Data Privacy Statement pursuant to Art. 13 and 14 EU General Data Protection Regulation (GDPR)

By means of this statement we are informing you (in particular as policyholders, contracting parties, injured parties and claimants, beneficiaries of our customers, negotiating partners, brokers, interested parties, employees, applicants, investors, shareholders, suppliers, service providers, lessees as well as contact persons for the aforementioned groups) about the processing of your personal data that we, as Hannover Rück SE, have received directly and/or indirectly and about the rights to which you are entitled under data privacy law.

1. Responsible data controller

Hannover Rück SE
Karl-Wiechert-Allee 50
30625 Hannover
Tel. +49 511 5604-0
Fax +49 511 5604-1188
www.hannover-re.com

You can reach our Data Protection Officer by post at the aforementioned address (please include the additional address line "Data Protection Officer") or by e-mail via our data privacy group mailbox at privacy@hannover-re.com.

2. Purposes and legal bases of data processing

We process your personal data in conformity with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and all other relevant laws.

Insurance undertakings may pass on part of their risks from insurance contracts to reinsurers in order to actively manage their insured portfolio and so as to be able to fulfil their obligations to indemnify under the insurance relationships at all times. For the purpose of properly establishing, implementing or terminating a reinsurance treaty, we normally receive from your insurer only anonymised data. Insofar as anonymous data do not suffice for the specified purposes, we receive the data from the insurance application or relationship in pseudonymised form.

We receive your personal data primarily only to the extent that this is necessary for the purposes of the reinsurance. In particular, this may occur for the following reasons:

  • independent underwriting or claims management in the case of, for example, large contract amounts or in connection with a risk that is difficult to assess in a specific case,
  • evaluation of portfolio lists for the purpose of determining possible accumulation risks,
  • verification of the obligation to indemnify your insurer or checking of the underwriting and claims management performed by the primary insurer on a random basis or in relation to specific cases,
  • assisting your insurer with the assessment of risks and claims as well as with the evaluation of process flows.

Furthermore, we require your personal data for the compilation of insurance-specific statistics, for example for the development of new tariffs or for the fulfilment of supervisory requirements.

The legal basis for the processing of personal data for the aforementioned purposes is Art. 6 (1) b) GDPR. Insofar as special categories of personal data (e.g. data concerning your health when taking out a life insurance contract) are required to this end, your insurer will as a matter of principle obtain your consent pursuant to Art. 9 (2) a) in conjunction with Art. 7 GDPR. If we compile statistics with these categories of data, this is done on the basis of Art. 9 (2) j) GDPR in conjunction with Section 27 BDSG or Art. 5 (1) b) in conjunction with Art. 6 (4) GDPR.

Further purposes for which personal data are processed include, most notably, for the administration of shareholders and members of bodies required by law or the articles of association, suppliers and service providers, interested parties / newsletter subscribers as well as for the offering of media services and real estate / building management and property security. These processing operations are conducted on the legal basis of Art. 6 (1) GDPR.

We also process your data in order to safeguard our legitimate interests or those of third parties (Art. 6 (1) f) GDPR). In particular, this can be necessary:

  • to ensure IT security and IT operations,
  • to comply with official requirements.

Above and beyond this, we process your personal data in order to fulfil legal requirements such as supervisory standards and retention obligations under commercial and tax law or the cross-checking of your data against so-called sanctions lists in order to comply with legal stipulations for combatting terrorism (e.g. Council Regulation (EC) No. 2580/2001). In this case the relevant legal provisions in conjunction with Art. 6 (1) c) GDPR serve as the legal basis for such processing.

Should we wish to process your personal data for a purpose not specified above, we shall inform you in advance within the framework of the applicable legal provisions.

3. Sources of personal data

As a general principle, your data are passed on to us by your insurer within the scope of the aforementioned purposes. In addition, we also make use of databases from third-party providers in conformity with legal provisions. Furthermore, we use data from publically accessible sources, especially for the evaluation of large losses or for accumulation control.

