Information on data privacy

Helping you keep an overview

This data privacy notice is to inform you about how we handle your personal data and about your rights under the European General Data Protection Regulation [GDPR] and the German Federal Data Protection Act [BDSG]. The data controller (unless otherwise stated below) is Hübener Versicherungs AG (hereinafter referred to as ‘Hübener’, ‘we’ or ‘us’).

Our data privacy notice consists of two parts. In Part A, you will find general information relating to data privacy at Hübener and learn, among other things, what rights you have and where you can assert them. Part B is dedicated to the various groups of data subjects and explains in detail what personal data we collect and process. In doing so, we address you in your role as:

a. visitors to our website;
b. interested parties;
c. policyholders;
d. co-insured persons and contributors;
e. persons involved in a claim;
f. insurance brokers, insurance intermediaries and underwriting agents
g. contact persons at service providers, suppliers or business partners;
h. applicants;
i. newsletter subscribers;
j. social media users.

A. General information

1. Our contact details

If you have any questions or suggestions regarding this information or if you wish to assert your rights, please contact

Hübener Versicherungs AG
Ballindamm 37
20095 Hamburg
Phone +49 40 226 31 78 – 0
Email

2. On what basis do we process your data?

The data protection term ‘personal data’ refers to all information that relates to an identified or identifiable person. We process personal data in compliance with the relevant data protection regulations, in particular the GDPR and the BDSG. We only process data on the basis of a statutory authorisation. We process personal data only with your consent (Art. 6 (1) (a) GDPR), for the performance of a contract to which you are a party or at your request to carry out pre-contractual measures (Art. 6 (1) (b) GDPR), for compliance with a legal obligation (Art. 6 (1) (c) GDPR) or if the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6 (1) (f) GDPR).

If you apply for a vacancy in our company, we will also process your personal data for the purpose of deciding on the establishment of an employment relationship (Art. 6 (1) lit. b) GDPR and Section 26 (1) Sentence 1 BDSG).

3. Your rights 

Your data – your control! As the data subject, you therefore have the right to assert your rights against us. You have the following rights under the data protection laws that apply to you:

• In accordance with Art. 15 GDPR and Section 34 BDSG, you have the right to request information about whether and, if so, to what extent we process personal data about you or not.
• You have the right to request that we rectify your data in accordance with Art. 16 GDPR.
• You have the right to request that we erase your personal data in accordance with Art. 17 GDPR and Section 35 BDSG.
• You have the right to request that we restrict the processing of your personal data in accordance with Art. 18 GDPR.
• In accordance with Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
• If you have given us separate consent to the data processing, you can revoke this consent at any time in accordance with Art. 7 (3) GDPR. Such a revocation does not affect the lawfulness of the processing that has taken place up to the point of revocation on the basis of the consent.
• If you believe that the processing of personal data concerning you is in breach of the provisions set out in the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.

In accordance with Article 21(1) GDPR, you have the right to object, on grounds relating to your particular situation, at any time, to processing of personal data concerning you which is based on point (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions. If we process personal data about you for the purpose of direct marketing, you can object to this processing in accordance with Art. 21 (2) and (3) GDPR.

If you exercise your rights under Art. 15 to 22 GDPR, we will process the personal data transmitted for the purpose of implementing these rights by us and to be able to provide proof of this. We will only process data stored for the purpose of providing and preparing information for this purpose and for the purpose of data protection control and will otherwise restrict the processing in accordance with Art. 18 GDPR.

These processing operations result from the legal basis of Art. 6 (1) (c) GDPR in conjunction with Art. 15 to 22 GDPR and Section 34 (2) BDSG.

4. Where do we process your data?

In principle, we process your data on European servers with the highest security standards. In providing our services, we are supported by external service providers to whom we forward your data. Some data processing may involve the transmission of certain personal data to third countries, i.e. countries where the GDPR is not applicable law. Such data transmissions are lawful where the European Commission has decided that an adequate level of data protection is provided in such a third country. This applies to all transmissions of data to countries on this list: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

If there is no such adequacy decision by the European Commission, personal data will only be transmitted to a third country if appropriate safeguards pursuant to Art. 46 GDPR are in place or if one of the requirements of Art. 49 GDPR is met.

If there is no adequacy decision and nothing else is specified below, we use the EU standard data protection clauses as suitable guarantees for the transmission of personal data from the scope of the GDPR to third countries. You can obtain or view a copy of these EU standard data protection clauses. Please contact us at the address in the ‘Contact details’ section.

