Munich Re logo Not if, but how
EN

Explore Munich Re Group

Get to know our Group companies, branches and subsidiaries worldwide.

Information about data protection for the Pharmapool

    alt txt

    properties.trackTitle

    properties.trackSubtitle

    Transparency regarding how data is processed is a key element of data protection. Our responsibility to ensure that your data is protected in line with the valid data protection regulations is one we take very seriously. This information on data protection is designed to provide you with information on how your personal data is processed by the Munich Re Group and on your rights under data protection law.

    1. Scope of application

    This information on data protection applies to the processing of your personal data by the Pharmapool.

    The Pharmapool is an association of primary insurance and reinsurance companies (hereinafter each referred to as a “Member” and collectively as the “Members”; a list of the Members can be found here. As Managing Member, Munich Reinsurance Company is the central point of contact within the Pharmapool for data protection enquiries).

    2. Who is responsible for processing your data?

    The Members of the Pharmapool have jointly determined the purposes and means of processing. As such, they are jointly responsible for the protection of your personal data with regard to the data processing described below in accordance with Art. 26 of the EU General Data Protection Regulation (GDPR). The Members have decided that Munich Re, as the Managing Member, will process the necessary data for the Pharmapool centrally as a matter of principle. This also includes the processing of your personal data as described below.

    As part of their joint responsibility under data protection law, the Members have also agreed that Munich Re will largely fulfil the obligations under the GDPR for the Pharmapool and provide you with the necessary data protection information.

    The contact details of the Managing Member of the Pharmapool are:

    Münchener Rückversicherungs-Gesellschaft Aktiengesellschaft in München
    Königinstr. 107
    80802 Munich
    Germany

    Tel.: +49 (89) 38 91-0
    Fax: +49 (89) 39 90 56
    email:     contact@munichre.com
    (hereinafter referred to as “Munich Re” or “we”)

    You can contact our Data Protection Officer at the postal address above – please include “Data Protection Officer/ Group Compliance & Legal” in the address – or send an email to datenschutz@munichre.com.

    3. For what purposes, and on what legal grounds, will your data be processed? What categories of data do we process and who might we get you data from?

    According to Section 94 of the German Medicinal Products Act (AMG), pharmaceutical companies are obliged to ensure cover for potential personal injury that could be caused by the medicinal products they place on the market. They generally fulfil this obligation by taking out liability insurance with a primary insurer. The purpose of the Pharmapool is primarily to reinsure these liability insurance policies vis-à-vis the primary insurers.

    3.1 Data on claims made

    We process personal data relating to the event giving rise to the damage, including the contact details of the parties involved, which are necessary for the processing and settlement of the respective claim. Which data this is in each individual case depends on the claim asserted.

    We usually receive this data from you, the claimant or the primary insurer. In exceptional cases, we may also receive this sort of data from public sources or in the course of legal proceedings. However, we generally receive data that has been rendered anonymous. If anonymous data is not sufficient for the aforementioned purposes, we will receive the data in pseudonymised form or, if necessary, with your name.

    The legal basis for processing your personal data is generally Art. 6(1c) of the GDPR. Our legitimate interest lies, in particular, in the proper handling of asserted claims, proper administration and reporting between Members, and the evaluation of data for statistical purposes.

    If special categories of personal data (e.g. your health data) are required, the primary insurer will generally obtain your consent in accordance with Art. 9(2a) in conjunction with Art. 7 of the GDPR, also in favour of (the Members of) the Pharmapool, unless disclosure of the data to, and processing by, the Pharmapool is permitted without such consent on the basis of applicable regulations. Apart from the above, we would primarily process these data categories for the establishment, exercise or defence of legal claims on the basis of Art. 9(2f) GDPR. If we create statistics with these data categories, this will be done on the basis of Art. 9(2j) of the GDPR in conjunction with Section 27 of the German Federal Data Protection Act (BDSG) or Art. 5(1b) in conjunction with Art. 6(4) of the GDPR.

    3.2 Data on the primary insurer

    We process the following data in order to settle a claim: Names, contact details (professional address, telephone numbers, email address) and job titles of employees of primary insurers, current or former Members of the Pharmapool, including the Managing Member, retrocessionaires, brokers, insured pharmaceutical companies and the injured party’s health insurer, as well as the content of written correspondence and work products of the aforementioned persons.

    As a rule, we receive this data from you, your employer or the persons or companies named in the paragraphs above.

