Information about data protection in reinsurance
As an applicant, policyholder, insured party or other affected person (e.g. injured party or beneficiary) of an insurer for which we act as reinsurer, these notes are designed to inform you about how Münchener Rückversicherungs-Gesellschaft Aktiengesellschaft in München processes your personal data and to inform you of your data protection rights in law.
Who is responsible for processing your data?
Aktiengesellschaft in München
Germany +49 (89) 38 91-0
Telefax: +49 (89) 39 90 56
If you have any questions about this information, you can also contact our Data Protection Officer. The Data Protection Officer can be contacted by post at the above address or by sending an email to email@example.com.
Which data will be processed for what purposes, and on what legal basis?
We process your personal data in compliance with the EU General Data Protection Regulation (GDPR) and all other applicable national laws.
In order to be in a position to meet their obligations from insurance contracts at any time, primary insurers may cede a portion of their risks from insurance contracts to reinsurers.
Where we are the reinsurer for the primary insurance company with which you wish to conclude or have concluded an insurance contract, or if you have claims arising from the contract as an insured person, beneficiary or injured party, it is possible that we will receive details of your application, contract and/or claim from this insurance company if necessary for the proper justification, performance (including claims) or termination of the reinsurance agreement. The same applies if we are involved as a co-reinsurer with another reinsurance company (retrocession).
The data that we receive from the (re)insurance company is often anonymised. Where anonymised data is insufficient for the aforementioned purposes, we receive data from the insurance application or contract, and may receive claims-related data (e.g. policy number, premium, type and amount of insurance cover and risk, including any risk loading and possible causes that may affect claims) in a pseudonymised format, or even including your name (particularly for life insurance or personal injuries with high sums insured).
As the reinsurer, we only receive your personal data insofar as it is necessary. In specific circumstances, this could be necessary for the following reasons:
- We may carry out the risk and claims assessment ourselves in cases where the sum insured is high, or where there is a specific risk that is difficult to categorise.
- We provide support to your insurance company in assessing risk and losses, and in evaluating procedures.
- We are provided with lists of the contracts covered by the reinsurance. These lists serve to determine the scope of the reinsurance agreements, including checks on whether and to what extent we cover the same risk (accumulation control), and also for settlement purposes.
- We check our obligation to pay your insurer, or we may monitor risks and claims by making spot checks at the primary insurer or in individual cases.
We only use these personal data for the stated purposes or for associated compatible purposes (particularly for drawing up insurance-specific statistics – such as for setting new tariffs or to meet regulatory requirements). Further data may be used to prepare overarching insurance statistics (e.g. for mortality), and for risk classifications we usually receive data in anonymised or (where necessary for statistical purposes) in a pseudonymised format. There is no possibility of anonymised data being linked with your personal details. Pseudonymised data is provided in conjunction with your contract or claims number, but not with your name or other information that allows you to be identified. Linking these pseudonyms (e.g. claims number) with your personal details is normally only possible for the insurance company that provides us with the data.
The legal basis under which we process your personal data is Article 6(1)(b) of the EU General Data Protection Regulation (GDPR), where reinsurance is required for the conclusion or performance of the insurance contract with your insurer. If the reinsurance is intended to help your insurer meet its obligations under the insurance contract, processing is necessary for the purposes of protecting legitimate interests pursuant to Article 6(1)(f) of the General Data Protection Regulation.
Where special categories of personal information are required (such as your health data when concluding a life insurance contract or a check on our indemnity obligations), your insurer will regularly ask for your consent in accordance with Article 9(2)(a) in conjunction with Article 7 of the GDPR also in favour of the reinsurer where transmission to and processing of the data by the reinsurer is not provided by other applicable laws (particularly at the registered office of your insurer) without provision of consent. If we prepare statistics using these data categories, we do so in accordance with Article 9(2)(j) of the GDPR (e.g. in Germany in conjunction with Section 27 of the German Federal Data Protection Act (BDSG)) or Article 5(1)(b) in conjunction with Article 6(4) of the GDPR.
