Data Protection Information from Your Insurer

With this information, we inform you about the processing of your personal data by us, SOGESSUR S.A. German Branch, and the rights you are entitled to under data protection law. We ask you to pass this initial information on to the insured persons.

Responsible for the Data Processing:

SOGESSUR S.A. German Branch
Fuhlsbüttler Straße 437
22309 Hamburg

Telephone: +49 (40) 64603-140
Fax: +49 (40) 271 656-195
Email address: vertragsservice@socgen.com

You can reach our Data Protection Officer by mail at the above address with the addition - Data Protection Officer - or by email at: datenschutzversicherung@socgen.com

We process your personal data in compliance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the Austrian Data Protection Act (DSG), as well as the data protection relevant provisions of the German Insurance Contract Act (VVG) and the Austrian Insurance Contract Act (VersVG) and all other applicable laws.

What personal data do we use?

We use your personal data. This includes the data provided by you in the insurance application (application data), contract data, and information from third parties (e.g., from doctors, experts, and intermediaries), such as: name, policy number, date of birth, address, email, gender, health data, sum insured, duration and premium, bank details, and collection data.

In the event of an insurance claim, we additionally collect and process your information about the circumstances, the benefit data (date, amount of benefit), and other information about the claim or benefit case. This may also include - where necessary - information from third parties who are commissioned with determining the claim and benefit case (experts), who can provide information about it (authorities, witnesses, etc.), or who are involved in the provision of claims and benefits (doctors, hospitals).

We only collect the necessary data, which means that in individual cases, less data than described above may be sufficient.

Purposes and Legal Bases for Data Processing

We need the information you provide here to conclude the insurance contract and to assess the risk we are to assume. If the insurance relationship is established, we process this data for the implementation of the insurance contractual relationship. We need information about the damage, for example, to be able to check whether an insured event has occurred and how high the damage is.

We process your personal data in accordance with Art. 6 Para. 1 lit. b GDPR and your special categories of personal data (such as health data in particular) in accordance with Art. 9 Para. 2 lit. g and h GDPR (in Austria also in connection with §§ 11a ff VersVG) for the following purposes:

  • To assess the risk we are to assume
  • To determine whether and under what conditions the insurance contract can be concluded or a contract amendment can be carried out
  • To create an offer and/or process an application submitted by you
  • For the implementation, fulfillment (including premium collection), and administration of a current insurance contract as well as for billing, damage assessment, and checking whether you are entitled to an insurance benefit in relation to your insurance contract
  • For customer support, for advice regarding contract adjustment, supplementation, for goodwill decisions, or for comprehensive information provision

The conclusion of the insurance contract or the implementation of the insurance relationship is not possible without the processing of your personal data. Providing the necessary data is not required by law. However, if you do not provide us with the necessary data, an insurance contract may not be concluded.

If the processing of special categories of personal data (e.g., health data) is not necessary for the assertion, exercise, or defense of legal claims (e.g., in the case of claims by the injured third party in liability insurance), such data will only be processed in accordance with consent given by you (legal basis: Art. 6 Para. 1 lit. a and Art. 9 GDPR, § 11a VersVG).

Furthermore, we process your personal data in accordance with Art. 6 Para. 1 lit. f GDPR and - for statistical purposes - your special categories of personal data (such as health data in particular) in accordance with Art. 9 Para. 2 lit. j GDPR for the following purposes:

  • Creation of insurance-specific statistics (advice regarding contract adjustment, customer support, offer and application processing, contract administration, risk minimization)
  • To ensure IT security and IT operations
  • To prevent and investigate criminal offenses; in particular, we use data analyses to identify indications that may suggest insurance fraud

Our legitimate interest lies in the pursuit and fulfillment of the purposes mentioned above.

In addition, we process your personal data to fulfill legal obligations such as regulatory requirements, commercial and tax law retention obligations, or our duty to advise. In this case, the respective legal regulations in conjunction with Art. 6 Para. 1 c) GDPR serve as the legal basis for processing. If we wish to process your personal data for a purpose not mentioned above, we will inform you about this in advance within the framework of the legal provisions.

Categories of Recipients of Personal Data

Reinsurers

We may insure risks assumed by us with special insurance companies (reinsurers). For this purpose, it may be necessary to transmit your contract and, if applicable, claims data to a reinsurer so that they can form their own picture of the risk or the insured event.

