Munich Re logo Not if, but how
EN

Explore Munich Re Group

Get to know our Group companies, branches and subsidiaries worldwide.

Information about data protection for the reinsurance industry

    alt txt

    properties.trackTitle

    properties.trackSubtitle

    Transparency regarding how data is processed is a key element of data protection. Our responsibility to ensure that your data is protected in line with the valid data protection regulations is one we take very seriously. This information on data protection is designed to provide you with information on how your personal data is processed by the Munich Re Group and on your rights under data protection law.

    1. Scope of application

    The following information about data protection applies to applicants, policyholders and persons involved (e.g. injured parties or beneficiaries) of an insurer for whom we act as the reinsurer.

    2. Who is responsible for processing your data?

    Münchener Rückversicherungs-Gesellschaft Aktiengesellschaft in München
    Königinstr. 107
    80802 Munich
    Germany

    Tel.: +49 (89) 38 91-0
    Fax: +49 (89) 39 90 56
    email:     contact@munichre.com
    (hereinafter referred to as “Munich Re” or “we”)

    You can contact our Data Protection Officer at the postal address above – please include “Data Protection Officer/ Group Compliance & Legal” in the address – or send an email to datenschutz@munichre.com.

    3. For what purposes, and on what legal grounds, are which categories of data processed?

    In the event that we are the reinsurer of the primary insurer with which you wish to conclude, or have concluded, an insurance contract, or with which you have claims under an insurance contract as an insured person or affected individual, it is possible that we will receive your application, contract and/or claims data from this insurance company if this is necessary for the proper establishment, performance (including provision of benefits) or termination of the reinsurance contract. The same applies if we are called in by another reinsurer as co-reinsurer (retrocession).

    In general, we only receive anonymised data from the insurance/reinsurance company. Insofar as anonymous data is not sufficient for the aforementioned purposes, we will receive the data from the insurance application or relationship as well as, if applicable, the data underlying a claim for benefits (e.g. insurance number, premium, type and amount of insurance cover and risk [including any risk loadings] as well as, if applicable, the causes of the claim for benefits) in pseudonymised form or potentially mentioning your name (in particular in the case of life insurance or high-sum personal injury).

    As reinsurers, we only receive your personal data insofar as this is necessary for reinsurance purposes. This may be the case in the specific reinsurance relationship for various reasons: 

    • In the case of high contract amounts or risks that are difficult to classify, we may carry out the risk and benefit assessment ourselves;
    • We need to support your insurer, in particular, in the assessment of risks and losses and in the evaluation of procedures;
    • We receive lists showing the portfolio of contracts covered by the reinsurance. These lists are used to determine the scope of the reinsurance contracts, including checking whether and to what extent we are involved in one and the same risk (accumulation control), and for accounting purposes;
    • We need to check our obligation to pay benefits vis-à-vis your insurer, or we check the risk and benefit assessment by the primary insurer on a spot-check or case-by-case basis; and/or
    • To prevent and investigate criminal offences such as insurance fraud. 

    We will only use this data for the aforementioned purposes and for purposes that are compatible with them (in particular to compile insurance-specific statistics, e.g. to develop new tariffs, for data analysis purposes, to analyse specific loss patterns, or to fulfil supervisory requirements). We generally receive further data for the compilation of overarching insurance-specific statistics (e.g. on mortality) or for risk classifications in anonymised or – if required for the statistical purpose – pseudonymised form. In the case of anonymous data, there is no possibility of linking the information to you as an individual. In the case of pseudonymous data, we receive the relevant information together with your contract or claim number, but not your name or any other information suitable for directly identifying you. As a rule, it is only possible for the insurance company that provides us with the data to associate these pseudonyms (e.g. the claim number) with you as an individual.

    The legal basis for the processing of your personal data in the context of the conclusion or fulfilment of your insurance contract with your insurer is Art. 6(1b) of the GDPR. If the reinsurance has been arranged in order to ensure the fulfilment of your insurer’s obligations arising from its insurance relationships, the processing is based on the protection of legitimate interests pursuant to Art. 6(1f) of the GDPR.

    Insofar as special categories of personal data (e.g. your health data when concluding a life insurance contract and verification of an obligation to pay benefits by us) are required, your insurer will generally obtain your consent in accordance with Art. 9(2a) in conjunction with Art. 7 of the GDPR, also for the benefit of the reinsurer, unless transfer of the data to, and processing by, reinsurers is permissible without such consent due to applicable regulations (in particular at the registered office of your insurer). If we create statistics with these data categories, this will be done on the basis of Art. 9(2j) of the GDPR (e.g. in Germany in conjunction with Section 27 of the Federal Data Protection Act (BDSG)) or Art. 5(1b) in conjunction with Art. 6(4) of the GDPR. If we also collect and process special categories of personal data which you have obviously made public yourself (e.g. in a press interview or on your publicly viewable user profile on a social network) for the purposes set out above, this processing is based on Art. 9(2e) of the GDPR. If we collect and process other categories of personal data from public sources (e.g. the internet, third-party databases and newspapers) as part of the verification of our obligation to provide benefits to your insurer, this processing is carried out on the basis of Art. 9(2f) of the GDPR. 

