Data protection at HanseMerkur

Protection and security for your data

Protection and security for your data are top priorities for HanseMerkur. This section provides you with information on your rights and the measures we have taken to protect you. The controller, within the meaning of the European General Data Protection Regulation (GDPR) and other national data protection laws of the member states, as well as other data protection provisions is:

HanseMerkur International AG
Drescheweg 1
9490 Vaduz
Liechtenstein

Swiss customers with data protection concerns can also send them to us at the following contact address:

HanseMerkur International AG
Postfach
9475 Sevelen
Switzerland

Telephone: +41 43 550 21 25
E-mail: service@hansemerkur.ch

The controller’s Data Protection Officer is:

Mr Christian Adolf
E-mail: datenschutz@hansemerkur.ch

He is the data protection advisor for our Swiss clients and, at the same time, the representative in the EEA according to Art. 27 GDPR.

Provision of the website and creation of log files

Each time you access our website, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:

  • Information on the browser type and the version used
  • The user’s operating system
  • The user’s Internet service provider
  • The user’s IP address
  • Date and time of access
  • Websites from which the user’s system accesses our website
  • Websites accessed by the user’s system via our website

The log files contain IP addresses or other pieces of data that can be traced back to a particular user. This could be the case, for example, if the link to the website that the user uses to access our website, or the link to the website the user visits next, contains personal data. The data is also stored in our system’s log files. This data is not stored together with other personal data concerning the user. HanseMerkur would not be able to trace the data back to you as an individual without involving your provider. By way of example, you can use the rate calculator “anonymously”.

The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.

Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be displayed on the user’s computer. This means that the user’s IP address has to remain stored for the duration of the session.

The data is stored in log files to ensure the functionality of the website. The data is also used to optimise the website and to ensure that our information technology systems are secured. Data is not evaluated for marketing purposes within this context.

The data will be erased as soon as it is no longer necessary to achieve the purpose for which it was collected. If data is recorded in order to make the website available, it is deleted after the session is finished.

If data is stored in log files, it is stored for seven days at the most. Data can be stored for longer periods. In such cases, the user IP addresses are erased or obfuscated so that the data can no longer be traced back to the client that accessed the website.

The collection of data to facilitate the provision of the website and the storage of data in log files is essential for the operation of the website. Consequently, users do not have any rights of objection.

Use of cookies

Depending on the area of the websites you visit, so-called “cookies” are stored on your computer. Cookies are small text files that the website provider uses to store relevant data in order to make it easier to surf on the website. These cookies cannot be read by any website other than the one that stored the cookie. HanseMerkur does not store any personal data concerning you in the cookies. The maximum cookie lifetime is 90 days. They are deleted automatically after this period has expired. A new cookie is set every time you visit the websites. If a cookie has already been set in the past, the information is updated. This is equivalent to erasing the cookie and setting a new one.

Technically necessary cookies are designed to make it easier for users to use websites. Some of the functions on our website cannot be offered if cookies are not used. These functions require the recognition of the browser even after you switch the page.

Analysis cookies are used to improve the quality of our website and its content. The analysis cookies provide us with information on how the website is used, allowing us to optimise the services we offer on an ongoing basis.

Advertising cookies are used to display advertisements that are tailored to suit your interests.

When they access our website, users are shown an information banner explaining how cookies are used for analysis purposes and referring to this data protection statement. They are also provided with information on how to disable cookies by configuring their browser settings accordingly. The legal basis for the processing of personal data using cookies is Article 6(1)(f) GDPR.

How can I manage cookies?

As an Internet user, you can decide for yourself whether you want to accept cookies or disable them entirely. If cookies are disabled, we can no longer guarantee that our website will be displayed correctly and that all of the website functions will work.

Cookies are stored on the user’s computer and are transmitted to us by the computer. This means that, as the user, you also have full control over the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been saved can be erased at any time. This can also be done automatically.

What types of cookies do we use?

We use four types of cookies on our website: generally required cookies, functional cookies, performance cookies and advertising cookies.

We use generally required cookies (session cookies) to facilitate the general use of our website. These cookies save certain actions taken by the user. These cookies are required to allow functional website navigation and the use of certain website functions. They make website visits easier by allowing users to use various areas of our website conveniently and in the best possible way.

Functional cookies (session cookies) allow us to tailor our website to suit our users’ personal preferences by storing the entries they make and the settings they select, such as name, region or language settings. These settings only apply when users visit our website and cannot be used by other websites.

