Data protection information insurance contracts
With this statement, we would like to inform you what personal data we store and how we use it in the context of your contractual relationship (insurance contract) with us and inform you about the rights granted to data subjects by the EU General Data Protection Regulation (GDPR).
All personal data provided to us in the insurance proposal or by third parties is stored and processed for the purposes of pre-contractual needs assessments, customer consulting and production of quotations, concluding and administering insurance contracts and the handling of claims. Personal data is processed only for specific purposes and in compliance with the GDPR, regulations of the Austrian Data Protection Act (DSG), relevant provisions of the Austrian Insurance Contract Act (VersVG) and all other appropriate laws.
As a controller within the meaning of the GDPR we determine the purposes and means of the processing of your personal data:
Grazer Wechselseitige Versicherung AG
Herrengasse 18-20, 8010 Graz
phone 0316 8037 6222, fax 0316 8037 6490, service@grawe.at
If you have any questions regarding the processing of your personal data you may address your request to the above stated address (for the attention of the “Data protection officer”) or send an email to datenschutzbeauftragter@grawe.at.
1) What personal data do we use?
We process the data which is provided by you in the insurance proposal (application data), as well as contractual data and data received from third parties (doctors, experts, insurance agents etc.). Such data is, for example, your name, your date of birth, your address, policy number, information about the insured interest (depending on the type of insurance this may be a motor vehicle, a building, an insured person etc.), the amount insured, the contract term, the insurance premium and your bank details.
If an insured event occurs, we will additionally collect and process information about the event itself (date of the event of damage, cause of the damage, photos etc.) and claim data (amount of the benefit, bank details etc.). If necessary, this may also include data obtained from third persons who were entrusted with the claim assessment (experts for example), or who are competent in any way to provide information (authorities, witnesses etc.), or who are standing in connection with the payment of the benefit (repair shops, craftsmen, doctors, hospitals etc.).
We collect only necessary information, which means that in some individual cases it will be sufficient to acquire just some of the above-listed data.
The conclusion and performance of insurance contracts is based on the processing of personal data. If you do not provide your personal data to the required extent, it may under certain circumstances be impossible to conclude the requested insurance contract with you or to examine and fulfil benefit claims arising from our insurance relationship.
2) For what purpose and on which legal basis is data collected and processed?
a) Preparation, administration and fulfilment of (insurance) contracts (legal basis: art. 6 para. 1 (b) GDPR)
If you submit an application for insurance, your statements on the application form are required for an assessment of the risk to be insured. If an insurance contract comes into effect, this data will be processed for the administration of the contract, like policy issuing and premium invoicing. If an insured event occurs, we will have to process additional data relating to the event in order to determine the extent of our obligation to pay indemnification.
b) Consent of the data subject (legal basis: art. 6 para. 1 (a) and art. 9 GDPR, §11a VersVG)
The processing of special categories of personal data (like data concerning health) requires your explicit consent, unless it is based on the statutory regulations of §§ 11 a et seqq. VersVG or is needed for the establishment, exercise or defence of legal claims (for example claims by injured third parties in liability insurance).
c) Insurance-specific statistics (legal basis: art. 6 para. 1 (b) and (f) and art. 9 para. 2 (j) GDPR, § 7 DSG)
The processing of your personal data is also required for the compilation of insurance-specific statistics, which are used for the development of new insurance tariffs or the fulfilment of requirements of the supervisory authority. Furthermore, we use the data of all your insurance contracts to get an overview of the customer relationship with you, which helps us to improve our consulting service in regard of contract adaptations or supplements, make decisions regarding insurance payments on a goodwill basis or ensure a better exchange of information with you.
d) Data processing related to statutory obligations (legal basis: art. 6 para. 1 (c) GDPR)
We process your personal data in order to comply with legal obligations to which we are subject, such as supervisory provisions, provisions by corporate and tax laws concerning the keeping of records, and consultation obligations.
In the field of life insurance, we process data concerning your tax residence in order to fulfil our reporting obligations towards financial authorities under the Common Reporting Standard (CRS) and under FATCA (Foreign Account Tax Compliance Act) Intergovernmental Agreement with the USA. Furthermore, we are obliged by the Austrian Financial Markets Anti-Money Laundering Act (FM-GwG) to fulfil our duties of due diligence in respect of combating money laundering and terrorist financing. Personal data (like identity data, information related to your professional activity and the source of your assets) is processed also for these purposes.