If you consent to the transmission of personal data to third countries, the transmission takes place on the legal basis of Art. 49 (1) lit. a) GDPR.

5. To whom and why do we pass on your personal data?

In order to provide our services and operate economically as a company, we use various external companies to which we, in some cases, transmit personal data. If other specific recipients contain personal data for some groups of data subjects, we will inform you about this in Part B.

• Hosting provider: We commission certified service providers to host our data.
• IT service providers and SaaS providers: We use the services of various service providers who support us as processors and simplify and optimise our processes.
• Advertising and marketing providers: With the help of advertising and marketing providers, we aim to increase our brand awareness, promote demand for our products and increase our customer loyalty. To this end, campaigns are planned, broadcast and their success measured and analysed. Generally, the providers are also processors.
• Authorities: In order to comply with legal regulations or to respond to court orders or other similar official requests, further transmissions may take place.
• Reinsurance companies: We work together with reinsurance companies to protect against high financial losses. In certain cases, your personal data will be passed on for this purpose. Some of the reinsurance companies are based in Switzerland. The transmission to third countries takes place on the basis of the adequacy decision for Switzerland.
• Other insurers: In certain cases, we transmit personal data to other insurers. This is the case, for example, if the insured risk is not only borne by us, but is spread across several insurers. We also transmit personal data of policyholders to the following insurers if certain conditions are met.
• Experts: We work together with external experts (e.g. lawyers) to assess claims and sums insured. If necessary, your personal data will be passed on in this context.
• Gesamtverband der Deutschen Versicherungswirtschaft e.V. (German Insurance Association): In certain cases (e.g. in the event of major claims), notifications are sent to the German Insurance Association; as a rule, this does not involve personal data. However, it cannot be ruled out that by combining this information with information from other data sources, it is possible to draw conclusions about policyholders.
• Insurance brokers, insurance intermediaries, underwriting agents and broker pools: We pass on the contract and claims-related data required to provide you with advice and support to these persons and bodies.
• Service providers: We may also transmit your personal data to organisations such as postal and delivery services, your bank, tax consultancy/auditing firms, lawyers, debt collection service providers and service providers for document destruction.

6. How long do we store your data? 

Unless otherwise stated in the following, we only store the data for as long as is necessary to achieve the purpose of processing or to fulfil our contractual or legal obligations. Such statutory retention obligations may arise in particular from commercial or tax law regulations. From the end of the calendar year in which the data was collected, we will retain such personal data contained in our accounting records for ten years and retain personal data contained in commercial letters and contracts for six years. In addition, we will retain data relating to declarations of consent subject to proof as well as data in connection with complaints and claims for the duration of the statutory limitation periods. We will erase data stored for advertising purposes if you object to processing for this purpose.

7. How do we use ‘cookies’ and other tracking technologies?

We use cookies and similar technologies on our website. You can learn more about how we use these technologies in our cookie banner. The banner can be accessed via the footer of our website. There you will also find a list of other companies that place cookies on our websites and process data on the basis of your consent in accordance with Art. 6 (1) lit. a) GDPR, a list of cookies that we place and an explanation of how you can refuse certain types of cookies.

8. How can you contact our Data Protection Officer?

You can contact our data protection officer by email at:

Herting Oberbeck Datenschutz GmbH
https://www.datenschutzkanzlei.de

B. Special section – How and why we process your data

a. Visitors to our website

1. We process pseudonymised data on the device and browser you use, your network connection and your IP address for the following purposes:- Ensuring the security, operability and stability of our website, including defence against attacks.

   Legal basis: Legitimate interest in the flawless functioning and stability of the website pursuant to Art. 6 (1) (f) GDPR.

   – Integration of third-party content (e.g. maps).

   Legal basis: Consent pursuant to Art. 6 (1) lit. a) GDPR, which we obtain via the consent banner on our website and which you can revoke or adjust at any time via the footer of the website.

    

2. We process information about your surfing behaviour on the website. This includes the IP address and information about your browser and is used for the following purposes:- Reach measurement and analysis of visitor behaviour to optimise our websites, increase customer satisfaction and analyse errors.

   Legal basis: Our legitimate interest pursuant to Art. 6 (1) (f) GDPR is in the optimisation of our website.

