Information about data protection for business partners, service providers and interested parties
In the present notice, we would like to explain how your personal data will be processed, and inform you of your rights as a business partner, service provider or other interested party under data protection law. The exact type of data that will be processed, and how it will be used, depends mainly on your type of business or service, so that not all the following information will be applicable to you.
1. Who is responsible for processing your data?
Aktiengesellschaft in München
80802 München Germany
Tel.: +49 (89) 38 91 22 55
Fax: +49 (89) 39 91 7 22 55
If you have any questions about this information, you may contact our Data Protection Officer. The data protection officer can be contacted by post to “Data Protection Officer” at the above address, or by email to firstname.lastname@example.org.
2. What data and sources do we use?
We process the personal data that you provide us in the course of our business relationship. We will also process, to the extent necessary, any personal data that we legitimately either obtain from public sources (e.g. company publications, media reports, internet) or receive from other companies in the Munich Re reinsurance group. The respective personal data mainly includes your business contact information, your position, our business communication with you and the data this involves, and possibly your professional interests.
3. For what purposes, and on what legal basis, will your data be processed?
We process your personal data in compliance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and all other applicable laws:
a. To fulfil (pre-)contractual duties (Art. 6(1)(b) of the GDPR)
The processing will be performed in the context of preparing, executing and terminating reinsurance arrangements in all lines of business, in connection with other services, or when using service providers.
We will process your personal data (primarily your business contact information) mainly to contact you (including via video conference systems) and to communicate with you and/or your company. The data is processed primarily in our contact management system. Furthermore, you have the opportunity to enter data in individual systems (e.g. chats in the course of online communications) and to upload documents.
b. For the purposes of protecting our legitimate interests (Art. 6(1)(f) of the GDPR)
Where necessary, we will process your data beyond the actual framework of our business relationship, for the purposes of legitimate interests pursued by us or a third party. Some examples of this would be:
- Sending digital or postal greeting cards to business partners, for example at Christmas or on corporate anniversaries
- Posting brochures or flyers to business partners to inform them of current Munich Re activities
- Transmitting data in the Munich Re reinsurance group in our contact management system
- Obtaining contact information using publicly available sources
- Technical data from electronic communication and data exchange (e.g. log data)
c. Based on your consent (Article 6(1)(a) of the GDPR)
Where you have consented to our processing your personal data for specific purposes, that constitutes the legal basis. You may revoke your consent at any time. This also applies to the revocation of any consent that was given to us before the GDPR came into effect (i.e. before 25 May 2018). Revoking consent applies only for the future and does not affect the validity of the data processed until the revocation.
Such consent particularly applies to
- Your participation in anonymous and personalised surveys to improve the quality of our service, or in the context of events and seminars, e.g. your choice of appropriate topics or lecturers. Surveys help us adapt our means of communication, e.g. our website, to your needs. Participating in such surveys is voluntary.
- Sending newsletters to regularly inform you of relevant and interesting Munich Re news. In order for you to subscribe to a newsletter offered on our website, we need your email address and other information. This allows us to check whether you are the owner of the email address provided, and that you consent to receiving the newsletter. We will use your data to send you the information you request. There is an “Unsubscribe” button at the end of each newsletter that you can use to unsubscribe to the respective newsletter, or to object to the use of your data overall.
- Information about, or invitations to, events and seminars. We process your personal data to send you invitations to events that may be relevant for you and your work. When you register for a seminar or event, we send you the necessary information about it. This includes emails about the registration process, the location and programme, and surveys about your experience at the seminar. We save your seminar or event registration information in our contact management system.
- Sending information on the basis of your stated interests. When you subscribe to a given newsletter, you can indicate your individual areas of interest (e.g. Internet of Things, cyber, life insurance). Using this information, we can send you more targeted information. This can take the form of a newsletter or invitations to events that may be relevant to you, for example.
- Information in personalised cookies. Where you have consented to our collating your data and creating a profile of your interests, we will save your data and interests, and collate them accordingly. We then use personalised cookies for this purpose. This allows us to recognise you personally when you use our digital media (e.g. our website), and provide you with information that is even more relevant and better tailored to you. Cookies are small files that control how our website looks and functions. They do not damage your computer and do not contain viruses. You may of course delete the cookies from your web browser at any time. Examples:
- If you indicated that you are interested in the Internet of Things, we can send you interesting informational material about that topic, or send you a flyer. You may of course unsubscribe at any time.