4. Categories of personal data

Essentially, the following data and data categories are collected, processed and used:

  • Address data
  • Insurance contract data
  • Claims data
  • Health data
  • Billing and benefit data
  • Contact data
  • Bank details
  • Share register data

5. Categories of recipients of personal data

In order to fulfil our contractual and legal obligations we utilise to some extent external service providers in the following categories:

  • Surveyors / medical experts for the preparation of expert opinions for underwriting and claims management
  • IT service providers for the maintenance, operation and protection of systems and applications, data recovery and destruction of data media
  • Service providers to assist with application and portfolio processing, such as translators, audit service providers, service providers for the storage and destruction of files

In addition, we may transfer your personal data in specific cases to other recipients. These include, for example, public authorities in order to fulfil statutory duties of notification or other reinsurers to whom we transfer risks (retrocessionaires).

6. Duration of data storage

We erase your personal data as soon as they are no longer needed for the aforementioned purposes. In this context it may occur that personal data are stored for the period in which claims can be asserted against our company (statutory limitation period of three or up to thirty years). In addition, we store your personal data to the extent that we are required to do so by law. Corresponding documentation and retention duties derive from, among other things, the Commercial Code, the Fiscal Code and the Money Laundering Act. The retention periods under such laws are up to ten years.

7. Data transfer to a third country

If we transfer personal data to an undertaking/service provider and/or authorities outside the European Economic Area (EEA), the transfer only takes place if the European Commission has confirmed that the third country ensures an adequate level of data protection or other adequate data protection safeguards (e.g. mandatory internal corporate data protection rules or EU standard contract wordings) are in place. Detailed information in this regard and concerning the level of data protection at our service providers in third countries can be requested from the contact information specified under Item 1.

8. Automated decision-making and profiling

We process your data on a partially automated basis in order to support decision-making by our employees in certain situations. Should we fully automate these operations in the future, we shall inform you accordingly in advance so that you can safeguard your rights.

9. Rights of data subjects

You may require information about the data stored on your person by contacting the address specified above. In addition, you may, under certain circumstances, require the rectification or erasure of your data. Furthermore, you may be entitled to a right to restrict the processing of your data as well as a right to be provided with the data made available by you in a structured, commonly used and machine-readable format.

10. Right to object

If we process your data to protect legitimate interests, you may register your objection to this processing with our Data Protection Officer at the aforementioned address if there are reasons associated with your particular situation that oppose such data processing.

11. Right to complain

You have the option to complain to the aforementioned Data Protection Officer or a responsible data protection supervisory authority.

The data protection supervisory authority responsible for our company is the Data Protection Commissioner for the State of Lower Saxony:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover

Phone: +49 (0511) 120 45 00
Fax: +49 (0511) 120 45 99
E-mail: poststelle@lfd.niedersachsen.de

12. Local specificities

Insofar as country-specific peculiarities need to be observed for the processing of your data, you will find them in the country-specific sections of our website.

13. Reservation of right of modification

We reserve the right to modify these data privacy rules at any time within the limits set by applicable laws.

Information as of May 2018

Data privacy information for shareholders of Hannover Rück SE

With effect from 25 May 2018 the EU General Data Protection Regulation (GDPR) and the new version of the German Data Protection Act (BDSG) are applicable. We are providing you with the following particulars in order to keep you informed about the collection and processing of your personal data by Hannover Rück SE (Hannover Re) and the rights to which you are entitled according to data protection regulations.

Who is the responsible data controller?

Hannover Rück SE
Karl-Wiechert-Allee 50
30625 Hannover
E-mail: Hauptversammlung@hannover-re.com.

You can contact Hannover Re's data protection officer by post using the aforementioned address for the responsible data controller (please add "Group Data Protection Officer") or via e-mail at: datenschutz@hannover-re.com.

What categories of data do we process, for what purposes and on what legal basis?

Hannover Re processes your personal data in conformity with the General Data Protection Regulation (GDPR), the German Data Protection Act (BDSG), the relevant legal provisions governing the European Company (SE), the German Stock Corporation Act (AktG) and other relevant legal provisions.

The shares of Hannover Re are no-par-value registered shares. In accordance with Section 67 AktG, personal data must be entered in the company’s share register when issuing such registered shares. This consists of the shareholder’s first name and surname, address details and date of birth as well as specification of the number of shares or stock number. According to Section 67 (1), sentence 2 AktG, the shareholder is required to provide this information to the company. This notification is usually provided by the credit institutions involved in the purchase / sale and safekeeping of the shares. The credit institutions pass this information on to Hannover Re via Clearstream Banking AG, Frankfurt, which, as the central securities depository, oversees the technical processing of securities transactions and the safekeeping of shares for the credit institutions.