Performance cookies (persistent cookies) help us to measure data traffic and the functionality of our website. This allows us to identify which areas of our website users visit most often and whether any error messages appear on these pages. This allows us to improve the user-friendliness of our website.

We use advertising cookies (persistent cookies) to display advertisements that are tailored to suit users’ interests. We also use these cookies so that we can track how often certain advertisements are displayed to a user.

Further information on session cookies and persistent cookies

Session cookies store information that is used during your current browser session. These cookies are automatically deleted as soon as you close your browser. Persistent cookies store information between two visits to the website so that you will be recognised as a returning user the next time you visit it.

The following cookies are used by us

Basic information about cookies:

You can stop cookies from being saved – and, as a result, data from being saved or collected – in your browser by disabling cookies in your browser.

  • Internet Explorer
  • Mozilla Firefox
  • Google Chrome
  • Safari

Online presence in social media

HanseMerkur maintains an online presence in social networks and platforms. This enables us to actively communicate with our customers and interested parties and to inform them about our services. We would like to point out that when you visit the respective networks and platforms, the terms and conditions and data processing guidelines of the respective operator apply.

On this website we link to our presence on "Facebook" (Meta Platforms Ireland Limited). If you click on our link and are logged into Facebook/Instagram at the same time, this information will be assigned to your Facebook/Instagram account. The same applies, of course, if you make comments. The privacy policy can be found here: https://www.facebook.com/about/privacy/update


Customer and product reviews

We have integrated company and product ratings on our website to give our customers the opportunity to evaluate the conclusion of an insurance policy. At the same time, we would like to improve our internal quality management. If you have explicitly clicked on the link to the customer review after completing our online booking process or online application, you will be redirected to a questionnaire at eKomi. To prevent multiple reviews, we forward an anonymised ID to eKomi. eKomi also stores your IP address. eKomi is committed to handling your transmitted data in compliance with data protection regulations and takes all organisational and technical measures to protect your data.

We also work with Trustpilot A/S (“Trustpilot”) to collect customer feedback. Therefore, we transfer your reference number. Trustpilot also gets your name and email address. If you want to know more about how Trustpilot processes your data, you can view the company's privacy policy here.

The legal basis for the processing of the data is Art. 6 (1) lit. a GDPR. Your feedback will help us to improve this process and products for all customers on a continual basis.

Use of personal data

Our website features a contact form and an online application form that you can use to contact us electronically or take out an insurance contract. If users opt to use these forms, the data entered in the input mask will be transmitted to us and stored. The personal data that you provide us with via service functions and forms including your declaration of consent for collection, processing and use is transmitted to our computer in encrypted form via a secure connection on the Internet, and is stored and backed up. We always use state-of-the-art security procedures for such transmission (TLS or SSL). The other personal data processed when your enquiry is sent is used to prevent the misuse of the contact form and to safeguard the security of our IT systems.

When you submit your personal data – e.g. when you submit a notice of claim, use the HanseMerkur invoice app, submit an online application, send a request for a proposal or consultation, and when you confirm this data protection statement – you consent to the data you have submitted being stored and processed to the extent required in order to process and reply to your enquiry (if you have requested a reply). Depending on the nature of your request, this can also require the forwarding of your data to authorised third parties or the automated processing of the data.

The legal basis for the processing of the data is Article 6(1)(a) GDPR for users who have granted their consent, and Article 6(1)(b) GDPR for policies taken out online. If health-related data is processed, this is based on Article 9(2)(a) GDPR.

The data will be erased as soon as it is no longer necessary to achieve the purpose for which it was collected. For personal data entered in the contact form input mask and data sent by e-mail, this is the case when the relevant conversation with the user has ended. The conversation is also considered to have ended when it can be inferred from the circumstances that the matter in question has been definitively clarified. The additional personal data collected when the enquiry is sent is erased after a period of seven days at the latest.

Users can revoke their consent to the processing of personal data at any time.

Use of e-mail

E-mails that you send us via your e-mail program could potentially be unencrypted. Please check the settings in your e-mail application or enquire with your e-mail provider. E-mails sent back to you are generally encrypted using transport layer security (TLS). Transmission is only unencrypted if TLS encryption is not offered by your provider. In general, however, this type of encryption is supported by your e-mail provider.

