Data Protection

Question 1

General Data Protection Information for Customers of Envivas and other Interested Parties (new EU data-protection law)

Answer

Information about the protection of your personal data

In the information that follows, we inform you about how your personal data are processed by Envivas Krankenversicherung AG and about your rights under data-protection law.

Controller for the data processing

Envivas Krankenversicherung AG
Gereonswall 68, 50670 Cologne
Telephone: +49221 - 27 14 05 70
e-mail address: info@envivas.de

You can contact our Data Protection Officer by post at the above address by adding "Datenschutzbeauftragter" (Data Protection Officer) or by sending an e-mail to: datenschutz@envivas.de

Purpose and Legal Basis of Data Processing

We process your personal data in compliance with the EU General Data Protection Regulation (“GDPR”), the Federal Data Protection Act (Bundesdatenschutzgesetz, hereinafter “BDSG”), those provisions of the german Insurance Contract Act (Versicherungsvertragsgesetz (“VVG”)) that govern data protection and all other pertinent statutes. Moreover, our company has undertaken to comply with the code of conduct for the handling of personal data by the german insurance sector (“Verhaltensregeln für den Umgang mit personenbezogenen Daten durch die deutsche Versicherungswirtschaft”) (in german only) which explains the application of the aforementioned statutes to the insurance sector in more detail. You can retrieve this code of conduct (available in german only) under www.envivas.de/datenschutz.

If you request information e.g. about our company, or about products or services of our company, we need the information provided by you to process your request. If you require advice, we need your details for forwarding to one of our sales partners. If you make an application for insurance cover, we require the information provided by you to conclude the contract and to estimate the risk to be assumed by us. If the insurance contract comes into being, we process these data in order to perform the contractual relations; e.g. to decide whether to accept the application for insurance and, if so, subject to what conditions. We require details about the scope of medical treatment in order to check whether an insured claim has arisen and the extent to which there is a right to insurance payments.

It is not possible to process your application or to conclude and perform the insurance contract without processing your personal data.

Moreover, we require your personal data in order to prepare insurance-specific statistics, e.g. to develop new rates or to comply with supervisory-law requirements. We use the data to analyse the entire customer relationship, for example, to advise on any adaptations or additions to the contract, to decide on goodwill gestures or to provide detailed information.

The legal basis for the processing of personal data for pre-contractual and contractual purposes is Art. 6, 1. (b) GDPR. Where specific categories of personal data are required (e.g. your health data upon conclusion of a health-insurance contract), we obtain your consent under Art. 9, 2. (a) in conjunction with Art. 7 GDPR. If we prepare statistics using these data categories, this is done on the basis of Art. 9, 2. (j) GDPR in conjunction with section 27 BDSG.

We also process your data in order to protect legitimate interests of our own or of third parties (Art. 6, 1. (f) GDPR). This may be required, in particular:

to guarantee IT security and IT operations,
to advertise our own insurance products and other products of companies of the Generali Group and their cooperation partners and also for market surveys and opinion polls,
to prevent and investigate crimes; we use data analyses in particular to detect information that could indicate insurance fraud.

Moreover, we process your personal data to meet our statutory obligations such as supervisory-law requirements, filing and storage requirements for commercial-law and tax-law purposes or our duty to provide advice. The relevant statutory provisions apply in conjunction with Art. 6, 1. (c) GDPR as the legal basis for the processing.

If we should wish to process your personal data for any purpose not mentioned above, we will inform you previously in accordance with the statutory provisions.

Categories of recipients of the personal data

Brokers:

If there is a need to involve a broker in the processing your application, your broker processes the application data and contract data required to conclude and perform the contract. The same applies if you have a broker who looks after your insurance contracts.

Our company also transmits these data to the brokers responsible for you if they require this information for your support and to advise you on matters of insurance and on financial services.

Data processing within the group of undertakings:

Specialised companies or departments within our group of undertakings undertake certain data-processing duties centrally on behalf of the group undertakings. If there is an insurance contract between you and one or more undertakings of our group, your data may be processed centrally by an undertaking of the group e.g. for the central management of address data, for the customer telephone service, for the processing of contracts and payments, for receiving and making payments or for mutual processing for mailing purposes. The undertakings participating in centralised data processing can be found in our list of service-providers on the Internet www.envivas.de/datenschutz (available in german only).

