Data protection information
With this statement we would like to inform you which personal data we store and how we use them in the context of your contractual relationship (insurance contract) with us. Further we will inform you about the rights granted to data subjects by the EU General Data Protection Regulation (GDPR), taking effect on 25 May 2018.
All personal data provided to us in the insurance proposal or by third parties are stored and processed for the purposes of pre-contractual needs assessment, customer consulting, concluding and processing insurance contracts and the handling of claims. Personal data are processed only for specific purposes and in compliance with the GDPR, regulations of the Austrian Data Protection Act (DSG), relevant provisions of the Austrian Insurance Contract Act (VersVG) and all other appropriate laws.
As a controller within the meaning of the GDPR we determine the purposes and means of the processing of your personal data:
Grazer Wechselseitige Versicherung AG
Herrengasse 18-20, 8010 Graz
phone 0316 8037 6222, fax 0316 8037 6490, service@grawe.at
If you have any questions regarding the processing of your personal data you may as of 25 May 2018 address your request to the above stated address (for the attention of the “Data protection officer”) or send an email to datenschutzbeauftragter@grawe.at.
Which personal data do we use?
We process the data which are provided by you in the insurance proposal (application data), as well as contractual data and data received from third parties (doctors, experts, insurance agents etc.). Such data are, for example, your name, your date of birth, your address, information about the insured interest (depending on the type of insurance this may be a motor vehicle, a building, an insured person etc.), the amount insured, the contract term, the insurance premium and your bank details.
If an insured event occurs, we will additionally collect and process information about the event itself (date of the loss, cause of the damage, photos etc.) and claim data (amount of the benefit, bank details etc.). If necessary, this may also include data obtained from third persons who were entrusted with the claim assessment (experts, for example), or who are competent in any way to provide information (authorities, witnesses etc.), or who are standing in connection with the payment of the benefit (repair shops, craftsmen, doctors, hospitals etc.).
We collect only necessary information, which means that in some individual cases it will be sufficient to acquire just some of the above-listed data.
For what purpose and on which legal basis is data collected and processed?
a) Preparation, administration and fulfilment of (insurance) contracts (legal basis: art. 6 para. 1 (b) GDPR)
If you submit an application for insurance, your statements on the application form are required for an assessment of the risk to be insured. If an insurance contract comes into effect, these data will be processed for the implementation of the contract, such as policy issuing and premium invoicing. If an insured event occurs, we will have to process additional data relating to the event in order to determine the extent of our obligation to pay indemnification.
b) Consent of the data subject (legal basis: art. 6 para. 1 (a) and art. 9 GDPR, §11a VersVG)
The processing of special categories of personal data (like data concerning health) requires your explicit consent, unless it is needed for the establishment, exercise or defence of legal claims (for example claims by injured third parties in liability insurance).
The conclusion and performance of insurance contracts is based on the processing of personal data. If you do not provide your personal data to the required extent, it may under certain circumstances be impossible to conclude the requested insurance contract with you or to examine and fulfil benefit claims arising from our insurance relationship.
c) Insurance-specific statistics (legal basis: art. 6 para. 1 (b) and (f) and art. 9 para. 2 (j) GDPR, § 7 DSG)
The processing of your personal data is also required for the compilation of insurance-specific statistics, which are used for the development of new insurance tariffs or the fulfilment of requirements of the supervisory authority. Furthermore, we use the data of all your insurance contracts to get an overview of the customer relationship with you, which helps us to improve our consulting service with regard to contract adaptations or supplements, make decisions on a goodwill basis or ensure a better exchange of information with you.
d) Data processing related to statutory obligations (legal basis: art. 6 para. 1 (c) GDPR)
We process your personal data in order to comply with legal obligations to which we are subject, such as supervisory provisions, provisions by corporate and tax laws concerning the keeping of records, and consultation obligations.
In the field of life insurance we process data concerning your tax residence in order to fulfil our reporting obligations towards financial authorities under the Common Reporting Standard (CRS) and under FATCA (Foreign Account Tax Compliance Act) Intergovernmental Agreement with the USA. Furthermore we are obliged by the Austrian Financial Markets Anti-Money Laundering Act (FM-GwG) to fulfil our duties of due diligence in respect of combating money laundering and terrorist financing. Personal data (like identity data, information related to your professional activity and the source of your assets) is processed also for these purposes.
e) Marketing activities (legal basis: art. 6 para. 1 (a) and (f) GDPR)
We process your data also for marketing purposes in order to promote our own products and the products of our cooperation partners. In order to ensure a better tuning of our advertising according to customer needs and to be able to supply customized quotes we analyse data which are relevant for this purpose. We have a legitimate interest in offering our clients and potential customers insurance products which are well adjusted to their needs. You have the right to object to the processing of your data for direct marketing purposes.
f) Entities of the insurance sector (legal basis: art. 6 para. 1 (f) GDPR)
It is important to ensure that a coordinated exchange of information takes place between participating insurance companies with regard to
- preventing and combating insurance abuse and insurance fraud,
- preventing that insurance applicants are granted coverage or insurance holders receive benefits on terms contradicting the principle of a balance of risks within the insured community,
- fact-finding measures, the settlement of claims arising from insurance contracts and the collection and subsequent verification of data concerning a potential client's past claims experience in the motor liability insurance (“bonus-malus” system).