   For this purpose, we use the Fathom service of Conva Ventures, Inc (Canada). The transmission of data to third countries takes place on the basis of the adequacy decision for Canada.

    

3. We process data that you provide to us in contact forms about yourself or the company in which you work, such as your name, email address and telephone number, for the following purposes:- Acquisition and customer acquisition;
   – Support and communication: Responding to enquiries.

   Legal basis: Legitimate interest pursuant to Art. 6 (1) (f) GDPR is in responding to incoming enquiries.

b. Interested parties

We process data that you provide to us about yourself, insured property or insurance items. The data collected includes, for example, your name, your contact details, your master data and your bank details. In addition, we may obtain information about you from your previous insurer. This processing is carried out for the following purposes

– Initiation of a contractual relationship (including calculation of insurance premiums, obtaining information about relevant incidents from previous insurers, if necessary, appraisal of insured objects or insured items).

Legal basis: Contract initiation pursuant to Art. 6 (1) lit. b) GDPR. It is not possible to initiate a contract without providing the data. If you are not a party to the contract yourself (e.g. in the case of corporate customers), the legal basis is our legitimate interest in the initiation of the contract pursuant to Art. 6 (1) (f) GDPR.

– To check your creditworthiness.

Legal basis: Legitimate interest pursuant to Art. 6 (1) lit. f) GDPR is in minimising the risk of non-payment.

Your personal data may be transmitted to experts, other insurance companies or reinsurers. Further information on data recipients can be found under section A.5.

c. Policyholder

We process data that you provide to us within the scope of our contractual relationship about yourself, insured property or insurance items and which we require to fulfil the insurance contract. This includes, for example, billing data, contract data or the content of our correspondence with you. Here, processing is carried out for the following purposes:

– Fulfilment of the insurance contract (e.g. for invoicing, dunning);
– Claims processing;
– Support and communication: Responding to enquiries.

Legal basis: Contract fulfilment pursuant to Art. 6 (1) lit. b) GDPR. Contract fulfilment is not possible without the provision of the data. If you are not a party to the contract yourself (e.g. in the case of corporate customers), our legitimate interest in the fulfilment of the contract pursuant to Art. 6 (1) (f) GDPR is the legal basis.

– To comply with legal regulations and retention obligations.

Legal basis: Compliance with legal obligations pursuant to Art. 6 (1) lit. c) GDPR.

Your personal data may be transmitted to experts, other insurance companies, reinsurers, insurance brokers, insurance intermediaries, underwriting agents, broker pools, the German Insurance Association, authorities and service providers. Further information on data recipients can be found under section A.5.

d. Co-insured persons and premium payers

We process data that you or others, in particular the policyholder(s), provide to us about you (e.g. name, contact details, master data). We also process data of persons who are not policyholders or co-insured persons but who pay the insurance premiums for other persons. In this context, processing is carried out for the following purposes:

– Execution of insurance contracts;
– Claims processing;
– Processing of payments.

Legal basis: The legal basis pursuant to Art. 6 (1) lit. f GDPR is our legitimate interest in the fulfilment of contracts and the processing of payments.

– To comply with legal regulations and retention obligations.

Legal basis: Compliance with legal obligations pursuant to Art. 6 (1) lit. c) GDPR.

e. Persons involved in damage claims

We process data that you or the policyholder(s) provide to us about you, such as your name, your contact details, your master data and information about the damage claim. This may also include health data and thus, special categories of personal data within the meaning of Art. 9 (1) GDPR. We process this data for the following purposes:

– Fulfilment of insurance contracts;
– Claims settlement.

Legal basis: Art. 6 (1) lit. c) GDPR in conjunction with Section 100 of the German Insurance Contract Act [VVG] and Art. 6 (1) lit. b) GDPR or, if you are not a party to the contract, our legitimate interest pursuant to Art. 6 (1) lit. f) GDPR in the performance of the contract. In the case of the processing of health data, Art. 9 (2) lit. f) in conjunction with Section 100 VVG forms the legal basis. If consent is obtained in individual cases, Art. 6 (1) lit. a) GDPR and Art. 9 (2) lit. a) GDPR constitute the legal basis.

Your personal data may be transmitted to experts, other insurance companies, reinsurers, insurance brokers, insurance intermediaries, underwriting agents, broker pools, the German Insurance Association, authorities and service providers. Further information on data recipients can be found under section A.5.

f. Insurance brokers, insurance intermediaries and underwriting agents

We process data that you provide to us about yourself and, if applicable, the company in which you work, such as your name, email address and telephone number for the following purposes:

– Contract fulfilment (this includes contract administration, documentation on ongoing cooperation, billing and communication).

