1. What is the scope of this Privacy Statement? This Privacy Statement describes how DKV Belgium NV/SA (“DKV”) collects, uses, consults or otherwise processes the personal data of its prospective, current and former policyholders and insured persons as well as of proxies and legal representatives of the latter (collectively referred to as “you”, “your” or “yours”). In all the situations described in this Privacy Statement, DKV will process your personal data as data controller. DKV is a company incorporated under the laws of Belgium, whose registered office is located at Loksumstraat 25 Rue de Loxum, 1000 Brussels, Belgium, registered at the Belgian Crossroads Bank for Enterprises with company number 0414.858.607, tel.: +32(0)22876411. DKV attaches significant importance to your privacy and will process your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and any secondary national legislation adopted pursuant to the GDPR (collectively referred to as “EU Privacy Law”). Specific terms used in this Privacy Statement shall have the meaning as set out in EU Privacy Law.
2. What are the types of personal data DKV processes about you? DKV processes the following types of personal data about you: – identification data; – health-related data (see also Article 7); – judicial data; – data relating to criminal convictions and offences (see also Article 8); – data on education; – financial data; – data on consumption habits; – data on lifestyles; – data on housing; – occupational data; – data on family composition; – data on personal characteristics; – data on leisure activities and interests; – survey data; – surfing and social media behavior; and – sound and image recordings.
3. From which sources does DKV obtain your personal data? DKV obtains your personal data from the following sources: – application, claim and other forms; – telephone calls, emails and other communications from service providers, insurance intermediaries, claims investigators or witnesses; – medical professionals; – authorities; – credit reference agencies; and – other third parties.
4. What are the purposes and legal grounds for the processing of your personal data? Your personal data are processed for the following purposes and on the basis of the following legal grounds:
4.1. Insurance related purposes DKV processes your personal data for the following insurance related purposes: – issue and execution of the insurance contract, including risk assessment and assessment of eligibility; – fulfilment of pre-contractual and contractual obligations and obligations deriving from the insurance relationship with you, including management of the contractual relationship; provision of customer service; issue, collection and verification of invoices and premiums; prevention, detection and investigation of crime, including insurance fraud; management and settlement of claims and disbursements; recovery from third parties responsible for a claim; possible litigation, and communication with DKV staff relating to the conclusion and/or performance of the insurance contract; and – handling of specific requests you may have, including the provision of the benefits related or ancillary to the insurance contract. The processing for insurance related purposes is based upon the following legal grounds: (i) performance of the insurance contract under which you are a policyholder or insured person or in order to take pre-contractual steps at your request; (ii) the legitimate interests of DKV; and, (iii) in respect of health-related data, your explicit consent (see also Article 7).
4.2. Administrative and compliance purposes DKV processes your personal data for the following administrative purposes: – to carry out administrative accounting activities and those concerning the performance of the insurance activity; – to manage DKV's business and operations; – to manage DKV's IT infrastructure (including carrying out computer tests); – to monitor the quality of the service (in particular by means of telephone communication records with the DKV Contact Centre); – to train staff; – to monitor and report; – to prevent, detect and investigate crime, abuse and fraud; – for CCTV (video-surveillance), recordings of which are retained in accordance with applicable law; – to establish statistics of coded data, including big data; – to re-distribute risk through co-insurance and/or reinsurance; and – to ensure compliance with legal and regulatory obligations (e.g. tax, accounting and administrative obligations) required under applicable laws, regulations or orders issued by the competent national authorities and other public bodies. The processing for administrative purposes is based upon the following legal grounds: (i) performance of the insurance contract under which you are a policyholder or insured person or in order to take pre-contractual steps at your request; (ii) the legitimate interests of DKV and (iii) compliance with legal obligations to which DKV is subject.
4.3. Marketing purposes DKV processes your personal data for the purpose of carrying out marketing activities by DKV itself, by other companies of the Munich Re Group, by insurance intermediaries, by selected third parties, through the sending of advertising material, direct sale, carrying out of market research, commercial communications concerning services and products of DKV as well as products and services of the Munich Re Group or third companies (business partners of DKV) by traditional and/or distance communication means (such as email, phone and any other form of electronic communication). The processing for marketing purposes is, depending on the case, based upon the following legal grounds: (i) the legitimate interests of DKV; or (ii) your consent.
5. Which are the third parties your personal data is shared with and for which purposes? To the extent strictly necessary, your personal data may be shared with the following third parties for the following purposes: – insurance intermediaries, for purposes of proposing, concluding and executing insurance contracts; – (re)insurance companies for the purposes of re- or coinsurance, assistance and/or recovery of expenses; – Munich Re group companies, for purposes of monitoring and reporting; – service and healthcare providers, for purposes of allowing DKV to provide, develop, monitor and improve its services to you; – certain regulated professions such as lawyers, notaries or auditors, for purposes of compliance with legal or contractual obligations DKV is subject to and/or for the establishment, exercise or defence of legal claims; – the Insurance Ombudsman, for purposes of the establishment, exercise or defence of complaints and legal claims; and – public entities, for purposes of compliance with legal and regulatory obligations DKV is subject to and/or for the establishment, exercise or defence of legal claims.