Furthermore, we process the personal data necessary for attending to and documenting data subjects' rights (art. 12 - 23, GDPR).
e) Marketing activities (legal basis: art. 6 para. 1 (a) and (f) GDPR)
We process your data also for marketing purposes in order to promote our own products and the products of our cooperation partners. In order to ensure a better tuning of our advertising according to customer needs and to be able to supply customized quotes, we analyse data which is relevant for this purpose. We have a legitimate interest in offering our clients and potential customers insurance products which are well adjusted to their needs. You have the right to object to the processing of your data for direct marketing purposes.
f) Entities of the insurance sector with the VVO
The Austrian insurance sector involves the Association of Austrian Insurance Enterprises (VVO), Schwarzenbergplatz 7, 1030 Vienna, as a commissioned processor under data protection law for the operation of a number of central technical and organisational services.
i. Motor vehicle registration documentation (legal basis: art. 6 para. 1 c, GDPR, §§ 40 a, 40 b, 61, Motor Vehicle Act (KFG), 1967)
Within the framework of the operation of motor vehicle third-party liability insurance, we as a company vested with registration, are obliged to participate in motor vehicle registration documentation. In connection with the notification of the existence or non-existence of the motor vehicle third-party liability insurance coverage, data of registration owners (e.g. name, date of birth, data on the motor vehicle third-party liability insurance, vehicle data) is processed in the central registration documents or the joint institution of the insurance companies entitled to operate motor vehicle third-party liability insurance.
ii. Co-insurance clearance (legal basis: art. 6 para. 1 lit. b GDPR)
The participating insurance companies exchange the premium and damage information necessary for settlement of an existing co-insurance in a bilateral way within the framework of a standardised data transfer.
iii. Bonus/malus system (legal basis: art. 6 para. 1 lit. f GDPR)
To the extent that your motor vehicle third-party liability contract is subject to the bonus/malus system, data on any bonus/malus level which may exist is collected from the previous insurance company. In this way, a correct classification in the bonus/malus system in accordance with the sequence of damage up to then is ensured. At the end of your contract, your last valid bonus/malus level is transmitted to the bonus/malus information system and stored there.
iv. Central Information System in Life Insurance (legal basis: art. 6 para. 1 lit. f GDPR)
To prevent applicants for insurance being insured upon terms and conditions and policyholders receiving payments for conditions which are not in harmony with the risk compensation of the community of insured parties, an entry in the system (registered information interconnected system according to § 50 DSG 2000 in conjunction with § 69 para. 8 DSG 2018) can be made in the event of a lasting or temporary rejection of an application for insurance, a potential acceptance of the application with aggravated conditions, conclusion of an own-occupation disability insurance with an insured annual annuity of more than EUR 9.000 or premature ending of the contract as a result of a breach of the policyholder's or applicant's notification duty.
v. "LET repayment vehicle database" (legal basis; art. 6 para. 1 lit. f GDPR)
The "LET repayment vehicle database" serves an automated exchange of data between insurance companies and banks about life insurances which are used to collateralise loans. The contract data of these life insurances is inquired by the bank to ensure the recoverability and its proper operation (§ 39 BWG).
g) Safeguarding legitimate interests (legal basis art. 6 para. 1 lit. f GDPR)
We also process your data in order to safeguard our or third parties' legitimate interests. This may in particular be necessary for
- guaranteeing IT security and IT operation including tests (to the extent not already necessary for performance of the contract),
- risk control within the enterprise,
- business control and the further development of processes, services and products,
- prevention and solving of crimes, in particular to recognise indications which may point to insurance misuse or fraud.
If we want to process your personal data for purposes other than those mentioned above, we will inform you of this in compliance with the law.
3) With whom do we share data?
If required for the achievement of any of the above purposes or if prescribed by law, we will transmit data which is necessary in a specific case to the relevant recipient who needs them. Such recipients may be:
a) Co-insurers and Reinsurers
We insure risks assumed by us with reinsurers; in individual cases, we share major risks with co-insurers. For the purpose of examination of risks and payments, it may be necessary to share your contract and damage data with a co- or reinsurer, so that the latter can get its own picture of the risk or the insurance incident.
b) Other insurers
In some cases, it may be necessary to share data with other insurers (e.g. previous insurers and insurers who are involved in the handling of claims from an insurance incident), for example for the purpose of a correct “bonus/malus” classification (motor insurance), in cases of double insurance, statutory subrogation, in establishment and defence of claims to recourse and compensation or insurance-internal claim splitting. At any rate, only such data will be transmitted which is relevant for the particular case.
