Data privacy at HDI Versicherung AG
Dear customer,
to the extent necessary to assess the claims arising from the liability insurance contract concluded by and between your employer and/or the person bound by compensation obligation, as well as HDI Versicherung AG Branch Office in Hungary (hereinafter referred to as HDI), we manage, store, process and transmit your data qualifying as insurance secret as well. The data management and the data processing are carried out with purpose limitation, in accordance with Act CXII of 2011 on The Right to Informational Self-determination and the Freedom of Information (hereinafter referred to as Privacy Act), Act LXXXVIII of 2014 on the Insurance Activity (hereinafter referred to as Insurance Act), and the General Data Protection Regulation No. 2016/679/EU (General Data Protection Regulation, GDPR). Under the Privacy Act and the GDPR, HDI is considered as data controller and data processor. In accordance with the regulations of the Privacy Act and the GDPR, we comply with our obligation to inform the data subjects about all facts occurring related to the data management unambiguously and in detail by providing the present notification.
HDI is committed to the protection of the personal data of the Data Subjects, and considers respecting the Data Subjects’ right to informational self-determination especially important. HDI declares that it respects the personal rights of the Data Subjects. HDI manages the personal data recorded confidentially, in compliance with the data protection laws and international recommendations, the General Data Protection Regulation No. 2016/679/EU (General Data Protection Regulation, GDPR), and in accordance with the present data management policy. In addition, HDI uses its best efforts to take all security, technical and organizational measures, which guarantee the security of the data.
The information occurring related to the data management activity of HDI and the prevailing valid version of the Policy are constantly available at www.hdi.hu.
HDI reserves the right to modify the present Policy at any time. Naturally, HDI will notify the Data Subjects of any possible changes in due time and in the appropriate manner.
1 Which data do we manage?
Your personal data are those data which relate to you as data subject, as well as the conclusions drawn from the data regarding the data subject. According to the GDPR, personal data shall mean any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Such data are in particular the following: name, maiden name, place of birth, date of birth, sex, mother’s name, address, telephone number, e-mail address, social security (TAJ) number, occupation, tax identification number, bank account number. (We manage and use the data concerning health only in accordance with Section 135 of the Insurance Act and with Point b) Article 9(2) of the GDPR.)
The source of the data: The data provided by the Data Subject
In case of insurance events, additional personal data and other information may be necessary in order to establish the matters of fact, as well as for the purpose of the settlement of the insurance damages arising from the liability insurance contract, the examination of the compensation legal basis, the transfer of the compensation amount, and for other purposes specified by the Insurance Act. HDI manages exclusively those data which are essential to achieving the objective of the data management and are suitable for achieving the objective.
In respect of all data management activities carried out on a voluntary basis, the duration of the data management is determined in the description of the data management concerned; however, if due to any error or inadequacy the duration specified therein cannot be applied, then the following rules shall be applicable:
- until the realization of the purpose and the deletion of your personal data, or
- until your consent regarding the management of your data is withdrawn and thereby until the deletion of your personal data
- until the execution of the decision of the court or any authority on the deletion, or in the absence of such orders – and unless the law provides otherwise –
- until the limitation period of the enforceability of the rights and obligations which arise from the legal relationship related to which the personal data are managed by Data Controller. Pursuant to Section 6:22 of the effective Civil Code the general limitation period is 5 years – following the conclusion of the insurance case.
In course of the management of data within the scope of insurance secret, HDI shall manage the personal data – including the data directly related to health – during the term of the insurance legal relationship, as well as during the period in which claim may be enforced related to the insurance legal relationship (5 years after the conclusion of the damage claim related to the liability insurance contract).
2 For which purposes are the data requested and managed?
The purposes of the data management are the settlement of the insurance damages arising from the liability insurance contract, the examination of the compensation legal basis, the transfer of the compensation amount, and for other purposes specified by the Insurance Act.
The data are processed and transmitted through an encrypted and secure information technology system.
3 Guaranteeing data security
HDI Versicherung AG stores the personal data on its own dedicated server protected by 24-hour security.
HDI takes all necessary security measures, organizational and technical measures in order to ensure the highest level of security possible of the personal data, as well as to prevent the unlawful alteration, destruction and use of the personal data.
HDI takes all necessary measures in order to ensure data integrity, i.e. the accuracy, completeness and up-to-date condition of the personal data managed and/or processed by HDI. HDI protects the data with the appropriate measures in particular from unlawful access, alteration, transmission, disclosure to the public, erasure or destruction, as well as from accidental destruction, damage, and from becoming inaccessible due to the changing of the technology used.