External service-providers:

We use the services of external service-providers in some cases to perform our contractual and statutory duties.

You may consult a list of the contractors and service-providers whom we assign not merely for temporary business relations in the overview in the appendix to our application form and in the relevant applicable version on our website at www.envivas.de/datenschutz. We will be happy to send you a printout of the lists or of the code of conduct (in german only) by post on request.

Other recipients:

Moreover, we may transmit your personal data to other recipients such as public authorities to comply with statutory duties of information (e.g. social-insurance funds, tax and social-insurance authorities or criminal-prosecution authorities, courts).

Duration of data storage

We erase your personal data as soon as they are no longer required for the aforementioned data purposes. But, for this reason, it is possible that personal data are stored for the period during which claims can be brought against our company (statutory limitation period of three years or up to thirty years). Moreover, we also store your personal data to the extent to which we are obliged to do so by law. Duties of verification and storage of this nature arise, inter alia, under the german Commercial Code (Handelsgesetzbuch (hereinafter “HGB”)) The storage periods thereunder last up to ten years.

Rights of data subjects

You can request information about the data stored on your person from the above address. Moreover, you can require the rectification or erasure of your personal data under certain circumstances. You may also have a right to restrict the processing of your data and a right to receive the data you have provided in a structured, commonly used and machine-readable format.

Right to object

You have the right to object to the processing of your personal data for purposes of direct advertising.

If we process your data to protect legitimate interests, you can object to this processing if there are reasons arising from your particular situation which oppose the data-processing.

Right of complaint

You have the possibility of contacting the above Data Protection Officer or a data-protection supervisory authority with a complaint. The data-protection supervisory authority responsible for our company is:

Regional Officer for Data Protection and Freedom of Information for North Rhine-Westphalia (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen)
Kavalleriestrasse 2 - 4
D-40213 Düsseldorf

Data transmission to a third country

If we transmit personal data to service-providers outside the European Economic Area (EEA), transmission takes place only if EU Commission has confirmed that the third country has an adequate level of data protection or other adequate data-protection guarantees are available (e.g. binding corporate rules or EU standard contract clauses).

Question 2

Data security

Answer

Our security precautions conform to the current state of the art:

Transmission of sensitive data

If you call up pages on our website in which it is possible to enter data and you are asked to enter data about yourself and to send off the same, we use the encryption technology SSL (Secure Socket Layer) with a key length of at least 128 bits to transmit these data via the Internet. Until the present day, no possibilities for analytical decryption of such 128-bit encryption are known.

The use of SSL is visible, inter alia, in the address (which begins in that case with https) or by the padlock in the status line of your web browser.

e-mails

We do not send unencrypted messages containing personal data by e-mail. If you send us unencrypted e-mails yourself, please note that these are not protected during transmission on the Internet against unauthorised third parties gaining knowledge of, or falsifying them.

For this reason, it is recommended that you use a Contact form if you wish to send a message to Envivas.

Phishing

Fraudsters use phishing to falsify e-mails and websites in order to gain access to your confidential data like passwords or other sensitive data. Please note that we never send e-mails or SMS in which you are asked, in some cases for strange reasons (e.g. end of insurance cover), to enter strictly confidential personal data like, for example, your bank account data, your credit-card number or your password. You will find more detailed information on phishing e-mails and how to protect yourself (in German only) e.g. on the pages of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) Bundesamtes für Sicherheit in der Informationstechnik.

Use of cookies

A cookie is a data element which a website can send to your browser in order to store it on your system for use at a later date. We use cookies in order to enhance the convenience of using our website (e.g. avoiding multiple entries). The cookies created during a session are automatically deleted at the end of the visit to our website. During sales promotions, we use cookies which assign a broker number during the entry via specific URLs. These expire after 30 minutes and are thereafter no longer active. Moreover, additional cookies are used within the framework of video films, which expire after 24 hours. This cookie prevents the repetition of video sequences already watched. The cookie expires after 24 hours and is no longer active.

