ERV is aware that the protection of your privacy is an important concern for you when visiting our web pages. We take our remit, guaranteeing the confidentiality of your data within the framework of applicable regulations of data privacy law, very seriously in the interests of both parties. We use the latest techniques for holding dialogues with you and safeguarding your data.
The following data privacy information applies for the web presence of ERV as well as its apps for mobile devices. This information also applies for our presences in social networks and in voice-supported services.
This website contains external links to third party websites. These websites are subject to the liability of the respective site operators. If you notice that links on our website reference web pages the contents of which breach applicable law, please notify us by sending an email to email@example.com. We will then immediately take down these links on our web pages. ERV assumes no liability whatsoever for how up-to-date the information provided is, nor for its correctness, completeness and quality.
2. Use of your data
We hereby inform you about the processing of your personal data when using our web pages and the apps, and the rights you have under data protection legislation.
2.1. Who is responsible for data processing and who is the Data Protection Officer?
Responsible for data processing:
ERV (Europäische Reiseversicherung AG)
Rosenheimer Straße 116
You can contact our Data Protection Officer at the above address (FAO: Data Protection Officer) or use email address firstname.lastname@example.org.
2.2. Which data categories do we use and where do they come from?
You can always use our web pages anonymously. We do not store any personal data of website users or data that can be associated with individuals (such as IP addresses). For the anonymous analysis of user behaviour when our web pages are visited, information (date, time, pages visited, navigation and software used) is collected by us (so as to be anonymous) using an external service provider. Anonymisation is performed before the information is stored at the service provider.
Please refer to Section 6 for more information on our web presence.
2.3. For what purposes is data processed?
When, in certain circumstances, you communicate to us your personal details, we keep them confidential in accordance with the data privacy regulations applicable at the company head office. When you send us an email, use one of our voice assistants or complete an online form on our website and send it in, we only process the personal details specified therein (such as your name or email address) for our correspondence with you for sending over the documents or information requested, or for any other purposes stated on the individual form.
If our intention is to process your personal details for a purpose that is not stated, we will inform you of this beforehand.
2.4. On what legal basis is your personal data processed?
We process your personal data in line with the provisions laid down in the European General Data Protection Regulation (GDPR), the revised Federal Data Protection Act (BDSG) and all other authoritative laws on the processing of personal data.
The specific legal basis for data processing is dependent upon the circumstances in which and for what purpose we receive your data. Every time it is applied, we will therefore draw your attention to it separately if so required.
Normally the legal basis will be “legitimate interests of the party responsible for transacting communication” or as part of application processes for taking pre-contractual steps on request of the person in question, in particular as part of applications with a finite number of users (such as applicant or shareholder portal), and also where applicable consent of the user or person in question.
2.5. Who are the recipients of your data?
At the place responsible, only those individuals and departments responsible for the respective transaction receive the data in question; a clear-cut allocation of duties and an authorisation scheme are in place for this. Data can also be sent to service providers for the aforementioned purposes. The involvement of service providers is necessary as part of the administration and maintenance of IT systems, for example. The list of all service providers processing data on our behalf can be seen in Section 5 (it can also be downloaded or sent on request).
Furthermore, personal data can be sent to additional recipients (such as regulatory authorities) provided this is necessary to fulfil contractual or statutory obligations.
Such data can also be forwarded to affiliated companies, for example as part of corporate communication or governance.
2.6. Is your personal data sent to a third country?
In the event personal data is sent to service providers or group companies outside the European Economic Area (EEA), it is only sent once an appropriate level of data protection has been ratified for the third country by the EU Commission, or other appropriate data privacy guarantees are in place (such as the agreeing of standard EU contract clauses and Privacy Shield). You can request this information from the contact details given at the start of this document.
2.7. What steps do we take to protect your data?
We take in each case appropriate, state-of-the-art technical and organisational safety measures to protect data from manipulation (deliberate or not), loss, permanent erasure and unauthorised access. To protect your information, we deploy SSL (Secure Socket Layer) encryption for our dialogue forms on our web pages. When sent, your data is protected by this SSL connection from landing in the hands of unauthorised third parties. Please always use these dialogue forms for your own security. When you send us information unencrypted in normal, non-secure emails, it is possible for your data when sent to end up in the hands of or be changed by unauthorised individuals.
