Data protection in Germany is primarily governed by the German Data Protection Act (BDSG). The purpose of this act is to ensure that individuals’ personal rights are protected when their personal data are being handled.
The German Criminal Code (Strafgesetzbuch, StGB) imposes penalties for the disclosure of confidential personal information. Such confidential personal information includes, for example, any information relating to private health, accident or life assurance.
Other laws, such as the German Teleservices Act (Telemediengesetz, Sections 11 et seq. TMG), also incorporate data protection components.
The general rule that applies is that companies may only collect, process and use the data that they actually require. In many cases, the consent of the person affected is required to collect (i.e., procure), process and use their data. Such processing comprises the storing, altering, transfer, blocking and deletion of personal data.
Personal data, within the meaning of the BDSG, relates to specific information concerning personal or factual issues for a specific, or identifiable, natural person.
Examples of personal data include the following:
name, address, date of birth, nationality, telephone number, occupation, bank details; information about your health (in doctors’ opinions, insurance applications etc.), your income (e.g. the so-called "scoring" of credit enquiry agencies, etc.) and financial credit history.
Pursuant to the BDSG, special protections govern all of this information.
Anonymous browsing, cookies, statistical analyses from the Internet
You can visit our website without notifying us of who you are. We will only obtain anonymous information about the name of the Internet provider, the website from which you are visiting us and the pages of our website that you view. This information is evaluated for statistical purposes. You remain anonymous as an individual user.
Information is provided for our customers and business partners on our general pages and strictly no personal information is collected or processed here.
Encryption/secure web pages
Where you input your data through our web pages, these data are retrieved and processed in a secure area using the Secure Sockets Layer (SSL) protocol or a similar technology. This ensures that the data that are passed back and forth between your PC and the website are encrypted. You need an SSL-enabled Internet browser in order to fully benefit from this technology. Such a browser will activate SSL automatically.
If you are using Internet Explorer or Netscape Navigator, you can check if you are in a secure area. You will see a key or padlock symbol in the bottom-right corner of your browser screen. A complete key or a closed padlock indicates that you are in a secure area.
If you are on a secure page, the network address will be preceded by "https".
Personal data in emails, for online applications, conclusion of a contract, etc.
If you send us an email, the data that are transferred (the email address and data that you provide us with, e.g. first name/surname) will be stored in our email systems and may also be stored in other systems.
Should you apply for, or conclude, an insurance agreement on our product pages, the necessary data will be collected. When we collect this data, we will ask you for your consent so that we can collect, process and use it. If you do not give your consent, you cannot conclude an agreement.
Above and beyond this, personal data are only collected if you have given your consent for this. When a claim is being processed, your consent will be sought if, for example, we wish to question a doctor in relation to your health. From time to time, we may perform online surveys of customers and visitors in order to better understand customer needs and experiences. Participation in these surveys is voluntary.
Other data collection
Aside from the Internet, we also collect personal data during applications, when agreements are concluded, for insured events and during job applications. Once again, we will seek the consent of the person involved here. The data will be deleted if they are no longer required or if a statutory retention obligation period has elapsed.
Processing of the data
Your health data and additional data protected under Section 203 StGB are stored in Chubb's special secure IT systems.
Your data are exclusively read and processed for the purposes for which you have provided them to us. These usually include examining your application, preparation of your insurance certificate, the collection of insurance premiums, consultation and the provision of insurance services.
Data security is an essential principle when processing personal data. According to the BDSG, anyone processing personal data must implement appropriate technical and organisational measures in order to protect the data against any unauthorised editing. We ensure that these statutory security provisions are always observed.
If you have provided us with health data, these can only be accessed by a restricted group of people within Chubb European Group SE, Direktion für Deutschland (German Office). Any other personal data (e.g. commencement of cover, your address) may also be viewed by other employees within our company.
Our employees are not authorised to pass personal data on to unauthorised third parties. They are obliged to only use data for specific purposes and to treat data in the strictest confidence. This non-disclosure obligation remains in force beyond the term of our employees’ employment relationship.
If we disclose personal data to third parties, e.g. our insurance brokers or affiliated companies, then contracts are concluded for this purpose. Such contracts ensure that the data are disclosed in accordance with the principles of the German Federal Data Protection Act, particularly in the event of the cross-border disclosure of personal data abroad. Personal data shall only be disclosed to third parties, including our affiliated companies, if you provide your express agreement.
Companies that provide services to us are obliged to meet our strict data protection requirements. These companies may also only process personal data in the context of their services. Examples of such service providers include incident managers who provide services in an emergency, for instance in relation to a travel insurance policy, or a print shop printing insurance certificates. The list of our service providers who collect, process or use personal data for Chubb European Group SE in Germany can be found here: List of Service Providers.
Personal data shall only be disclosed to third parties beyond the scope of the above where this is necessary and permissible for the following reasons:
- in order to meet statutory or regulatory requirements or to follow legal process;
- in order to register or collect receivables to which the company is entitled, or in order to protect our rights;
- in order to prevent or detect crimes.
Under the provisions of the German Data Protection Act (Bundesdatenschutzgesetz, BDSG) and the Tele Services Data Protection Act (Teledienste-Datenschutzgesetz), you have a right to free and prompt information about the personal data held by our company. This information will be supplied to you at your request.
You also have the right to the correction of inaccurate information and to the blocking or deletion of data.
Where you have consented to us using your personal data, you may revoke this consent at any time.
In all such cases, please contact our Data Protection Officer without delay.
The Association of German Insurers (Gesamtverband der Deutschen Versicherungswirtschaft e.V., GDV), as the industry’s primary association in Germany, has developed a self-regulatory code of data protection conduct in conjunction with the German data protection authorities. The Bundesverband consumer advice centre was also involved in the discussions. Like many insurers in Germany, we are a member of the GDV and will sign the code of conduct governing data protection.
This code of conduct and further information can be found here: GDV_Datenschutzkodex_Info.
The code of conduct contains a provision that “consent for the collection and use of health data and a release from the duty of confidentiality” must be obtained from the relevant person.
Declaration of consent and release from the duty of confidentiality
Our declarations of consent and release from the duty of confidentiality have been produced on the basis of the model declaration provided by the GDV / the data protection authorities. Passages that were not required were deleted and the necessary information was added, in line with the official requirements.
We will send you the form that is appropriate for your product with your application.
Our declaration of consent and release from the duty of confidentiality for applications not including health questions can be found here.
In the event of a claim you will receive a new appropriate form. The standard form declaration of consent and release from the duty of confidentiality can be found here.
Attached to the declaration is the list of our service providers and other organisations to whom we disclose your data. You can find the current list here: List of Service Providers.
You will of course also be sent any documents you request by post.