    We will process your personal data (primarily your business contact information) mainly to contact you and to communicate with you and/or your company.

    The legal basis for the processing is Art. 6(1b) of the GDPR, insofar as the processing is based on the performance of your employment relationship.

    In the context of the other processing operations described above, we generally also process your data to protect our legitimate interests (Art. 6(1f) of the GDPR). Our legitimate interest lies, in particular, in the proper handling of asserted claims, proper administration and reporting between Members, and the evaluation of data for statistical purposes.

    3.3 Data on third parties

    Furthermore we process the following data: Names, contact details (professional address, telephone numbers, email address) and job titles of any external experts (such as lawyers, tax advisors, auditors or other experts) and (other) service providers, including their employees, consulted by the primary insurer or the Pharmapool or its Members, as well as the content of written correspondence and their work products (such as expert opinions).

    As a rule, we receive this data from you, your employer or the persons or companies named in the paragraphs above.

    We will process your personal data (primarily your business contact information) mainly to contact you and to communicate with you and/or your company.

    The legal basis for the processing is Art. 6(1b) of the GDPR, insofar as the processing is based on the use of (your) services.

    In the context of the other processing operations described above, we generally also process your data to protect our legitimate interests (Art. 6(1f) of the GDPR). Our legitimate interest lies, in particular, in the proper handling of asserted claims, proper administration and reporting between Members, and the evaluation of data for statistical purposes.

    No automated decision-making is used.

    4. Who receives your data?

    The data may also be sent to service providers for the purposes for which it was collected. Service providers have to be involved in the administration and maintenance of IT systems, for example.

    Service providers that we use to send you the information you have requested (e.g. information by mail, newsletters, etc.) will receive the necessary personal data (e.g. postal companies will receive your name and address details). A list of all service providers that process data on our behalf can be consulted or downloaded using the link “Further information” at the end of this data protection information.

    5. Will your data be transferred to a third country?

    As a general principle, we process your personal data in Germany or in countries that are European Union (EU) or European Economic Area (EEA) member states. If we need to transfer personal data to service providers or subcontractors outside the EEA, we will do so only if the European Commission has confirmed that the country’s level of data protection is sufficient, or if data protection is otherwise sufficiently guaranteed (for example, through Binding Corporate Rules, or the European Commission’s Standard Contractual Clauses). You can write to the above-mentioned address to obtain detailed information and to learn more about the level of data protection at our service providers in non-EEA countries.

    6. How long will your data be stored for?

    We will delete your personal data as soon as it is no longer required for the above-mentioned purposes. It is possible that your personal data may be stored until legal claims may no longer be asserted against the Pharmapool (statutory limitation periods of between three and 30 years). Furthermore, we will store your personal data insofar as we are legally obliged to do so. Corresponding documentation or retention duties result, among other things, from the relevant national legal provisions (e.g. the Commercial Code (HGB), the Fiscal Code (AO) and the Money Laundering Act (GwG) in Germany. The respective retention periods may last up to ten years).

    7. What measures do we take to protect your data?

    We take state-of-the-art technical and organisational security measures to protect data against accidental or intentional manipulation, loss, destruction, and access by unauthorised parties.

    8. What data protection rights can you assert as a data subject?

    You can request information about the personal data we have stored under your name, from the address above. In addition, under certain circumstances, you may request that your data be rectified or erased. Furthermore, you may have a right to restrict the processing of your data and a right to disclosure of the data you have made available in a structured, common and machine-readable format. If you have given your consent, you have the right to revoke it at any time with effect for the future; if you were not informed of any other way to do so when you gave your consent, you can send your revocation to the above address.

    If we process your data for the purposes of safeguarding legitimate interests, you may object to this processing on grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or if processing serves the assertion, exercise or defence of legal claims.

    Please contact us at the address above to exercise these rights. 

    9. Who can you contact if you wish to make a complaint?

    If you believe that we have breached applicable data protection law when processing your personal data, you can contact the aforementioned Data Protection Officer or the data protection authorities to make a complaint. The public authority responsible for Munich Re is:

    Bayerisches Landesamt für Datenschutzaufsicht (Data Protection Authority of Bavaria for the Private Sector)
    Promenade 18
    91522 Ansbach
    Germany

    10. Changes to this information on data protection

    We have to amend our data protection information from time to time to make ongoing improvements to our website and to reflect technological advances. When you visit our website, please read the current version of our information on data protection (current version: June 2025).