We also process your data where it is necessary for the purposes of protecting our legitimate interests, or those of third parties (Article 6(1)(f) of the GDPR). This may be necessary, for example:
- to meet requirements from public authorities,
- for accumulation control purposes in the Munich Re reinsurance group with respect to particularly high life insurance amounts. These may require us to collect data on other risk-relevant groups of persons from publicly accessible sources such as the internet (for example, the names of the team members of a professional sports player) in order to appropriately estimate our possible overall exposure for individual loss events,
- or to ensure IT security and IT operations.
We also process your personal data in order to comply with legal requirements – such as regulatory requirements, retention requirements under commercial and tax laws, or in order to check your data against sanctions lists drawn up under anti-terrorism laws (e.g. EU Regulation 2580/2001). In these cases, the processing is permitted by the respective statutory provision in conjunction with Article 6(1)(c) of the GDPR.
Should we wish to process your personal data for a purpose not listed above, we would inform you of this in advance, in accordance with the law.
Who sends us your data?
We regularly receive your data from primary insurance companies under the conditions set out above. In rare cases, we also receive your data from other reinsurance companies if they do not wish to bear the full risk alone. In exceptional cases, we will use publicly available sources – particularly in the case of major losses or for the purposes of accumulation control described above.
To which categories of recipient might we disclose your data?
External service providers:
We use external service providers to meet some of our contractual and legal duties. The categories of service providers can be found here: https://www.munichre.com/en/general/gdpr.html
Munich Re reinsurance group companies:
These companies receive data in individual cases where necessary for accumulation control in the reinsurance group for particularly high life insurance amounts.
Some primary insurance companies and other reinsurers use agents or service providers for business acquisition or to administer reinsurance agreements. In such cases, where we process your data for the purposes set out above, your data will be transmitted to such agents or service providers when the data is being passed to us by your primary insurer or between us and another reinsurer.
In addition, in certain cases we may share your personal data with other recipients – for example, public authorities in order to meet statutory reporting duties, or to retrocessionaires (other reinsurers we involve in order to further equalise our risks).
How long do we store your data?
We will delete your personal data as soon as it is no longer required for the aforementioned purposes. However, it is possible that your personal data may be saved until legal claims may no longer be asserted against our Company (a statutory limitation period of between 3 and 30 years). In addition, we will retain your personal data where we are required to do so by law. Relevant documentation and record-retention requirements are set out in applicable national laws (for example, in the German Commercial Code (HGB), the German Tax Code (AO), and the German Money Laundering Act (GwG)). The applicable retention periods are up to ten years.
How do we transmit data to countries outside Europe?
If we need to transfer personal data to service providers outside the European Economic Area (EEA), we will normally do so only if the European Commission has confirmed that the respective country’s level of data protection is sufficient, or if data protection is otherwise sufficiently guaranteed (for example, through binding, in-house data protection provisions, or by application of the European Commission’s standard contractual clauses). In some rare cases, an appropriate level of data protection may be unnecessary if transmission is only occasional and necessary to secure your claim against your insurer.
The companies in the Munich Re reinsurance group have adopted binding corporate rules on data protection: https://www.munichre.com/content/dam/munichre/contentlounge/website-pieces/documents/general/Binding-Corporate-Rules-en.pdf
Appropriate data protection guarantees are thus in place worldwide at those Group companies. You may obtain further information on this issue, as well as about the level of data protection at our third country service providers, from the aforementioned contacts.
What data protection rights do you have?
In addition to your right to object, you have a right to information, a right to rectify or erase data under certain conditions, as well as a right to restrict data processing. Upon request, we will make the data that you provided available in a structured, accessible and machine-readable format. You have a right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Please contact the aforementioned address to exercise these rights.
Right to object
If we process your data for the purposes of protecting legitimate interests, you may object to this processing on grounds relating to your particular situation.
Would you like to file a complaint about how your data is being handled?
You may contact the aforementioned Data Protection Officer or the data protection authorities.
The public authority responsible for Munich Re is:
Bayerisches Landesamt für Datenschutzaufsicht (Data Protection Authority of Bavaria for the Private Sector), Promenade 27, 91522 Ansbach, Germany. Tel.: +49 (0) 981 53 1300
Email: firstname.lastname@example.org or
We will notify you should this information change substantially.