2.8. Which data privacy rights can you assert as a person affected?
Contact the above address to request information on the data stored about yourself. Also, you can under certain circumstances request your data to be corrected or erased. Furthermore, you can be entitled to the right for processing of your data to be restricted and the right for data provided by you to be disclosed in a structured, established and machine-readable format.
2.9. Right of objection
If we process your data for the protection of legitimate interests, you can object to this processing for reasons arising from your particular situation. We will then no longer process your personal data unless we can demonstrate compelling reasons for processing that are worthy of protection and outweigh your interests, rights and freedoms, or processing serves the purposes of enforcing, exercising or defending legal claims.
If we process your data on the basis of consent issued by yourself, you are able to retract this consent at any time so as to be effective in the future.
2.10. Where can you object?
You are able to contact the aforementioned Data Protection Officer or a Data Protection Supervisory Authority about an objection. The Data Protection Supervisory Authority responsible for us:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
91522 Ansbach, Germany
2.11. How long is your data stored?
We erase your personal data as soon as it is no longer required for the aforementioned purposes. This is a regular process on account of the statutory obligations for producing supporting documents and compulsory safe custody, regulated by the commercial code, fiscal laws and the general tax code for example. Maximum storage periods are then generally up to 10 years. It might also be the case that personal data is stored for the period during which claims can be asserted against us (statutory limitation period of three or up to 30 years). Supplementary information, if relevant, can be found with the individual data processing tasks.
2.12. Are you obligated to provide your data?
You are not obligated to provide personal data when using the website. However, there are services for which we need personal data from you, for example to send you information such as newsletters you require, or to include you in an application process. The services required cannot be rendered without these details. In each case, we only collect the information actually required.
2.13. To what extent do automated case-by-case decision-making and profiling actions take place?
If we only use automated processing methods to bring about a decision in an individual case, including profiling, we will inform you about it every time they are applied.
2.14. Use of your data
Under the terms of the GDPR, statutory information obligations are in place in the future as soon as, and to the extent which, personal data is collected from you for processing. So in the future, in insurance applications in particular, corresponding information on the specific use of your personal data will be included.
Below you can access individual, selected versions of the information on data use:
Information on data privacy (ERV data privacy clause)
The respective version for each insurance application and contract is disclosed with the insurance application.
2.15. Changes to this statement
The continued development of our web pages and advances in technology result from time to time in modifications to our Data Privacy Statement. When visiting our website, always ensure you refer to the latest version of our Data Privacy Statement.
3. German insurance industry Code of Conduct for handling personal data
18 June 2013 saw ERV become a signatory to the German insurance industry Code of Conduct for handling personal data. The Code of Conduct for data privacy regulates the collection, processing and use of your personal data.
It was agreed jointly between the German Insurance Association (GDV) and the data privacy regulatory authorities. The Berlin representative for data privacy has checked the Code of Conduct for data privacy and ascertained that the regulations contained therein are consistent with applicable data privacy law.
Companies that have signed up to the Code of Conduct commit to observing the requirements agreed therein and duly implementing as applicable any regulations still outstanding. The Code of Conduct specifies for the first time an industry-wide data privacy standard. Previously applicable regulations in the Federal Data Protection Act are being formalised and data protection issues are being included to the extent stipulated legally.
The Code of Conduct means additional consents are no longer necessary in many cases. For particularly sensitive information, such as health details, we continue however to require consent for the collection and use of health details and the release from confidentiality declaration. The German insurance industry Code of Conduct for handling personal data is here.
We will be glad to also make the text available in paper form. You can request it by phone by calling freephone number 0800 3746-000 or by sending an email to email@example.com.
4. Consent and release from confidentiality clauses
Since 1 January 2013, ERV has been using new consent and release from confidentiality declarations in its applications. The declarations used have been agreed jointly between the German Insurance Association (GDV) and the data privacy regulatory authorities. They provide you even more transparency in the handling of your personal data.