You have the possibility of setting your browser in such a way that either no cookies are received or you are notified of their receipt. You can further decide in our cookie policy whether or not to accept the cookies. As a result, your privacy remains protected. The information and services we offer are naturally also available to you without the use of cookies.

Further information about the technologies we use for marketing and statistical evaluation of our websites.

Use of JavaScript

JavaScript programs are simple programs downloaded from the server to be executed in the browser which enable us to make the use of our website easier. We use JavaScript e.g. to improve the visual presentation possibilities of our website, for navigation between individual pages and to make it easier for you to use our contact forms.

You can prevent the use of JavaScript in your browser settings. In this case, what we offer on our website is available to you only in a very limited form.

Other active contents (Java applets and ActiveX controls) are not used on our websites.

Access-protection measures

Our data-processing systems are protected against the outside world by firewalls. Registration procedures and authentication systems ensure that internal applications are accessible to authorised persons only.

Further information

You can find more detailed information on the subject of Internet security under the following links (in German only):

Bürger-Cert

BSI für Bürger

Question 3

Service-providers for web analysis with right of opt-out

Answer

The Envivas website uses cookies and similar technologies of the following providers to ensure the proper functioning of the webpages, as well as improve the surfing experience of users.

You can adjust your cookie settings again at any time in our cookie policy.

Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

As a customer of Google AdWords, we use the Google Dynamic Remarketing technology of Google Inc. This technology allows us to show target-oriented advertising during Google searches to those users who have already visited our websites and online services and have shown interest in what we offer. This technology uses cookies, small text files, which are stored in your browser software. These cookies enable us to analyse user behaviour on our website and, on this basis, to show targeted advertising and interest-based advertising.

If you object to participation in the aforementioned procedures, you can refuse the setting of cookies in the settings of your browser software. One possibility is to change your browser settings so that the setting of cookies is automatically disabled. Another possibility is to disable cookies of the “www.googleadservices.com” domain in your browser software. The installation of corresponding browser plugins can also prevent information being sent by the cookie.

You can refuse to receive interest-based advertising and the use of cookies for this purpose by visiting the following website:
https://www.google.com/ads/preferences/html/opt-out.html

Alternatively the use of cookies can be disabled by third party suppliers via a disabling page of the network advertising initiative:
https://www.networkadvertising.org/choices

By using this website, you consent to the processing of anonymised data collected about you by Google in the manner described above and for the aforementioned purpose. We draw attention to the fact that Google has its own privacy policies independently of ours. We assume no responsibility or liability for these procedures and guidelines. We ask that you find out more about Google’s privacy policy yourself at the following address: https://www.google.de/intl/de/policies/privacy

Microsoft Bing Ads (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA)

If you should arrive at our website via a Microsoft Bing advertisement, a cookie is stored in your browser software. These cookies are not used for personal identification. The information collected by the cookie serves only the purpose of preparing statistics on the use of the website. This enables us to evaluate and improve our marketing measures.

If you object to participation in the aforementioned procedures, you can refuse the setting of cookies in the settings of your browser software. One possibility is to change your browser settings so that the setting of cookies is automatically disabled. The installation of corresponding browser plugins can also prevent information being sent by the cookie. You can refuse the use of such cookies by Microsoft directly on the following website:
https://choice.microsoft.com/de/opt-out.

You can find further information on data protection and on the cookies used by Microsoft Bing on the Microsoft website:
https://privacy.microsoft.com/de-de/privacystatement/

The objection or disabling takes place via the link:
Confirming the link causes a so-called opt-out cookie to be set on your data carrier. Please note that if you delete all cookies on your terminal device, these opt-out cookies are also deleted; that means that if you continue to object to anonymised data collection, you must set the opt-out cookies again. The opt-out cookies are set per browser and terminal device. If you use different browsers to visit our website at home and at work, you must enable the opt-out cookies in the different browsers or on the different terminal devices.

metapeople Germany, Philosophenweg 21, D-47051 Duisburg

Our website, Envivas.de, uses the campaign tracking system metalyzer of metapeople GmbH (https://www.metapeople.com).Our website collects and processes data for marketing and optimisation purposes. These data can be used to issue pseudonymised user profiles. However, unless the data subject separately grants consent, there is no identification of the person and collected data are not merged into a personal profile. For each visitor to Envivas.de, the webserver of Metapeople stores the name of the Internet service-provider, the website used to visit our website and the websites visited together with the date and the length of the visit. We also use the service-providers assigned by us to this purpose. The data collected do not include your name or address or e-mail address and, therefore, allow no personal identification.

