  1. Privacy Policy

    Version 06/2018

    HAHNENBERGER Risk & Service Management GmbH
    Baumweg 8 (HH)
    60316 Frankfurt am Main
    Telephone: 069 / 405 624 610
    E-Mail: mail(at)hrsm.de

    You can request information regarding the protection of your personal data from our management (contact details above).

    You have the right of appeal to the supervisory authority in the state in which a company is based. The supervisory authority for our company is:

    Der Hessische Datenschutzbeauftragte
    Gustav-Stresemann-Ring 1, 65189 Wiesbaden
    Tel. 0611 1408-0
    Fax 0611 1408-900

    In order to arrange the desired insurance cover, personal data is exchanged not only between insurance company and broker but, if legally necessary, with public bodies and institutions too. A summary of business partners and insurance companies is available upon request.

    1. Validity

      This guideline regulates data-protection-compliant information processing and the respective responsibilities at the above-referenced company and its subsidiary/subsidiaries on the basis of the legal regulations of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSGneu). All employees are required to comply with this policy.

      It is aimed in particular at:

      Employees, customers and interested parties, insurers and service providers.

      The following principles apply:

      • Safeguard personal rights
      • Specific use of personal data only
      • Transparency
      • Avoid unnecessary use of personal data
      • Data accuracy
      • Confidentiality
      • Security
      • Deletion and restriction of data processing when requested

    2. Definitions of Terms (Article 4 GDPR)

      Personal data is individual information about personal or factual circumstances of a natural person (affected person). Examples are name, date of birth, address, contract information, contents of an email. Specific personal data includes information on race, ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, health, sexual habits, financial circumstances.

      Responsible entity is any person or entity that collects, processes or uses personally identifiable information for themselves or has others do so on their behalf.

    3. Collection, Processing and Storage of Personal Data (Art. 5 & 6 GDPR)

      The collection, processing and storage of personal data in our company is based on the brokerage contract we use and the other applicable documents which are signed separately (such as broker agreement and data processing consent).
      We will not act on your behalf without a signed brokerage and data protection agreement (for minors, consent must be provided by the parent or guardian).
      Our activities are saved in our insurance brokerage computer programme which also provides specific instructions for the execution of requests. Profiling does not take place in our company. The data is processed exclusively for the agreed purpose.

      In accordance with legal requirements, specifically legal retention periods, customer data is deleted after termination of a brokerage agreement. Deadlines may be extended accordingly if needed in the defence of a possible legal claim. Here “deletion” of data becomes “restriction of processing”.

    4. Confidentiality

      On commencement of employment all employees are required to observe confidentiality and to comply with all work instructions as well as these guidelines. This commitment is renewed annually.

    5. Processing overviews (Art. 30 GDPR)

      We use internal process overviews (directory of processing activities) to create transparency within the company and to check whether our procedures pose particular risks to the rights and freedoms of those affected. We are therefore subject to a prior checking/data protection impact assessment. We are obliged to keep these overviews for inspection by the authorities.

    6. Procurement of hardware and software

      All hardware required for our workflows (computers, screens, keyboard, mouse and secondary devices such as scanners or printers) is managed according to internal guidelines. The computers are already configured for the employees and equipped with corresponding programs that are used for standard business. Additional software may only be installed in agreement with the management.

    7. Password Policies

      In order to secure access to our systems, an individual authentication is necessary. All employees must uphold these internal regulations.

    8. Technical and Organizational Measures

      All possible technological and organizational measures are taken to prevent unauthorized parties accessing the personal data we store. To meet the requirements and guidelines of data processing security we also maintain separate records.

      A transfer to third countries is currently not planned.

    9. Rights of Persons Affected (Articles 12 to 23 GDPR)

      1. An individual may request information regarding the personal data stored about them and the purpose for which it is kept. If, in the employment relationship, the applicable employment law provides further rights to inspect the employer's documents (e.g. personal file), these remain unaffected.
      2. If personal data is transmitted to third parties, information must also be provided on the identity of the recipient or on the categories of recipients.
      3. If personal data is incorrect or incomplete, the person concerned may request a correction or addition.
      4. An individual may object to the processing of their personal data for the purpose of advertising, marketing and opinion polls, consumer research. For this purpose, data must be restricted (blocked) for processing.
      5. An individual is entitled to request the deletion of their data if a legal basis for the processing of the data is not present or is obsolete. The same applies if the reason for the data processing has expired. Existing storage requirements and protection against detrimental interests must be observed.
      6. An individual has a fundamental right to object to the processing of their data with regard to the future. This must be respected if their interest in the protection of their data is due to a personal situation which outweighs the interest of processing their data. This does not apply if there is a legal obligation to continue data processing.
      7. An individual has a right to data portability. This means the right to receive personal information in a structured, common and machine-readable format. The freedom and rights of other persons may not be affected.
      8. An individual has the right of appeal to the supervisory authority in whose state the company has its headquarters. Contact details can be found at the beginning of this document.