Your personal data is processed in connection with the purposes set out in the German Stock Corporation Act. This primarily involves the management of the share register, communication between the shareholders and the organisation as well as the holding and conduct of Annual General Meetings. In addition, we also process your personal data for statistical purposes, e.g. regarding changes in the shareholder structure or trading volumes.

This data processing takes place on the legal basis of Article 6 (1c) and (4) GDPR in conjunction with the German Stock Corporation Act.

In addition, we process your personal data in accordance with statutory requirements, such as supervisory regulations and retention requirements under stock corporation, commercial and tax laws. If, for example, you authorise the proxy appointed by the company for the Annual General Meeting, we are legally required to record in a verifiable form the data serving to document this proxy authorisation and to retain it for three years in a manner that is protected against third-party access (Section 134 (3) sentence 5 AktG). The determinative legal basis for processing of the data is Article 6 (1c) GDPR.

In individual cases, Hannover Re also processes your data in order to safeguard legitimate interests in accordance with Article 6, (1f) GDPR. This is the case with capital increases, for example, if we are required to exclude certain shareholders from information concerning rights offerings due to their nationality or place of residence so as to adhere to securities regulations of such countries.

If we intend to process your personal data for any other purpose, we will inform you in advance within the framework of the legal provisions.

Which categories of recipients might we share your data with?

External service providers:

Hannover Re makes use of external service providers for the management of the share register and for technical matters connected with organising and holding the Annual General Meeting. Examples of the tasks performed by service providers that we commission in this regard are:

  • the administration and technical management of the share register by a share register service company
  • the organisation of Annual General Meetings by AGM service providers, service providers for printing and sending shareholder communications
  • the holding of Annual General Meetings (primarily: attendance checks, technical infrastructure for voting and documentation of Annual General Meetings)

Additional recipients:

In the context of Hannover Re’s Annual General Meeting a list of participants is compiled containing personal data of the participants. This list can be viewed by other shareholders of the company during the Annual General Meeting. Furthermore, it may become legally necessary to pass on your personal data to other recipients such as government agencies upon materialisation of certain facts and circumstances (e.g. if statutory voting rights thresholds are exceeded, to the revenue authorities or criminal prosecution authorities).

Is data transmitted to service providers in third countries?

If your personal data is transferred to service providers outside the European Economic Area (EEA), such transfer will only take place if the third country has been confirmed by the European Commission as having an appropriate level of data protection or if other appropriate data protection guarantees (e.g. mandatory internal company data protection regulations or EU standard contractual clauses) are in place. Before we undertake such a transfer, we will inform you in accordance with legal regulations.

How long do we save your data?

Your personal data is erased as soon as it is no longer required for the purposes mentioned above and provided no other legal documentation and retention obligations require further storage. Such documentation and retention obligations derive from, inter alia, the German Commercial Code, the German Fiscal Code and the German Money Laundering Act.

Data stored in the share register will be stored for the holding period and a period of ten years following the complete sale of your shares based on the legal documentation and retention obligations. Your personal data will be stored should you assert legal claims or if legal claims are lodged by Hannover Re. As a general principle, this is intended to assist with clarification of claims and enforcement in individual cases. Based on the legal principles governing the statute of limitations, this can lead to a storage period of three to thirty years.

For personal data arising in connection with Annual General Meetings, the period of storage is normally up to three years. Wherever possible, we will keep your personal data in anonymised form.

What are your data protection rights?

You can request information about the data stored on your person from the aforementioned address. Under certain conditions, you can also request that your data be corrected or erased. You may also have the right to restrict the processing of your data and to have the data that you made available provided to you in a structured, commonly used and machine-readable format.

You can access our online Annual General Meeting service and the shareholder portal directly at https://netvote.hannover-rueck.de or via our company's homepage at www.hannover-rueck.de/115095/hauptversammlung-2019. The shareholder portal gives you access to the most important information recorded about your person in the share register; you can inform us of any corrections here or via the aforementioned address. The e-mail address hannoverrueck.hv@linkmarketservices.de may also be used for sending communications.