For these purposes, participating insurers as controllers exchange the following personal data through the Association of Austrian Insurers as the processor:
- in indemnity insurance and motor liability insurance – personal and risk-related identification data like name, date of birth, vehicle registration and identification numbers, relevant data on insurance claims, but under no circumstances personal data related to health;
- in life and occupational disability insurance – name, date of birth, type and date of a report, insurance class, numerically coded report and objection notations, if there are any.
If we want to process your personal data for other than the above mentioned purposes, we will inform you of this in compliance with the law.
With whom do we share data?
If required for the achievement of any of the above purposes or if prescribed by law, we will transmit data which are necessary in a specific case to the relevant recipient who needs them. Such recipients may be:
a) Co-insurers and Reinsurers
In the insurance of particular risks we cooperate closely with reinsurers, supporting us in risk assessment and in the examination of claims. Furthermore, specific risks may be shared between several (co-)insurers. In these cases it may be necessary to exchange data with reinsurers or co-insurers for the purposes of risk or claims assessment.
b) Other insurers
In some cases it may be necessary to share data with other insurers, for example for the purpose of a correct “bonus-malus” classification (motor insurance), in cases of double insurance, statutory subrogation or insurance-internal claim splitting. At any rate, only such data will be transmitted which are relevant for the particular case.
c) Independent insurance agents
When you use the service of an insurance agent, he/she collects and processes your personal data and passes them on to us for risk assessment, contract processing or claims assessment. Likewise we share your personal data with your agent, if this is required for a competent insurance consultation.
d) Authorities, courts and other third parties
As an insurance company we are subject to strict regulatory requirements and to supervision by the authorities. In that context it may become necessary to disclose to authorities or courts upon their request the personal data of our policy holders.
During the examination of a claim it may be required to use the service of third parties like doctors, hospitals, experts or claim adjusters, and to share your personal data with them.
In the area of assistance services (e. g. GRAWE mobil, GRAWE help, GRAWE Unfall SOS) we cooperate with Mondial Assistance AG International S.A. (Austrian branch) and use their service for the performance of our contractual obligations. They receive from us all data they need for the processing of a claim.
e) Recipients of data concerning your health
According to the legal regulations, data concerning your health may only in specific cases and within the scope of the consent you gave, but even without your explicit permission (given in individual situations), be transmitted to the following recipients:
examining and treating physicians and hospitals or other medical care and health care institutions, social security institutions, reinsurers, co-insurers or other insurers, cooperating in the processing of the relevant claim, appointed and authorised experts, authorised or legal representatives of the persons concerned, courts, public prosecutors, administrative authorities, arbitration boards or other third party institutions and bodies responsible for dispute resolutions, including all experts appointed by them.
Where is data stored? Can data be transmitted to recipients in third countries?
All data processed in the course of insurance business operations are stored in our internal computer centre in Graz.
A transmission of data to recipients outside the European Economic Area (EEA) takes place only when it has been officially confirmed by the EU Commission that the relevant third country is able to ensure an adequate level of data protection or if other safeguards for data protection, like binding corporate rules or EU Standard Contractual Clauses, exist.
For how long is data stored?
Basically, your data is stored for the duration of our insurance relationship. However, there are legal obligations concerning the preservation of records, requiring that we keep data concerning you or third parties (like co-insured persons), your claim cases and your insurance contract even beyond the term of the insurance relationship or for a certain time after the settlement of a claim. Such documentation and safekeeping obligations are set forth in the Austrian Commercial Code, the Federal Fiscal Code and the Financial Market Anti-Money Laundering Act.
Furthermore, we store your personal data for as long as any legal claims may be asserted in connection with our insurance relationship. The statutory periods of limitation are between 3 and 30 years.
Which rights do you have under the Data Protection Law?
In accordance with articles 15 - 22 GDPR you have the following rights against the data controller concerning the data stored in relation to your person:
- Right of access
- Right to rectification of inaccurate or incomplete data
- Right to erasure of data which have been unlawfully processed
- Right to restriction of processing (as of 25 May 2018)
- Right to object to the processing of personal data (if a legitimate interest exists)
- Right to data portability: right to receive the data you provided in a structured, commonly used and machine-readable format (as of 25 May 2018)
Where the processing of your data is based on your consent, you may withdraw this consent at any time with the effect that we will no longer process your data, unless there is another legal ground that requires a further processing. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The data subject must provide information enabling his or her identification in order to ensure that a response will reach the right person.
You have the right to lodge a complaint with the Austrian Data Protection Authority as the supervisory authority, if you believe that your personal data is being unlawfully processed.