Data protection information for persons involved in cases of payment and damage
With this statement, we are informing you about the processing of your personal data as a person involved in a case of payment or damage and the rights which you have according to the European General Data Protection Regulation (GDPR)
Data processing within the framework of handling cases of payment and damage from insurance contracts is done observing the GDPR, the Austrian Data Protection Act (DSG), the directives of the Austrian Insurance Contract Act (VersVG) relevant for data protection law and all other decisive legislation.
We are the controller for the processing of your personal data within the terms of the GDPR:
Grazer Wechselseitige Versicherung AG
Herrengasse 18-20, 8010 Graz
phone 0316 8037 6222, fax 0316 8037 6490, service@grawe.at
For questions on the processing of your data, please contact our data protection officer by post at the aforementioned address with the addition "Data Protection Officer" or by e-mail under datenschutzbeauftragter@grawe.at.
1) Which personal data is processed and where does it come from?
In the handling of cases of payment or damage from insurance contracts, we process not only our policyholders' personal data, but also third parties' personal data. These persons are in particular injured parties in third-party liability insurance, drivers and people involved in accidents in motor vehicle insurance, witnesses of an incident of damage as well as beneficiaries (e.g. in life insurance).
For third parties, we in particular process identity and contact data (e.g. name, address, telephone number, identity document copy), information on the insurance incident (e.g. data from traffic accident reports, information on the sequence of the accident and the amount of damage) and bank account data in order to make bank transfers.
You have either provided this data to us yourself, informed our policyholder of them (e.g. in an accident report) or they were given to us by the persons involved in the insurance incident, witnesses, authorities or other insurance companies involved.
2) For what purpose and on which legal basis is the data processed?
a) Fulfilling a contract (Art 6 para 1 lit b GDPR)
To fulfil our obligations from insurance contracts, it is necessary for us to process third parties' data (see point 1) within the framework of handling cases of payment and damage. The data processing serves to determine the sequence of the accident and, if applicable, the fulfilment of our payment obligations from the underlying insurance contracts.
b) Processing on the basis of legal obligations (Art 6 para 1 lit c GDPR)
In addition, we process your personal data to fulfil statutory obligations, for example, supervisory law requirements as well as corporation and tax law archiving obligations (Art 6 para 1 lit c GDPR).
In the life insurance area, we process the beneficiary's data (recipient of the payment) concerning their tax residence, in order to fulfil our reporting duties to finance authorities on the basis of the Common Reporting Standard Act (GMSG) and on the basis of the state treaty with the USA on the Foreign Account Tax Compliance Act (FATCA). Furthermore, we are obliged according to the Financial Market Money Laundering Act (FM-GwG) to fulfil duties of due diligence to prevent money laundering and financing of terrorism. We process the beneficiary's data (e.g. identity data) for this purpose as well.
As the controller, we also process the personal data necessary for attending to and documenting data subjects' rights (Articles 12 to 23 GDPR).
c) Health data: approval or establishment, exercise or defence of legal claims (Art 6 para 1 lit a and Art 9 para 2 lit f GDPR)
For the processing of particularly protected personal data such as health data, we obtain your consent beforehand.
To the extent that processing of health data is necessary for the establishment, exercise or defence of legal claims (Art 9 para 2 lit f GDPR), we do not need consent. This applies, for example, to the processing of the injured party's health data for dealing with personal damage and claims to damages and recourse resulting from this in third-party liability insurance.
d) Safeguarding our legitimate interests (Art 6 para 1 lit f GDPR)
We also process your data in order to safeguard our or third parties' legitimate interests. This can in particular be necessary for
- guaranteeing IT security and IT operations, including tests (to the extent not already necessary for the performance of the contract);
- risk control within the enterprise;
- business control and further development of processes, services and products;
- prevention and solving of crimes, in particular to recognise indications which may point to insurance misuse or fraud.
3) Who do we transmit the data to?
If necessary or prescribed by law in order to achieve the aforementioned purposes, we only transmit the data necessary for the individual case to the recipient concerned with it. Depending on the reason, this may be the following:
a) Insurance companies (re-insurers, co-insurers and other insurance companies involved in the handling of claims from an insurance incident) and social insurance schemes:
When insuring certain risks, we work together with re-insurers, who support us in the bearing of risks and examination of the damage incident. In the insurance of certain risks, there may also additionally be a division of risks amongst a number of (co)-insurers. Traffic accidents and other insurance incidents may trigger legal obligations with other insurance companies obliged to make a payment from this insurance incident or with social insurance schemes (e.g. claims to recourse and compensation).
In the aforementioned cases, it may be necessary for us to exchange your data for the purpose of examining payment and for the purpose of establishment and defence of claims to recourse or compensation with the aforementioned insurance companies and social insurance schemes.
b) Supervisory authorities, courts and miscellaneous third parties
As an insurance company, we are subject to high regulation requirements and official supervision. In this context, it is possible that we have to disclose personal data in connection with cases of insurance to authorities or courts upon request.
In the examination of payments, it is possible that we involve third parties such as doctors, hospitals, expert analysts or enterprises commissioned with regulating the damage and transmit your personal data to them.
4) Where is the data stored? Is the data transmitted to recipients in third countries?
The data processed within the framework of insurance operations is stored in our in-house computer centre in Graz.
If we transmit personal data to recipients outside the European Economic Area (EEA), the transmission is only done to the extent that an adequate level of data protection has been confirmed for the third country by the EU Commission or other suitable data protection guarantees (e.g. binding in-house data protection directives or EU standard contract clauses) exist.
5) How long is the data stored?
We archive personal data from damage and payment cases as long as it is needed for the purposes described above. Furthermore, we store the data as long as the establishment of legal claims from the insurance relationship is still possible (i.e. until the expiry of statutory periods of barring). In this context, we take the following periods of barring into account:
- Austrian Insurance Contract Act (VersVG): 3 or 10 years
- Austrian Motor Vehicle Third-Party Liability Insurance Act (KHVG): 10 years
- General Austrian Civil Code (ABGB): up to 30 years
In addition, we store personal data in order to fulfil our statutory archiving duties. In this context, we take the following archiving periods into account:
- Austrian Companies Code (UGB) and Federal Fiscal Code (BAO): 7 years
- Financial Market Money Laundering Act (FM-GwG): 10 years
6) What rights do you as a data subject have according to data protection law?
As a data subject, you have various rights against the controller. These rights serve the transparency of the processing of personal data. The data subject is to be able to inform themselves and is also to know by whom, how, in which way and why personal data is processed.
According to Art. 15 to 22 GDPR, you as the data subject have the following rights towards the controller with a view to the data concerned with your person which has been stored:
- right to information
- right to rectification of incorrect or incomplete data
- right to erasure of data which has been processed unlawfully
- right to restriction of the processing
- right to object to the processing (only with a legitimate interest)
- right to data portability of the data provided in a structured, commonly used and machine-readable format
If the processing is based on consent, you as the data subject have the right to revoke the consent at any time. This means that we are no longer allowed to process your data – unless any other reason for lawful processing exists. Such a revocation does not affect the lawfulness of the processing which has been done on the basis of the consent until the time of the revocation.
Data subjects must prove their identity and contribute to identification so it is assured that the reply will actually addressed to the data subject.
You have a right to complain to the Austrian data protection authority as the supervisory authority if you are of the opinion that the processing of your personal data is not being done lawfully.
7) Automated decision-making in the individual case
Within the framework of the aforementioned data processing, no decisions exclusively based on automated processing (Art 22 GDPR) are taken.