    10. Procedure for "Data Breaches" (Article 33 GDPR)

      Each employee must immediately notify their respective supervisor, management or data protection officer of any violations of this Privacy Policy or any other privacy policy (privacy incidents). The responsible manager is obliged to inform the data protection officer immediately of any data protection incidents.

      In cases of unlawful transfer of personal data to third parties, unlawful access by third parties to personal data, or loss of personal data, the company's respective emergency measures must be carried out immediately so that state law reporting obligations of data protection incidents can be upheld.

  2. Statement on the Protection of your Data when Visiting our Homepage

    1. Forms

      You can use the contact form on our website to contact us. If you enter your personal data, such as name, date of birth, address, bank details or other data to request an offer or report a claim, this will be stored by us and processed exclusively for these purposes.
      Data on minors will be collected only from parents/guardians and only if personal data processing and use is required to fulfill a contractual relationship.

    2. Integration and Use of Third-Party Content

      Content on our website from third parties, in particular software from insurance companies to calculate offers or compare tariffs, may be integrated into the design of our website. The privacy statements of the appropriate third party apply to such content and are linked accordingly or are visible on their website.

    3. Server Log Files

      The provider of the pages automatically collects and stores information in so-called server log files which your browser automatically transmits to us. These are:

      • Browser type and browser version
      • Operating system used
      • Referrer URL
      • Host name of the accessing computer
      • Time of the server request
      • IP address

      This data will not be merged with other data sources.
      The basis for data processing is detailed in Article 6, paragraph 1 of the General Data Protection Regulation, which allows the processing of data for the performance of a contract or pre-contractual measures.

    4. Google Web Fonts

      This site uses so-called web fonts provided by Google for the uniform representation of fonts. When you call up a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly.
      To do this, the browser you use must connect to Google's servers. As a result, Google learns that our website has been accessed via your IP address. The use of Google Web Fonts is in the interest of a consistent and attractive presentation of our online services. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
      If your browser does not support web fonts, a default font will be used by your computer.
      More information about Google Web Fonts can be found at https://developers.google.com/fonts/faq and in Google's Privacy Policy: https://www.google.com/policies/privacy/ .

    5. Google Maps

      This site uses the mapping service Google Maps via an API. Provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
      To use the features of Google Maps, it is necessary to save your IP address. This information is usually transmitted to and stored on a Google server in the United States. The provider of this site has no influence on this data transfer.
      The use of Google Maps is in the interest of an attractive presentation of our online offers and of making the places we have indicated on the website easy to find. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
      For more information on how to handle user data, please refer to Google's Privacy Policy: https://www.google.de/intl/de/policies/privacy/ .

  3. Consent to Data Processing and Contact

    In order to work for you, we must collect, store and pass on data to third parties. We do this for example when we record your risk situation and pass on this data to various insurers in order to receive suitable offers for you. For this we also use so-called broker service providers.
    It is sometimes necessary for us to request your data from third parties. These are primarily insurers, but it may be necessary to request data from doctors, tax consultants, lawyers or credit bureaus for example.
    Health data is collected exclusively and only as is necessary for life, medical and accident insurance (personal insurance) and in the settlement of claims.
    You may grant these consents individually and withdraw them at any time, which could mean that we may then no longer be able to work for you.

    For more detailed information, please refer to our Privacy Policy & Business Partner List.

    Consent to Collect and Request Data
    You agree that we may collect data - including health data * - from you and third parties. If we need to request data from doctors, we will inform you in advance.

    Consent to the Storage of Data
    You agree that we may store and process the collected data as necessary and have it stored and processed by authorised third parties.

    Consent to the Disclosure of Data
    You agree that we may pass on data - including health data * - to third parties within the scope of our brokerage activities. Third parties include insurers, brokerage service providers, workshops, appraisers or other service providers. An overview of potential recipients can be found in the Business Partner Overview. We can, upon request, inform you to whom we have transmitted your data.

    Consent to Contact
    Customer information is an integral part of our work. You have used our electronic contact form and expect feedback with regard to your request. We will use the contact information you have transmitted and therefore need your consent to carry out our activities.

  4. Changes to the privacy policy

    We reserve the right to change our privacy policy as necessary to comply with current legal and technical requirements. These changes are valid the next time you visit our website. Amendments are acknowledged by a version update.