Intermediaries

If you are looked after by an intermediary with regard to your insurance relationship, your intermediary processes the accession, contract, and claims data required for the conclusion and implementation of the contractual relationship. Our company also transmits this data to the intermediaries looking after you, insofar as they need the information for your support and advice in your insurance and financial service matters.

Data Processing in the Corporate Group

Specialized companies or areas of our corporate group perform certain data processing tasks centrally for the companies affiliated in the group. Insofar as an insurance relationship exists between you and one or more companies of our group, your data may be processed centrally by a company of the group, for example, for the central administration of address data, for telephone customer service, for contract and benefit processing, for collection and disbursement, or for joint mail processing.

External Service Providers

We use external service providers in part to fulfill our contractual and legal obligations. A list of the contractors and service providers we use, with whom not only temporary business relationships exist, can be found in the overview at the end of this document.

Transmission of Health Data

If a transmission is necessary in the specific case, health data will be transmitted in accordance with Art. 9 Para. 2 lit. a in conjunction with Art. 7 GDPR (in Austria also in accordance with § 11 lit. a VersVG) only to the following recipients: Examining or treating doctors and hospitals or other institutions of health care or health prevention, reinsurers or co-insurers or other insurers and service providers who are involved in the processing of claims from the insured event, authorized experts or elected or legal representatives of those affected or courts, public prosecutors, administrative authorities, arbitration bodies, or other institutions for dispute resolution and their bodies including the experts appointed by them.

Data Transfer to a Third Country

Should we transfer personal data to service providers outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission as having an adequate level of data protection or if other appropriate data protection guarantees (e.g., binding internal company data protection regulations or EU standard contractual clauses) are in place.

Duration of Data Storage

We delete your personal data as soon as it is no longer necessary for the purposes mentioned above, unless further storage is required due to legal retention obligations. Corresponding proof and retention obligations arise, among other things, from the German Commercial Code, the Tax Code, and the Money Laundering Act. The storage periods are up to ten years. In Austria, these arise, among other things, from the Corporate Code, the Federal Tax Code, the Insurance Contract Act, and the Financial Market Money Laundering Act, the Commercial Code, or the Tax Code. Due to the following legal retention obligations, we must store your personal data as follows:

  • Storage of contract data for 7 years from the collection of the data (§ 212 UGB [Austrian Commercial Code])

Furthermore, it may happen that personal data is kept for the period during which claims can be asserted against our company (statutory limitation period of three or up to thirty years). For this purpose, however, your personal data will only be processed if and only as long as it is necessary for the pursuit or defense of legal claims.

Rights of Data Subjects

You have the following rights under the GDPR:

  • The right to information according to Art. 15 GDPR concerning the personal data processed by us.
  • The right to rectification according to Art. 16 GDPR, the right to erasure according to Art. 17 GDPR, and the right to restriction of processing according to Art. 18 GDPR.
  • The right to object according to Art. 21 GDPR.
  • If you have given consent to the processing of data, you can revoke this at any time without giving reasons with effect for the future. The lawfulness of the data processing carried out until the revocation remains unaffected by the revocation of consent.
  • The right to data portability according to Art. 20 GDPR.
  • The right to lodge a complaint with the competent data protection authority according to Art. 77 GDPR.

Automated Individual Decision-Making

Based on your information about the risk, which we ask you about when applying, we sometimes decide fully automatically about the conclusion of the contract, possible risk exclusions, or about the amount of the insurance premium to be paid by you.

Fully automated decisions (legal basis: Art. 22 GDPR) are based on predefined rules for weighing the information obtained for this purpose. For example, when applying, the calculation and assessment can be based on actuarial criteria and calculations.

Through appropriate measures, we ensure that you can exercise your rights to the intervention of a person, to present your own point of view, and to contest the decision.

Company / Category | Order Subject / Function
Intermediaries acc. to § 137 GewO Austria / Intermediaries acc. to § 34d GewO Germany | Mediation of insurance products
IT service providers | IT support
Appraisers and experts | Creation of medical reports
Disposal service providers | Document destruction
Reinsurance companies | Monitoring
Inventory management and claims processing | Postal services incl. allocation of incoming mail; inventory management; contact in the context of benefit processing
Personnel service providers | Support with personnel matters
Lawyers | Legal advice and representation
Tax consultants | Advice on tax matters