Therefore, HDI reserves the right to notify its clients and partners in the event HDI notices any security gap in its systems on part of its client and partners, and simultaneously to restrict access to the system or the services of the Service Provider or to the specific functions thereof until the security gap is terminated. In order to ensure the security of the data stored on the network, HDI avoids data loss through constant mirroring on the server.
The system administrator makes daily/weekly/monthly backups to data backup tapes and data storage devices from the databases containing personal data. The data backup tapes and data storage devices are stored at the registered seat of HDI, in a fire-proof server room protected by entry code, to which server room only the IT co-workers have entry and access authorization. The system administrator ensures constant anti-virus protection on the network managing the personal data.
HDI ensures the accessibility of the data and data files managed on its network by windows-based username and password. The detailed rules related to data security are included in the Information Security Policy.
4 The scope of parties entitled to access the data
The personal data and the information to be considered as insurance secret may be accessed by the employees of HDI who have access authorizations related to the data management purpose concerned, as well as those persons and organizations who and which perform outsourced activity to HDI pursuant to service agreements, for the purpose of performing the contracts concluded with them, to the extent necessary (according to Points f) and b) of Article 6(1) of the GDPR), and within the range specified by HDI.
The data recorded in the information technology systems are stored in the data centres located at the following places:
HDI Versicherung AG
1120 Wien, Edelsinnstrasse 7-11
Representative and contact: Westreicher Reinald
Physical location of backup server:
1030 Wien, Arsenal-Objekt 21
5 To whom do we transmit the data?
If it is necessary to achieve the above purposes, or if it is required by law, we transmit the data managed (name, maiden name, place of birth, date of birth, sex, mother’s name, address, telephone number, e-mail address, social security (TAJ) number, occupation, tax identification number, bank account number) to the extent prescribed in the case concerned and to the recipient which processes the data/the recipient prescribed. Recipients may be:
HDI Versicherung AG (1120 Wien, Edelsinnstrasse 7-11), (the scope of data transmitted: data necessary to determine the compensation amount and the circumstances of the damage, the legal basis of data transmitting: insurance contract, duration of access to the data: the duration of the claim settlement process + limitation period).
UniCredit Bank Austria AG (1010 Wien, Schottengasse 6-8), (the scope of data transmitted: the bank data of the Data Subject, purpose of the data transmitting: transfer of the compensation amount, the legal basis of the data transmitting: insurance contract, duration of access to the data: the duration of the claim settlement process + limitation period).
In addition to the above, recipients may be any other competent authority, prosecutor’s office, court, or any legal representative entrusted or authorized (and bound by professional confidentiality).
Data concerning health may be transmitted only if necessary and only in specific cases, in accordance with the provisions of the Insurance Act, and together with the written exemption issued by you or your representative, and only to the following recipients: the reinsurer or the joint insurer which cooperates in course of the settlement of the claims related to the insurance event; the damage appraiser specialist, or the legal representative of the court, the prosecutor’s office, the administrative agency or any other agencies of the dispute resolution, including the agencies thereof, together with the experts appointed by them.
6 Data leaks, personal data breach
HDI shall at all times apply the appropriate processes to avoid, report and investigate personal data leaks.
Data Controller - through the data protection officer – shall maintain records for the purpose of controlling the measures related to personal data leaks and for the purpose of notifying the Data Subject, which records shall include the scope of personal data affected, the scope and number of data subjects affected by the personal data breach, the date and time, the circumstances and the effects of the personal data breach and the measures taken to avert it, as well as other data specified in the law stipulating the data management.
In the event of personal data breach, the supervisory authority shall be notified within 72 hours, while the data subjects shall be notified immediately. However, not all cases shall be reported to the data protection authority – only those in course of which private persons may presumably suffer any damage, for example, in case of abuse of personal identity or breach of the confidentiality requirements.
HDI will develop guidelines and procedures in order to be able to manage data leaks. These guidelines and procedures are included in the Information Security Policy.
7 Data protection officer
Pursuant to Subsection (1) Section 24 of the Privacy Act, HDI is obliged to employ a data protection officer who has legal, public administration, information technology qualification or any qualification equivalent of the above.
The data protection officer shall be appointed by the HDI Versicherung AG Management, based on the professional aptitude, and in particular based on the expert-level knowledge of data privacy law and practice, as well as the aptitude to perform the tasks specified above. The data protection officer shall be an employee of Data Controller. Data Controller shall ensure that the data protection officer gets involved in all matters related to the protection of the personal data in the appropriate way and in due time.