If you also wish to use end-to-end encryption (S/MIME) for your e-mail communication, please note that HanseMerkur uses DomainKeys for e-mail encryption. You can find HanseMerkur’s certificates at www.openkeys.de using the following addresses:

Service - Request documents & modify contract

You have the option of requesting specific documents or a contract amendment via a form on our website. Please note that we offer different forms for different request situations (e.g. request for a copy of an insurance policy, confirmation of a Corona travel cover or cancellation of your annual insurance). In order to prepare and send these documents and change confirmations, it is necessary that you provide us with the personal data requested in the forms. Only in this way can we, on the one hand, correctly create the requested document and send it to the e-mail address stored for your contract and, on the other hand, carry out selected business processes (termination, revocation, contract changes). The processing is also automated, provided that a successful verification of the information you have provided has taken place.

Please note that we always use the e-mail address stored for your contract to send the confirmation in order to ensure that no unauthorized persons can access your information. If no e-mail address is stored for your contract, we will check whether an alternative e-mail address is stored in the central customer database of HanseMerkur, which can be used as a substitute.

Please understand that, for security reasons and to protect your data, we are unable to send your request to an alternative e-mail address that is unknown to us. Should there be any queries in connection with your request, we require an e-mail address in order to be able to contact you for clarification purposes. This e-mail address will not be added to your contract or otherwise stored in the systems, but will only be used for the aforementioned purpose. Of course, the e-mail address will not be passed on to third parties.

On the basis of your entries regarding name, insurance policy number and date of birth, we check whether the processing can be automated. Automated processing takes place if a specific assignment has been possible without doubt on the basis of the entries you have made.

On the basis of the opt-in provided by you in the context of the certificate request and contract change request, processing takes place on the basis of consent pursuant to Art. 6 para. 1 lit. a GDPR.

Data subject rights

You may contact us at the above address to request information about the personal data concerning you stored by us. Furthermore, you may request the rectification or erasure of data concerning you under certain circumstances. You may also have a right to restrict the processing of data concerning you and a right to receive the data you provided in a structured, commonly used and machine-readable format.

Right to object

You have the right to object to the processing of your personal data for direct marketing purposes. If we process your data to protect legitimate interests, you may object to this processing if your particular situation gives rise to reasons that prevent data processing.

Right to lodge a complaint

You may lodge a complaint with the abovementioned Data Protection Officer or with a data protection supervisory authority. The data protection supervisory authority for Liechtenstein is:

Data Protection Office
Städtle 38
Postfach 684
9490 Vaduz
Liechtenstein

Swiss clients have the option of contacting the Federal Data Protection and Information Commissioner (FDPIC):

Federal Data Protection and Information Commissioner
Feldeggweg 1
3003 Bern
Switzerland

Information obligations pursuant to Article 13 GDPR

This information explains how your personal data is processed by HanseMerkur and the rights to which you are entitled under data protection law as an insurance client or party involved.

HanseMerkur International AG
Drescheweg 1
9490 Vaduz
Liechtenstein

Tel.: +41 43 550 21 25
E-mail: service@hansemerkur.ch

The controller’s Data Protection Officer is:

Mr Christian Adolf

E-mail: datenschutz@hansemerkur.ch

Purposes and legal basis of data processing

We process personal data in compliance with the European General Data Protection Regulation (GDPR), the Swiss Federal Act of 25 September 2020 on Data Protection (FADP) and other applicable laws.

If you submit an application for insurance cover, we need the information you provide to conclude the contract and to assess the risk to be assumed by us. If the insurance contract is concluded, we will process these data to implement the contractual relationship, for example to issue a policy or invoice. We require information on the damage or loss, for example, in order to be able to verify whether an insured event has occurred and to determine the extent of the damage.

It is impossible to conclude or execute the insurance contract without processing your personal data.

We also require your personal data to compile insurance-specific statistics, for example to develop new rates or to meet regulatory requirements. We use the data relating to all pre-existing policies taken out with a HanseMerkur company to get an overview of the entire client relationship, for example to provide advice on a contract amendment or supplement, in cases involving goodwill decisions or to provide comprehensive information.

This personal data is processed for pre-contractual and contractual purposes in accordance with Article 6(1)(b) GDPR. Where special categories of personal data (e.g. your health data when concluding a health insurance contract) are required for this purpose, we will obtain your consent in accordance with Article 9(2)(a) in conjunction with Article 7 GDPR. In such cases, we provide you with a sample declaration in advance.

Any statistics we compile from these data categories are based on Article 9(2)(j) GDPR.