5. List of service providers
We keep a list of all service providers who can be active for ERV as part of a contract. The obligation to maintain this list is given from the new consent and release from confidentiality declarations, and the new Code of Conduct for data privacy, agreed jointly between the German Insurance Association (GDV) and the data privacy regulatory authorities.
The purpose of this list is to establish transparency regarding the processing of your data.
In the list are the service providers that collect, process or use as agreed health details and/or other personal data on behalf of ERV insurance companies.
The service providers are named specifically when their primary remits are collecting, processing and using personal data. You can object to the sending of your data to the service providers in the list on a case-by-case basis specifying reasons. We will then check whether, in light of your specific personal situation, your interest worthy of protection outweighs exclusion of data being sent.
Please note that all ERV service providers are in the list. This does not mean however that your data is always passed to all service providers.
The list of ERV service providers is here.
6. Web presence
“Session cookies” are stored on your computer during an online session. They are small files used for flow control and for sending details entered from subsequent pages. When a dialogue is ended, these cookies are deleted and there is no analysis of user behaviour. Statistical analyses for checking the success of our web presence are performed anonymously - no association to you as an individual is established. If, in addition to the mandatory details required for an individual quotation, we request optional information (to improve our website, for advertising purposes or to simply get to know and advise you better), the entry fields for this information are denoted accordingly.
Also, cookies are deployed in conjunction with usage in the personal customer area. Cookies do not contain any personal data. To be able to request access details for, and to log into, ERV online, the cookies of the www.erv.de website must be enabled. The settings for cookies are different from browser to browser.
6.2. Use of advertising analysis tools (Adobe Analytics)
To make visits to the web pages and use of the apps more user friendly, we use the Adobe Analytics software from Adobe Systems for marketing and optimisation purposes. Information on usage behaviour is stored, including origin and page accesses. Also, information such as gender, year of birth and postcode are collected in anonymised form without there being any inferences to you as an individual. It is not possible to combine the details with your personal data (name, address or insurance number). Furthermore, your IP address is not processed by Adobe Systems, only stored in truncated form. Information collected by Adobe Systems is stored within the European Union.
By using this website, you agree to the collection and storage of data collated about you by Adobe Systems in the way described above and for the purpose stated above.
If you do not agree to the collection and storage of this data by Adobe Systems, please revoke it here.
More information on data privacy at Adobe Systems and the Data Privacy Statement are available from http://www.adobe.com/de/privacy.html.
6.3 Sending of information and encryption
When you send ERV a message using the contact form, the SSL (Secure Socket Layer) encryption technique (with a minimum key length of 128 bits) is used to send this information. Purchasing from us is secure using credit cards. We comply with PCI DSS – the security standard of Visa, MasterCard and American Express. Independent checks regularly confirm to us we are adhering to these requirements. This is how we ensure that nobody without authorisation can gain access to your card details.
7. Social networks
Our web presence uses the social plugins (plugins) of several social networks, including Facebook, Twitter and Google+. The plugins are identified by a logo or words “Social plugin”.
When you access a page on our website that contains such a plugin, it can establish direct connections to the social network and send data as required. Communication takes place between the plugin, your browser and the social network. By integrating the plugins, the social networks receive the information that you have accessed the relevant page on our website. If you are already logged in to a social network, it can assign the visit to your account.
When you interact with the plugins, such as by pressing the “Like” button or posting a comment, the corresponding information is sent directly to the social network, where it is saved in line with the guidelines for that social network.
Please refer to the data privacy information for the relevant social network for the purpose and scope of data collection, other additional processing and use of data by the social network, your rights in this regard and the setting options for protecting your privacy.
- Data Privacy Guideline of Facebook
- Data Privacy Guideline of Twitter
- Data Privacy Guideline of Google+
- Data Privacy Guideline of LinkedIn
- Data Privacy Guideline of Instagram
- Data Privacy Guideline of YouTube
If you do not want social networks to record information about your visit to our web pages, you must log out of the social networks before visiting our web pages or using the app.