Data Controller shall support the data protection officer in performing the tasks listed above by providing the data protection officer with the resources which are necessary to perform these tasks, to access the personal data and the data management operations, as well as to maintain the expert-level knowledge of the data protection officer.
Data Controller shall ensure that the data protection officer does not accept instructions from anybody related to the completion of his/her tasks. The data controller and the data processor shall not dismiss and shall not impose any sanction against the data protection officer in connection with the performance of his/her tasks. The data processor shall be liable directly to the superior management of the data controller, i.e. the Vorstand.
The Data Subjects may contact the data protection officer in respect of any and all questions related to the management of their personal data and exercising their rights. In respect of the performance of his/her tasks, the data protection officer shall be bound by the confidentiality obligation specified by European Union or member state law, or by the obligation related to the management of confidential data. The data protection officer may perform other tasks as well. The data controller shall ensure that no conflict of interest arises from such tasks.
The data protection officer shall perform his/her tasks while taking into consideration the risk related to the data management operations appropriately, as well as the nature, scope, circumstances and purpose of the data management.
The name and contact details of the data protection officer: Tamás Nagy (+36-30-970-5052, tamas.nagy@hdi.hu). Data Controller will notify the supervisory authority of the name and contact details of the data protection officer as well.
8 The statement of consent and the withdrawal thereof
The data managements related to the activity of HDI are usually based on the legal bases of voluntary consent or the performance of contract. In certain cases, the management, storage and submitting of a certain scope of the data provided is stipulated by laws. Your prior, explicit, informed and voluntary consent to the management, storage, use and transmitting of your personal data (including your sensitive data) is included in the annex of the present data management notification. This statement is to be signed separately.
By signing this statement, you grant your consent to the management of your personal data and the transmitting of your data in accordance with the provisions of the present data management notification. Afterwards, you have the right to withdraw this consent in writing at any time (through any of the contact addresses specified at the end of the present data protection notification). If you do not grant your consent to the management of your data or grant only partial consent, or if you withdraw your consent to the management of data, then your data will continue to be managed exclusively in accordance with and to the extent specified by the statutory provisions.
Pursuant to Article 8(1) of the GDPR, where the child is below the age of 16 years, the management of the personal data of the child shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. The validity of the legal statement of any minor data subject above the age of 16 and containing his/her consent shall not require the agreement or subsequent approval of his/her legal representative. Data Controller – taking into consideration the available technology – shall take reasonable measures to inspect in such cases whether the consent had been granted or authorized by the person exercising the parental rights related to the child.
9 Rights related to the data managements and the enforcement of such rights
You have the right to receive information from HDI about the management of your data; you may withdraw the consent already given at any time without justification, access your data, request that your data be rectified or erased, or request that the management of your data be restricted. You have the right to object to direct marketing, the right to prevent automated decision-making and profiling, as well as the right to data portability and to judicial enforcement, and you may submit complaints to the Hungarian National Authority for Data Protection and Freedom of Information.
HDI shall provide information on actions taken on a request under Articles 15 to 22 of the GDPR to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. HDI shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. If HDI does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. HDI provides the information requested and the notification free of charge.
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, HDI may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request. HDI shall communicate any rectification or erasure of personal data or restriction of management carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. HDI shall inform the data subject about those recipients if the data subject requests it.
If you have any request or complaint related to data management, please contact us in the following manner: call us at the +36 1 248 2823 telephone number or write to us at the following address:
The data of HDI as data controller
Name: HDI Versicherung AG Branch Office in Hungary
Registered seat: 1134 Budapest, Váci út 45
Company registration number: 01-17-000450
Website: www.hdi.hu
E-Mail: office@hdi.hu
Data protection officer: Tamás Nagy
Opportunities of legal remedy
In the event the rights of the data subject are infringed, the data subject may refer to the court (subject to the choice of the data subject, to the court competent in the registered seat of the defendant or in the residence of the plaintiff) against the data controller. The court shall proceed with urgency. The list and contact details of the regional courts are available through this link: https://birosag.hu/torvenyszekek. The lawsuit initiated related to the protection of personal data is not subject to duties.
Requests for legal remedy and complaints may be submitted to the Hungarian National Authority for Data Protection and Freedom of Information:
Name: Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság)
Address: 1125 Budapest Szilágyi Erzsébet fasor 22/c
Website: www.naih.hu
E-Mail: ugyfelszolgalat@naih.hu
Tel.: 06 1 39 11 400
Fax: 06 1 39 11 410