We will also process your data in order to protect our legitimate interests or those of third parties (Article 6(1)(f) GDPR). In particular, this may be necessary

  • to ensure IT security and IT operations;
  • to advertise our own insurance products and other products offered by the companies belonging to the HanseMerkur Insurance Group and their cooperation partners, as well as for market surveys and opinion polls;
  • to prevent and investigate criminal offences; in particular, we use data analyses to detect signs of insurance fraud.

In addition, we process your personal data to meet legal obligations, such as regulatory requirements, retention obligations under commercial and tax law or our duty to provide advice. Processing in this case is based on the relevant statutory provisions in conjunction with Article 6(1)(c) GDPR.

We will inform you in advance if we intend to process your personal data for a purpose not mentioned above, as required by law.

Categories of recipients of personal data

Reinsurers

We also insure risks assumed by us with special insurance companies (reinsurers). This may require us to send your contract data and any claims data to a reinsurer so that they can form their own opinion about the risk or the insured event. It is also possible for the reinsurer to support our company in risk or performance assessments and in the evaluation of procedural processes on the basis of their special expertise. We will only transfer your data to the reinsurer to the extent necessary for the fulfilment of our insurance contract with you or to the extent necessary to protect our legitimate interests.

Brokers

If you are advised by a broker with regard to your insurance contracts, your broker will process the application as well as the contract and claims data required to conclude and execute the contract. Our company also transmits such data to the brokers who are responsible for you, insofar as they require the information to provide you with support and advice in your insurance and financial services matters.

Data processing within the Group

Specialised companies/areas of our group of companies perform certain data processing tasks on a centralised basis for the companies that form part of the Group. If there is an insurance contract in place between you and one or several companies in our Group, your data may be processed on a centralised basis by one Group company, for example to enable the central administration of address data, for the purposes of providing client service by telephone, for contract and benefits processing, for collection and disbursements, or for joint mail processing. You can find the names of the companies that participate in centralised data processing in our service provider list.

External service providers

HanseMerkur International AG currently works with service providers (companies/individuals) using health-related data as and when required to fulfil its contractual and statutory obligations. We would be happy to provide you with the full contact details on request. HanseMerkur International AG also works with the following individuals/companies that collect, process and use health-related data as and when required:

Individuals/companies: Activities

  • Advigon Versicherung AG: Business process outsourcing (insurance operations and central functions)
  • HanseMerkur Krankenversicherung AG: Actuarial function
  • Dipl.-Math. Robert Raeder: Actuary responsible
  • XpertCenter AG: Benefit processing and settlement
  • Medicall AG: Assistance telephony
  • Doctors, psychologists, psychiatrists, reinsurers: Experts
  • Lawyers: General services in justified individual cases
  • External IT service providers: Application development and provision of technical resources
  • Letter shops: Mailing campaigns
  • Private investigators: Ad hoc fraud prevention in justified individual cases
  • Collection companies: Judicial dunning procedure, collecting receivables
  • Amazon Web Services (AWS): Service for converting the data (insurance policy) into an appropriate Apple/Google format so that the user can store it.

We may also transfer your personal data to other recipients, such as public authorities, in order to comply with statutory notification obligations (e.g. social insurance agencies, financial authorities or law enforcement authorities).

Data storage duration

We will delete your personal data as soon as they are no longer required for the aforementioned purposes. Personal data may be retained for the period during which claims may be asserted against our company (statutory limitation period of three or up to 10 years). In addition, we store your personal data to the extent required by law. Corresponding evidentiary and retention obligations result, among other things, from the German Commercial Code (Handelsgesetz – HGB), the German Tax Code (Abgabenordnung – AO) and the German Money Laundering Act (Geldwäschegesetz). Under these provisions, the retention periods are up to 10 years.

Transfer of data to a third country

If we transfer personal data to service providers outside of Switzerland or the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the Swiss Federal Council or by the European Commission (EC) to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal company data protection regulations or EU standard contract clauses) are in place.

Automated individual decision-making

On the basis of your risk details, which we request from you when you submit your application, we make fully automated decisions for some of our products, such as the conclusion or termination of the contract, possible risk exclusions or the amount of the insurance premium you have to pay. We also make fully automated decisions about our obligation to pay benefits for some of our products on the basis of your information on the insured event, the data stored on your contract and any information obtained from third parties. The fully automated decisions are based on binding fee regulations for medical treatments. You have the right to obtain human intervention on the part of the Controller, to express your point of view and to contest the decision.