6. What are the legitimate interests for which DKV processes your personal data? Where DKV relies on its legitimate interests, this includes (i) the offering of products or services that best meet your needs and desires; (ii) compliance with applicable guidelines, standards and codes of conduct; (iii) the improvement of DKV's business operations and services; (iv) the performance of computer tests and security; (v) the training of staff; (vi) monitoring of DKV’s activities and reporting to the Munich Re Group as well as to supervisory authorities; (vii) the prevention of abuse and fraud; (viii) the establishment of statistics of coded data, including big data; (ix) the protection of DKV's business, shareholders, employees and customers; and (x) the establishment, defence and exercise of legal claims. When DKV invokes its legitimate interests, it thoroughly weighs in the balance DKV's interest and your interest, including the protection of your privacy.
7. How does DKV process your health-related data? Prior to concluding an insurance contract, DKV processes your medical data in response to medical questionnaires/requests specifically with a view to assessing risks and eligibility for the conclusion of the insurance contract. During the execution of the insurance contract DKV processes your medical data for the management, processing and execution of your claims. This data, as well as the health-related data provided in the past, can only be processed with your explicit consent. If you do not give your consent, the conclusion and/or proper performance of the insurance contract could be hindered. In accordance with Article 61 of the Insurance Act of 4 April 2014, you may ask your attending physician to communicate to the advising physician designated by DKV any medical certificate necessary for the execution of the contract. This data should be limited to a description of the state of health at the time of the occurrence of an insurance case. The advising physician designated by DKV is then entitled to transmit to DKV only the information relevant to the conclusion or execution of the insurance contract.
8. Under which circumstances does DKV process your personal data relating to criminal convictions and offences? DKV will process your personal data relating to your criminal convictions and offences only (i) to the extent necessary for the management of its own disputes; (ii) for reasons of substantial public interest for the performance of tasks of public interest established by or pursuant to applicable laws; (iii) if you have given your explicit written consent for the processing of such personal data for one or more specific purposes and the processing is limited to those purposes; and (iv) if the processing relates to the personal data that have apparently been disclosed by you on your own initiative for one or more specific purposes and if the processing is limited to those purposes.
9. Does DKV apply automated decision-making? DKV carries out processing activities by automated means which may produce legal effects concerning you (e.g. pricing, risk assessment, claims handling, etc.). You however have the right to obtain human intervention, to express your point of view and to contest the decision.
10. How long does DKV keep your personal data? DKV retains your personal data for as long as is required to fulfil the activities set out in this Privacy Statement, for as long as otherwise communicated to you or for as long as is permitted by applicable law. For example, DKV may retain your personal data if it is reasonably necessary to meet any regulatory requirements, resolve any disputes or litigation, or as otherwise needed to enforce this Statement or prevent fraud and abuse. To determine the appropriate retention period for the information DKV collects from you, DKV considers the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the data, the purposes for which DKV processes the personal data, and whether DKV can achieve those purposes through other means, and the applicable legal requirements.
11. How are your personal data protected? Appropriate technical and organisational measures are implemented in order to ensure an appropriate level of security of your personal data, including but not limited to physical and IT system access controls, obligations of confidentiality, etc. In the event personal data is compromised as a result of a personal data breach DKV will make the necessary notifications, if required under EU Privacy Law.
12. Does DKV transfer your personal data outside of the EEA? Your personal data is processed mainly in the European Economic Area (“EEA”). However, in the framework of the provision of its services to you, DKV may transfer personal data to countries outside the EEA. In this case, DKV will take appropriate measures to safeguard the personal data, including by entering into Standard Contractual Clauses adopted by the EU Commission in accordance with Article 46(2) of the GDPR. These can be consulted at DKV's headquarters.
13. What are your rights? Upon written request dated and signed, and with proof of your identity, you have the right to: – obtain access to your personal data; – obtain rectification of incorrect personal data; – obtain erasure of your personal data; – obtain restriction of the processing of your personal data; – obtain portability of your personal data; – object to the processing of your personal data; – withdraw your consent, in case the processing of your personal data is based thereon, without affecting the lawfulness of processing based on consent before the withdrawal; – obtain human intervention in relation to automated decision making and profiling; and – lodge a complaint with the supervisory authority where you live or where you believe a breach may have occurred. The above rights may be subject to certain legal conditions and/or modalities set out in EU Privacy Law. In order to exercise your rights, please contact the Data Protection Officer of DKV by post at Loksumstraat 25 Rue de Loxum, 1000 Brussels, Belgium or by e-mail at privacy@dkv.be.
14. What happens if DKV makes modifications to this Privacy Statement? DKV reserves the right to modify and update this Privacy Statement from time to time. The latest version of this Privacy Statement can be consulted at https://www.dkv.be/privacy at all times.
15. How to contact DKV? If you have any questions, comments, remarks, requests or complaints regarding this Privacy Statement or the processing of your personal data by DKV, please contact the Data Protection Officer of DKV by post at Loksumstraat 25 Rue de Loxum, 1000 Brussels, Belgium or by e-mail at privacy@dkv.be.