    We also process your data to protect our legitimate interests, or the interests of third parties (Art. 6(1f) of the GDPR). This can be necessary, for example: 

    • for the aforementioned purposes and for accumulation control within the Munich Re Group, especially in the case of particularly high life insurance sums. This may also require us to collect and process data about you and other risk-relevant groups of people (e.g. the names of other team members in the case of insured professional athletes) from publicly accessible sources (e.g. the internet, third-party databases or newspapers) in order to be able to adequately assess our potential overall exposure in the event of individual loss events;
    • to meet requirements imposed by authorities (potentially also law enforcement agencies); and/or
    • to ensure IT security and IT operations.

    In addition, we process your personal data to comply with legal obligations such as supervisory requirements, document-retention obligations under commercial or tax law, or to compare your data with sanctions lists in order to comply with legal provisions on combating terrorism  (e.g. EU Regulation 2580/2001) . In such cases, the relevant legal regulations in conjunction with Art. 6(1c) of the GDPR form the legal basis for the processing.

    If we wish to process your personal data for any other purposes than those mentioned above, we will inform you in advance in accordance with the statutory requirements. 

    No automated decision-making is used.

    4. Where does your data come from?

    As a rule, your data will be passed on to us by your insurer. This is because, in certain circumstances, primary insurance companies pass on part of their risks to reinsurers to be in a position to fulfil their obligations from insurance relationships at all times. 

    In rare cases, we also receive data from other reinsurance companies if they do not wish to bear the risk alone. We only use publicly accessible sources in exceptional cases, especially in the event of major losses, as part of the verification of our obligation to provide benefits or in the context of accumulation control as described above.

    5. Who receives your data?

    5.1 External service providers

    In certain cases, we use external service providers to meet our contractual and legal duties. The categories of service providers can be found here: List of service provider categories (in German only)

    5.2 Companies in the Munich Re Group

    These companies receive data in individual cases insofar as this is necessary, for example for claims handling or accumulation control in the (re)insurance group, especially in cases involving particularly high life insurance sums.

    5.3 Additional recipients

    Some primary insurance companies and other reinsurers use intermediaries or service providers to initiate or manage reinsurance relationships with us. In these cases, your data that we process for the above purposes will be transferred between us and your primary insurer or between us and another reinsurer via such intermediaries or service providers.

    In addition, we may transfer your personal data to other recipients in individual cases, such as to authorities for the fulfilment of statutory notification duties or to retrocessionaires, i.e. other reinsurers we use for risk diversification purposes. 

    6. Will your data be transferred to a third country?

    As a general principle, we process your personal data in Germany or in countries that are European Union (EU) or European Economic Area (EEA) member states. If we need to transfer personal data to service providers or subcontractors outside the EEA, we will do so only if the European Commission has confirmed that the country’s level of data protection is sufficient, or if data protection is otherwise sufficiently guaranteed (for example, through Binding Corporate Rules, or the European Commission’s Standard Contractual Clauses). You can write to the above-mentioned address to obtain detailed information and to learn more about the level of data protection at our service providers in non-EEA countries.

    7. How long will your data be stored for?

    As a general rule, we will delete your personal data as soon as it is no longer required for the above-mentioned purposes. Particularly where business-related data is concerned, however, personal data often has to be saved for the period in which claims can be made against us (statutory limitation period of three or up to thirty years). The same applies if we have a statutory obligation to retain the data, for example for tax law purposes. Corresponding documentation or retention duties result, among other things, from the relevant national legal provisions (e.g. the Commercial Code (HGB), the Fiscal Code (AO) and the Money Laundering Act (GwG) in Germany). The corresponding statutory retention periods can be up to ten years. 

    8. What measures do we take to protect your data?

    We take state-of-the-art technical and organisational security measures to protect data against accidental or intentional manipulation, loss, destruction, and access by unauthorised parties.

    9. What data protection rights can you assert as a data subject?

    You can request information about the personal data we have stored under your name, from the address above. In addition, under certain circumstances, you may request that your data be rectified or erased. Furthermore, you may have a right to restrict the processing of your data and a right to disclosure of the data you have made available in a structured, common and machine-readable format. If you have given your consent, you have the right to revoke it at any time with effect for the future; if you were not informed of any other way to do so when you gave your consent, you can send your revocation to the above address.

    If we process your data for the purposes of safeguarding legitimate interests, you may object to this processing on grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or if processing serves the assertion, exercise or defence of legal claims.

    Please contact us at the address above to exercise these rights. 

    10. Who can you contact if you wish to make a complaint?

    If you believe that we have breached applicable data protection law when processing your personal data, you can contact the aforementioned Data Protection Officer or the data protection authorities to make a complaint. The public authority responsible for Munich Re is:

    Bayerisches Landesamt für Datenschutzaufsicht (Data Protection Authority of Bavaria for the Private Sector)
    Promenade 18
    91522 Ansbach
    Germany

    11. Changes to this information on data protection

    We have to amend our data protection information from time to time to make ongoing improvements to our website and to reflect technological advances. When you visit our website, please read the current version of our information on data protection (current version: June 2025).