Legal basis: Contract fulfilment pursuant to Art. 6 (1) lit. b) GDPR. If you are not a party to the contract yourself, the legal basis is our legitimate interest in the fulfilment of the contract between the company in which you work and us in accordance with Art. 6 (1) (f) GDPR.

g. Contact persons at service providers, suppliers or business partners

We process data that you provide to us about yourself and the company in which you work, such as your name, email address and telephone number, for the following purposes:

– Fulfilment of the contract with the company in which you work (this includes contract administration, documentation on ongoing cooperation, invoicing and communication).

Legal basis: Legitimate interest pursuant to Art. 6 (1) lit. f) GDPR in the fulfilment of the contract between the company in which you work and us.

h. Applicants

1. We process data that you provide to us in the course of your application or that a recruitment agency transmits to us. This is information in connection with your CV, your previous career and other data that we process for the following purposes:– Determining whether employment is possible;
   – Initiation of an employment relationship.

   Legal basis: Contract initiation in accordance with Art. 6 (1) lit. b) GDPR and Section 26 (1) Sentence 1 BDSG.

   – Fulfilment of statutory retention obligations or defence against legal claims.

   Legal basis: Compliance with legal obligations pursuant to Art. 6 (1) lit. c) GDPR.

   – Inclusion in our talent pool for subsequent re-contact if no employment relationship is initially established.

   Legal basis: Consent pursuant to Art. 6 (1) lit. a) GDPR, which you can revoke at any time by contacting us using the contact details above.

    

2. We process your name and contact details, which we have received in the course of the application process, for the following purpose:- This makes it possible to establish who has applied to us in the past.

   Legal basis: Legitimate interest pursuant to Art. 6 (1) lit. f) GDPR in the planning of our company.

   If we are unable to offer you employment, we will keep the application documents you have submitted for up to six months after a rejection for the purpose of answering questions in connection with your application and rejection. This does not apply if statutory provisions prevent erasure, if further storage is necessary for the purpose of providing proof or if you have expressly consented to longer storage period.

i. Newsletter subscribers

1. We process your name and contact details, which you provide to us when registering for our newsletter, for the following purposes:– Sending personalised advertising mailings with information and updates on our activities for the purpose of promoting sales and acquiring new customers;
   – Verification of your email address via the double opt-in procedure.

    

2. We process pseudonymous information on how our newsletter is used (click behaviour, opening rate and time, length of stay) for the following purposes:- Performance measurement to optimise our content and improve our products.

   The legal basis for data processing in connection with our newsletter is your consent in accordance with Art. 6 (1) (a) GDPR, which you can revoke at any time by contacting us using the contact details above or by using the unsubscribe link.

j. Social media visitors

1. Responsibility of social media providers

When you visit our social media pages (Instagram and LinkedIn) on which we present our company, certain information about you as a visitor is processed.

Further information:

Instagram:

• Privacy policy of Meta Platforms Ireland Limited
• Opt-out-Option

LinkedIn: Privacy policy of LinkedIn Ireland Unlimited Company

2. Joint responsibility of the social media providers and Hübener (joint controllers)

The social media providers collect and process event data and send us anonymised statistics and data for our pages, which help us to gain insights into the various activities that visitors carry out on our site (so-called ‘Page Insights’). These page insights are generated on the basis of certain information about individuals who have visited our site(s).

Further information:

Instagram:

• Joint Controller Agreement
• Data subject rights can also be asserted against Meta. Further information on this can be found in the privacy policy.

LinkedIn:

• Joint Controller Agreement
• Data subject rights can be asserted via this contact form at LinkedIn. You can contact LinkedIn’s data protection officer via this link.
• LinkedIn and Hübener Versicherungs AG have agreed that the Irish Data Protection Commission is the competent supervisory authority overseeing the processing of page insights. You can lodge your complaint with the Irish Data Protection Commission (see www.data protection.ie) or with another supervisory authority.

3. Hübener’s responsibility

We process information that you have provided to us via our social media channels on the respective social media platform. This information may be the name used, contact information or a message to us.

Legal basis: Legitimate interest pursuant to Art. 6 (1) lit. f) GDPR in communicating with interested parties and followers.