Right of objection

You have the right to object to the processing of your personal data in order to safeguard legitimate interests for reasons that arise from your particular situation. Hannover Re will then no longer process your personal information unless it can demonstrate compelling legitimate grounds for processing which outweigh your interests, rights and freedoms, or if the intention of processing is to assert, exercise or defend legal claims.

Do you have any questions or do you wish to complain about the handling of your data?

You have recourse to our data protection officer (contact details as above) or a data protection supervisory authority.

The responsible data protection supervisory authority for Hannover Re is:

Die Landesbeauftragte für den Datenschutz Niedersachsen (Data Protection Commissioner for Lower Saxony)
Prinzenstrasse 5
30159 Hannover

Do we use profiling or automated case-by-case decision making?

Insofar as automated processing of your personal data involves using such data to evaluate, analyse or predict certain personal aspects relating to you, this is known as "profiling". Should Hannover Re carry out profiling in the future, we will inform you according to legal regulations.

Reservation of right of modification

We reserve the right to modify these data privacy rules at any time within the limits set by applicable laws.

Information as of January 2019

Data privacy information in connection with your use of our website

1. Scope of application and basic principles

We attach considerable importance to the protection of your personal data. You can learn more about the general and extensive measures that we take to protect your data in our Data Privacy Statement pursuant to Art. 13 and 14 EU General Data Protection Regulation. In the following we provide you with specific information in connection with your use of our website.

2. Use of cookies, Web analysis

Cookies are small files that we send through your Web browser to your computer's hard drive and which we can read during your current visit to our webpages and upon subsequent visits.

You can prevent cookies being saved by setting your browser software accordingly; we would, however, point out to you that in this case you may not be able to use all the functions of this website.

We use the following technical cookies without your explicit consent because they are necessary for the proper functioning of our website:

  • cookie banner accepted: Remembers that you have accepted the cookie policy on the cookie banner.
  • legal notices accepted: Remembers the pages for which you have accepted any preceding legal notices.
  • form ID cookie: Stores a random, variable and untraceable ID number in order to be able to distinguish actual visitors from bots when forms are submitted.
  • function cookies for stock and bond charts, the contents of which are supplied by external service providers and integrated into our website.

In addition to these technical cookies, we use the analytics tool Matomo for Web analytics purposes in order to optimise for you our Web offerings and in particular how they are presented. The analytics tool Matomo (further information at: http://matomo.org) uses cookies to analyse user behaviour. This analysis is, however, conducted on an anonymised basis because we use the "anonymizeIP" plugin to ensure that IP addresses are always logged anonymously (so-called IP masking). This step blanks the last two bytes of your IP address (e.g. 123.456.xxx.xxx).

You may control such logging of your visit to our website by Matomo via the following link.

You are currently opted in. Click here to opt out.

You are currently opted out. Click here to opt in.

We make use of offerings from external service providers in connection with the HTML Annual Report and the Applicants' Portal. In the case of both offerings, further cookies are placed on your computer when accessing the HTML Annual Report or upon registering with the Applicants' Portal. These areas are, however, subject to separate Data Privacy Statements of which you will be informed when making use of the respective offering.

3. Collection and processing of your data

We collect your data in various ways:

Access data and server log files

In order to technically optimise the utilisation of our Internet offerings, we require information about which technical tools are used to access which of our webpages. We save these data in so-called server log files. Unless otherwise required by law, the storage period is 12 months. The data do not include any personal data.

Subscription to our e-mail notification service

If you are a subscriber to our e-mail Notification Service, you receive e-mail notifications of current publications that you can access under www.hannover-rueck.de or www.hannover-re.com. We use the data provided by you for this purpose solely for sending our notification e-mails. You may choose to stop receiving these notifications at any time by sending an e-mail to privacy@hannover-re.com. In addition, each notification e-mail contains a link via which you can cancel the receipt of these e-mails.

Direct inquiries using contact forms or via e-mail

Inquiries that we receive via the contact or order form or which you send directly to a contact person at the Hannover Re Group are forwarded as necessary by us internally within the Group to the relevant responsible area.

In view of our global presence, the responsible area may be located outside the European Economic Area (EEA). In this case too, however, your data are used solely to respond to your particular inquiry and in accordance with the relevant applicable statutory provisions. In this respect, our binding corporate rules safeguard the necessary level of data privacy also in connection with such data transfers.