c) Independent insurance intermediaries
When you use the service of an independent insurance intermediary (broker, agent or bank), he/she collects and processes your personal data and passes them on to us for risk assessment, contract processing or claims assessment. Likewise we share your personal data with your independent intermediary, if this is required for a competent insurance consultation (e.g. contract and damage data such as policy number, nature of the risk and the insurance coverage, premium, information on damage and/or payment incidents, amount of the insurance payments).
d) Authorities, courts and other third parties
As an insurance company, we are subject to strict regulatory requirements and to supervision by the authorities. In that context, it may become necessary to disclose to authorities or courts upon their request the personal data of our policy holders.
During the examination of a claim, it may be required to use the service of third parties like doctors, hospitals, experts or claim adjusters, and to share your personal data with them.
In the area of travel insurance and assistance services (e. g. GRAWE mobil, GRAWE help, GRAWE Unfall SOS) we cooperate with AWP Austria GmbH and AWP P&C S.A. (Austrian branch) and use their service for the performance of our contractual obligations. They receive from us all data they need for the processing of a claim.
In addition, your data may be processed by IT service providers who are active for us as commissioned processors.
e) Recipients of data concerning your health
According to the legal regulations (§§ 11 a, et seqq. VersG), data concerning your health may only in specific cases and within the scope of the consent you gave, but even without your explicit permission (given in individual situations) be transmitted to the following recipients:
examining and treating physicians and hospitals or other medical care and health care institutions, social security institutions, reinsurers, co-insurers or other insurers cooperating in the processing of the relevant claim, appointed and authorised experts, authorised or legal representatives of the persons concerned, courts, public prosecutors, administrative authorities, arbitration boards or other third party institutions and bodies responsible for dispute resolutions, including all experts appointed by them.
4) Where is data stored? Can data be transmitted to recipients in third countries?
All data processed in the course of insurance business operations are stored in our internal computer centre in Graz. The computer centre fulfils the standards of norm ISO 27.001 and has been certified according to the TÜV trusted data center standard of TÜV AUSTRIA GMBH.
A transmission of data to recipients outside the European Economic Area (EEA) takes place only as a matter of principle when it has been officially confirmed by the EU Commission that the relevant third country is able to ensure an adequate level of data protection or if other safeguards for data protection, like binding corporate rules or EU Standard Contractual Clauses, exist. In individual cases, we can also transmit data to recipients in third countries according to art. 49 para. 1 GDPR for the purpose of fulfilment of the insurance contract in question (lit. b) - in particular in connection with the payment duty in a damage incident - or to establish, exercise or defend legal claims (lit. e).
5) For how long is data stored?
In principle, your data is stored for the duration of our insurance relationship. Moreover, we store the data from the insurance relationship as long as establishment of legal claims from the insurance relationship is still possible. In this context, we take the following periods of barring into account:
- Austrian Insurance Contract Act (VersVG): 3 or 10 years
- Austrian Motor Vehicle Third-Party Liability Insurance Act (KHVG): 10 years
- General Austrian Civil Code (ABGB): up to 30 years
In addition, we store personal data following the end of the contract in order to fulfil our statutory archiving duties, In this context, we take the following archiving periods into account:
- Austrian Companies Code (UGB) and Federal Fiscal Code (BAO): 7 years
- Financial Market Money Laundering Act (FM-GwG): 10 years
6) Which rights do you have under the Data Protection Law?
In accordance with articles 15 - 22 GDPR you have the following rights against the data controller concerning the data stored in relation to your person:
- Right of access
- Right to rectification of inaccurate or incomplete data
- Right to erasure of data which have been unlawfully processed
- Right to restriction of processing
- Right to object to the processing of personal data (if a legitimate interest exists)
- Right to data portability: right to receive the data you provided in a structured, commonly used and machine-readable format
Where the processing of your data is based on your consent, you may withdraw this consent at any time with the effect that we will no longer process your data, unless there is another legal ground that requires a further processing. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The data subject must provide information enabling his or her identification in order to ensure that a response will reach the right person.
You have the right to lodge a complaint with the Austrian Data Protection Authority as the supervisory authority, if you believe that your personal data is being unlawfully processed.
7) Automated decision-making in the individual case?
Within the framework of the data processing described above, no decisions exclusively based on automated processing (Art 22 GDPR) are taken.