ERV uses the email address specified by you to send reply emails with the information requested. We only send personal and confidential information in encrypted format, and if this is not possible, by post. If the content of your message pertains to a contractual relationship, ERV keeps the email. The email address is only stored for the purposes of correspondence with you and is not forwarded to third parties. You receive no unsolicited emails from us. If however you do receive an unsolicited email claiming to be from us, it is bogus and should be deleted.
Before sending ERV an unencrypted email, please remember that its contents are not protected in the Internet against falling into unauthorised hands, falsification, etc. For this reason, the recommendation is to use our contact form to send messages to ERV.
9. Voice assistants
If you use a voice assistant via a terminal incorporating a microphone (e.g. Amazon Echo, Google Home), the audio recording made is also processed with the aid of the apps installed there (e.g. Amazon Alexa, Google Assistant). In particular, your complete audio recording and your use of the voice assistant are processed at this time both on your terminal and on these providers' servers. Their Terms and Conditions of Use and Data Privacy Conditions apply:
If you use these voice assistants to contact us, to obtain general information, information relating to a specific contract, or offers ("voice services"), the provider of the voice assistant in question passes information to us. This is necessary if we are to be able to respond to your enquiry. However, we only receive the content of your enquiry, not the voice recording itself. This is retained in your user account of the relevant voice assistant where you can manage it (in particular, delete it).
We only receive your location or email address in this communication if this is necessary to respond to your enquiry and you have granted us access to this information when speaking to the voice assistant.
If you want to use an existing user account (e.g. Amazon login) to take advantage of one of our voice services we only receive information from this account if you have previously given your express consent. The legal basis is then your consent as set out in Article 6, Paragraph 1, Letter a) of the GDPR. If you also agree to the use of the payment functions of one of your existing user accounts (e.g. Amazon Pay) in our voice service, then we only receive your contact and address data for the payment from the payment service provider but not your bank details. Other than that, all we receive is what is called a "token" which is needed for technical reasons so that you can approach us with the existing user account and can pay without providing us with registration data. The legal basis for this data processing is therefore both your contract with us, Article 6, Paragraph 1, Letter b) of the GDPR and also the legal obligation of defining the beneficiary in invoices as required by Article 6 Paragraph 1, Letter c) of the GDPR in conjunction with § 14, Paragraph 4 of the German Value Added Tax Act (Umsatzsteuergesetz).
Finally, we also receive a number (called an ID) so that we can pass the answer to your enquiry to your voice assistant. This ID is linked to our service in the voice assistant but not to you as a person. In this way the information you requested (e.g. offers, general information or information about a contract) can be sent again via the server and systems of the providers of your voice assistant, and your terminal. We can only allocate this ID to your person if the content of your voice recording includes unambiguous information about yourself (e.g. your name or contract number).
The legal basis for this data processing is the pre-contractual information about you or the contract with you, Article 6 Paragraph 1, Letter b) of the GDPR.
We also process data with the aid of the Adobe Analytics service. The legal basis for this is our legitimate interest in accordance with Article 6 Paragraph 1, Letter f) of the GDPR. Remarks concerning Adobe Analytics (see above, section 6.2.) apply accordingly.
If you delete the ID which is allocated to our service we can no longer attribute your enquiry and its answer to a terminal and a person. However, this does not apply if you yourself have passed personal information to us via the voice assistant. In general and in principle we process the above personal information only for as long as is necessary for us to deal with your enquiry. If your enquiry relates to a contract or a contract proposal our storage periods set out above in Section 2.11 apply.
10. Information security
ERV is continually aligning itself to the most state-of-the-art technology to guarantee the security of its information and communication systems. ERV deploys national and international standards for its implementation.
11. Questions about data privacy
The in-house Data Protection Officer and his/her employees ensure the principles of data privacy are observed. Please write to us if you have further questions about data privacy at ERV.
Europäische Reiseversicherung AG
Data Protection Officer
Rosenheimer Str. 116