- If we can recognise your interests through personalised links in newsletters or on our website, we can provide you with even more relevant and interesting information. If you have subscribed to one of our general newsletters and click on a link in the newsletter, we recognise that this is a topic that particularly interests you. Our webpages can then be especially tailored to your needs, so that it becomes even easier and quicker for you to find the information you want.
- If we know your interests, we can invite you to events and seminars that you may like. If we know what parts of an event or seminar you attended, we can design them better in the future, or make more appropriate information available to you. We also take voluntary surveys during and following events. Your personal feedback helps us to choose appropriate topics or presenters.
- If you do not want us to consolidate your data (i.e. create a profile), you may refuse your consent, or revoke it later without providing a reason. If you refuse your consent, or revoke it later, we will of course not collate your information into a profile of your interests. This means that we will not be able to recognise you as someone who is interested in certain topics, and cannot send you targeted information.
We will save your personal data such as your interests and consents to receive newsletters, invitations to events and seminars, survey responses, and consents to profiling or other consents, in our contact management system. Your consents will be documented there and can be inspected at your request.
d. Based on legal obligation (Art. 6(1)(c) of the GDPR)
We will also process your data to fulfil our legal duties, e.g. based on supervisory provisions, or to compare your data against sanctions lists to comply with counter-terrorism rules (e.g. Council Regulation 2580/2001).
4. Who receives your data? What categories of recipient might we disclose your data to?
Only those staff within Munich Re (Group) who need your data for the aforementioned purposes will have access to it.
External service providers
In certain cases, we use external service providers to meet our contractual and legal duties. Outsourcing is necessary, for example, when creating the content for our website or sending out newsletters. We have concluded corresponding data protection agreements with such service providers.
Service providers that we use to send you the requested information (such as brochures by mail, issuing electronic newsletters) will receive the necessary personal data. The categories of service providers can be found here.
Companies in the Munich Re reinsurance group:
Only those authorised staff in our worldwide reinsurance group have access to our contact management system.
5. How long do we store your data?
As a rule, we anonymise or delete your personal data as soon as it is no longer necessary for the aforementioned purpose, unless statutory documentation and retention rules (e.g. in the German Stock Corporation Act (AktG), Commercial Code (HGB) or Tax code (AO)) require us to keep it for longer. We will store your personal data for longer than that only in exceptional cases, where necessary in connection with claims asserted against Munich Re (Group) (statutory limitation period of up to 30 years).
6. How do we transmit data to countries outside Europe?
If we need to transfer personal data to service providers outside the European Economic Area (EEA), we will do so only if the European Commission has confirmed that the respective country’s level of data protection is sufficient, or if data protection is otherwise sufficiently guaranteed (for example, through binding, in-house data protection provisions, or the European Commission’s standard contractual clauses).
The companies in the Munich Re reinsurance group have adopted binding corporate rules on data protection: https://www.munichre.com/content/dam/munichre/global/content-pieces/documents/Binding-Corporate-Rules-de.pdf/_jcr_content/renditions/original.media_file.download_attachment.file/Binding-Corporate-Rules-de.pdf ). Appropriate data protection guarantees are thus in place worldwide at those Group companies. You may obtain further information on this issue, as well as about the level of data protection at our third-country service providers, from the aforementioned contacts.
7. What data protection rights do you have?
In addition to your right to object, you have a right to information, a right to rectify or erase data under certain conditions, as well as a right to restrict data processing. Upon request, we will make the data that you provided available in a structured, accessible and machine-readable format. Please contact the aforementioned address to exercise these rights.
Right to object
If we process your data for the purposes of protecting legitimate interests, you may object to this processing on grounds relating to your particular situation. We will then stop the processing, unless we have compelling legitimate interests to do so which override your grounds. Even after giving your consent, you are entitled to revoke it for the future without consequences.
8. Would you like to file a complaint about how your data is being handled?
You may contact the aforementioned Data Protection Officer or the data protection authorities. The authority responsible for us is:
Bayerisches Landesamt für Datenschutzaufsicht (Data Protection Authority of Bavaria for the Private Sector), Promenade 27, 91522 Ansbach, Germany Tel.: +49 (0) 981 53 1300, Email: email@example.com or https://www.lda.bayern.de/en/contact.html
9. Are you obliged to provide your data?
We need your personal data, for example to send you the requested information, the newsletter you subscribed to, or invitations to events. Without this data, Munich Re cannot carry out the services you request.