Data collection and storage may be objected to at all times with effect for the future.

You can refuse the use of cookies for this purpose by visiting the following website: https://www.metapeople.com/opting-out-of-cookies/

Webtrekk GmbH, Boxhagener Str. 76-78, 10245 Berlin

So that we can constantly optimise what we offer and eliminate faults more quickly, we use web-analysis technologies of the company Webtrekk GmbH, Boxhagener Str. 76-78, 10245 Berlin. Webtrekk GmbH was certified for data protection by the TÜV Saarland technical inspectorate. In particular, the collection and processing of tracking data for conformity with data protection and data security was examined and certified.

During the use of this website, information transmitted by your browser is collected in pseudonymised form and evaluated exclusively in aggregated form.

This takes place using a cookie technology and so-called pixels which are incorporated into every website. Data are collected such as browser type and version, operating system, screen resolution, IP address (collected exclusively after deleting the end digits and pseudonymised

for the purpose of session identification and, if appropriate, geolocalisation merely as far as city level and deletion directly after use), the website that you use to visit our website, and the pages of our website that you visit. There is no further issue of user profiles or evaluation of the same.

Under the german Telemedia Act (Telemediengesetz, “hereinafter TMG”), you have the right, as visitor to the contact page, to object to your visitor data being stored (collected in pseudonymised form) for the future, so that you are no longer recorded in future. You can object to data collection and storage by Webtrekk at all times with effect for the future. To do so, please use the relevant opt-out function of our service-provider Webtrekk. To do so, please click on the following link: I would like to be excluded from tracking by Webtrekk

Your successful opt-out from tracking will be confirmed. The opt-out is maintained by a cookie called “webtrekkOptOut”. If you accept this cookie and do not delete it, you need not opt-out from tracking again.

AB Tasty of AB TASTY SAS, 38 rue du sentier, 75002, Paris, France

This website uses the services of AB Tasty of AB TASTY SAS, 38 rue du sentier, 75002, Paris, France. This service is used for AB testing and for continuous improvement of the website. The cookies used make it possible to change the websites on a case-by-case basis and to analyse changes in order to structure them better for customers. Customers can object to data processing by AB Tasty on the websites by clicking on the following link: https://www.abtasty.com/#abtastyoptout=1

The cookie thereby enabled ensures that AB Tasty is no longer executed. The objection is stored in a special cookie and remains valid as long as the cookie is not deleted. We draw your attention to the fact that the website can, in this case, no longer be used to the full extent.

Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA

We use the remarketing or "Website Custom Audience” technology of Facebook Inc. The use of this technology enables us to show interest-related advertising to visitors to our website when they visit Facebook again at a later date. For the use of this technology, Facebook pixels, i.e. small HTML elements, are integrated on our pages which Facebook can use to allocate visitors to our website to a specific target group on the basis of an anonymous identification number (“Custom Audience List”). As a result, we receive information which we use to issue and analyse lists of target groups for Facebook advertising (“Facebook Ads”), e.g. on the basis of the previously visited areas on our website.

The information generated by Facebook pixels is normally transmitted to a Facebook server in the USA where it is stored and processed. On our website, Facebook pixels are called up inside an iFrame, an HTML element which is used to structure websites. This ensures that Facebook does not extend existing user profiles with data on the use of our website or with personal data records.

If you wish to object to the use of the "Website Custom Audience”, you can do so under https://www.facebook.com/ads/website_custom_audiences. You will find further information about the purpose and scope of data collection and the further processing and use of the data by Facebook and the settings available to you to protect your privacy in the data-protection guidelines of Facebook which can be found, inter alia, on https://www.facebook.com/ads/website_custom_audiences and
https://www.facebook.com/privacy/explanation