In accordance with Art. 13 and 14 of the General Data Protection Regulation (GDPR), we are informing you about how your personal data is processed by AWP P&C S.A., Branch Office for Germany, and about the rights to which you are entitled under data protection law. Please make all co-insured individuals (e.g. your spouse) aware of this policy.
Declaration and information on data processing
I Who is responsible for processing your personal data?
Responsibility for processing your personal data rests with
AWP P&C S.A.,
Branch Office for Germany
Bahnhofstrasse 16
D - 85609 Aschheim (near Munich).
The Data Protection Officer can be contacted by standard mail at the aforementioned address, using the suffix "Data Protection Officer", or by email at datenschutz-azpde@allianz.com.
II For what purpose is your data processed, and on what legal basis does this take place?
1.) What applies to all categories of personal data?
We process your personal data in compliance with the EU General Data Protection Regulation, the German Federal Data Protection Act (BDSG), the provisions of the German Insurance Contract Act (VVG) relevant to data protection law, as well as all other applicable laws.
When you apply for insurance cover, we will require the information provided by you here in order to conclude the contract and to estimate the risk assumed by us. If the insurance contract comes into existence, we will process this data for the implementation of the contractual relationship, such as for invoicing purposes. We require information about loss or damage in order to be able to assess whether an insured event has occurred and determine the extent of this loss or damage.
It is not possible to conclude and implement the insurance contract without processing your personal data.
Art. 6 section 1 b) GDPR constitutes the legal basis for the processing of personal data for pre-contractual and contractual purposes.
Alongside that, Art. 6, para. 1 a) and c) – f) GDPR contain other legally defined situations in which we are entitled to process personal data.
We will process your data in order to fulfil a legal obligation in accordance with Art 6, para. 1 c) GDPR, such as to review claims for settlement, if another insurer seeks recourse from us due to the existence of multiple insurance policies.
We will also process your data in order to protect our legitimate interests or the legitimate interests of third parties (Art. 6, para. 1 f) GDPR. This may be the case particularly:
- for ensuring IT security and IT operations
- for marketing our own insurance products, and for conducting marketing surveys and opinion polls
- for the prevention and investigation of criminal activities (in particular, we employ data analyses to detect possible indications of insurance fraud).
As a rule, we only process that data that we have received directly from you. In certain cases we may also receive such data from other sources (such as if another insurer seeks recourse from us due to the existence of multiple insurance policies.
We also process your personal data in order to fulfil other statutory obligations, such as regulatory requirements, as well as data retention obligations imposed by commercial and tax law. In these cases, the legal basis of the data processing is provided by the relevant statutory regulations in conjunction with Art. 6, para 1) c) GDPR.
We may also process you data in accordance with Art. 6, para. 1 d) GDPR in order to protect your vital interests, or if you have consented to such data processing, Art. 6, para. 1 a) GDPR.
If we wish to process your data for any purpose other than those specified above, we will notify you in advance within the framework of the statutory regulations.
2.) What applies to special categories of personal data, especially health data?
There are special safeguards on the processing of special categories of personal data, of which health data is one. As a rule, processing is permitted only if you have consented to the processing in accordance with Art. 9, para. 2 a) GDPR, or if this is a case of one of the other situations defined by law, Art. 9, para. 2 b) – j) DSGVO.
a) Processing of your special categories of personal data
In many cases, in order to review the benefit entitlement, we require personal data belonging to a special category (sensitive data). This includes health data, for example. If, in connection with a specific insured event, you provide us with such data together with a request to review and process the claim, you are explicitly permitting us to process your sensitive data necessary in order to process the insured event. We will again remind you specifically of this fact in the claim form.
You may withdraw your consent at any time, with future effect. However, we explicitly inform you that it may no longer be possible to review our indemnity obligation in connection with the insured event. If the damage event has already been processed, it may be the case that the data cannot be deleted for statutory retention periods, for example.
We may also process your sensitive data if this is necessary to protect your vital interests, and if you are physically or legally incapable of giving consent, Art. 9, para. 2 c) GDPR. This may be the case if you suffer a serious accident while travelling, for example.
In the case of multiple insurance policies, if another insurer seeks recourse from us or if we seek recourse from another insurer, we may process your sensitive data in order to assert and defend the statutory claim for settlement, Art. 9, para. 2 f) GDPR.
b) Requesting health data from third parties for review of the indemnity obligation
In order to examine our duty to indemnify, it may be necessary for us to check information concerning your state of health, as provided by you in substantiating claims, or which is evident from documents submitted (e.g. invoices, prescriptions, reports) or statements, e.g. from a doctor or other member of a healthcare profession.
For this purpose, we will require your consent, including a confidentiality waiver covering us and all agencies subject to a duty of confidentiality, and which are required to provide information for review of the indemnity obligation.
We will notify you in each specific case about what persons or institutions require information for what purpose. You may then decide in each case whether you consent to us collecting and using your health information, and whether to release the named persons or institutions and their employees from their duty of non-disclosure, and if you agree to the communication of your health data to us, or if you want to personally provide the necessary documentation.
III To what recipients will we communicate your data?
Recipients of your personal data may include: selected external service providers (e.g. assistance service providers, benefit processors, transport service providers, technical service providers, etc.), other insurers (e.g. in the case of multiple insurance coverage).
We also insure some of the risks that we cover with specialist insurance companies (re-insurers). To this end, it may be necessary to send your contract and, where relevant, your claims information to a re-insurer, to enable it to form its own opinion of the risk or the insured event.
If you join a group insurance contract as an insured person, (e.g. when acquiring a credit card), we may disclose your personal data to the policyholder (a bank for example), if it has a legitimate interest in knowing this information.
In addition, we may also communicate your personal data to other recipients, such as public authorities for the fulfilment of statutory duties of notification (e.g. finance authorities or criminal investigation agencies).
The forwarding of data is a form of data processing, and is likewise performed within the framework of the principles set out in Art. 6, para. 1 and Art. 9, para. GDPR.
IV For how long will we store your data?
We will retain your data for the period during which claims may be made against our company (statutory limitation period of 3 to 30 years). We will also store your data if we are under a legal obligation to do so, e.g. according to the provisions of the German Commercial Code, the German Fiscal Code or the German Money Laundering Act. The relevant retention periods range up to ten years.
V Where will your data be processed?
If we should transfer your data to service providers located outside of the European Economic Area (EEA), the transfer within the Allianz Group will be performed on the basis of "Binding Corporate Rules", which have been approved by the data protection authorities. These form part of the "Allianz Privacy Standard". These Corporate Rules are binding on all companies within the Allianz Group, and they ensure an appropriate level of protection for personal data. The "Allianz Privacy Standard" and the list of Allianz Group companies that comply with this standard can be downloaded from here.
In those cases in which the "Allianz Privacy Standard" does not apply, the transfer of data to third countries will take place in accordance with Art. 44 – 50 GDPR.
VI What are your rights?
You have the right to be informed about all of the information retained by us, and to demand that incorrect data be rectified. Under certain conditions, you also have the right to the erasure of data, the right to object to processing, the right to the restriction of processing and the right to data portability.
Right of objection
You may object to the processing of your data for direct marketing purposes. If we process your data in order to protect legitimate interests, you may object to this processing for reasons pertaining to your particular situation.
If you have any objections concerning the handling of your data, you may contact the aforementioned Data Protection Officer in this connection. You are also entitled to lodge an objection with a data protection supervisory authority.