All data that you transmit using the e-mail form on our website are encrypted to protect them against misuse by third parties. We currently use TLS (Transport Layer Security (formerly SSL, Secure Sockets Layer)) encryption as recommended by the Federal Office for Information Security (BSI). We cannot, however, guarantee the security of data transmitted to us over the Internet.

4. Third-party contents and technologies

On our webpages we currently include icons for the social networks XING, Twitter, Google+ and LinkedIn that are associated with functions. In addition, there is a contact link via YouTube. As soon as you, as a user, activate these icons by clicking on them and/or follow the corresponding link under Contact, you leave our website and enter the sphere of influence of the relevant social network. You also have the option to follow us on YouTube, XING and LinkedIn. You are urged to familiarise yourself with the purpose and scope of data collection and the further processing and use of the data by the respective social network as well as with your rights and setting options for protecting your privacy by consulting the data privacy statements/notices of the social network in question.

5. Further information

Further information, particularly regarding the topics

  • disclosure of your data,
  • data security,
  • your rights,
  • our Data Protection Officer and/or
  • responsibility,

can also be found in our Data Privacy Statement pursuant to Art. 13 and 14 EU General Data Protection Regulation.

6. Reservation of right of modification

We reserve the right to modify these data privacy rules at any time within the limits set by applicable laws.

Information as of January 2019

Data privacy notice regarding video surveillance

By means of this notice we are informing you about the processing of personal data by Hannover Rück SE insofar as it may be possible for us in certain cases to associate a recording with individual persons in the context of video surveillance.

1. Responsible data controller

Hannover Rück SE
Karl-Wiechert-Allee 50
30625 Hannover
Tel. +49 511 5604-0
Fax +49 511 5604-1188

You can reach our Data Protection Officer if you have any questions regarding this notice by post at the aforementioned address (please include the additional address line "Data Protection Officer") or by e-mail via our data privacy group mailbox at privacy@hannover-re.com.

2. Purposes and legal bases of data processing

We process personal data in conformity with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and all other relevant laws.

Video surveillance takes place to protect domiciliary rights and our own legitimate interests or those of third parties (Art. 6 (1) f) GDPR, § 4 BDSG) in assuring the necessary high standards of safety and security. Hannover Rück SE/E+S Rückversicherung AG are responsible for the safety of employees and the security of property on and at our office premises.

Recording in the context of video surveillance primarily serves to protect premises, persons and property, facilitate access control as well as to identify and avert technical problems. Recordings may also be used in the prosecution of crimes (e.g. in cases of burglary or property damage).

3. Location of video surveillance

Camera equipment has been installed, in particular, in the areas where visitors enter our office premises, at the access points to the underground parking garages, in parking areas and delivery zones, at emergency exits and at the staff entrances/exits. Audio is not recorded.

Camera installations that facilitate the monitoring of publicly accessible areas are made identifiable by appropriate signage.

4. Recipients of the data

Only a small number of authorised persons on our Facility Management team are permitted to access the recordings made by the camera equipment. The Employee Council and the Data Protection Officer are also integrated into the procedure.

5. Duration of data storage

Video recordings are stored for a period of at most 7 days and then automatically erased through re-recording, unless one of the purposes defined for storage exists or, as appropriate, longer retention is necessary due to forwarding to the police or other regulatory agencies.

6. Rights of data subjects

You may require information about the data stored on your person by contacting the address specified above. In addition, you may, under certain circumstances, require the erasure of your data. Furthermore, you may be entitled to a right to restrict the processing of your data.

7. Right to object

If we process your data to protect legitimate interests, you may register your objection to this processing with our Data Protection Officer at the aforementioned address if there are reasons associated with your particular situation that oppose such data processing. We shall then no longer process your personal information unless we can demonstrate compelling legitimate grounds for processing which outweigh your interests, rights and freedoms, or if the intention of processing is to assert, exercise or defend legal claims.

8. Right to complain

You have the option to complain to the aforementioned Data Protection Officer or to a responsible data protection supervisory authority.

The data protection supervisory authority responsible for our company is the Data Protection Commissioner for the State of Lower Saxony:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover
Phone: +49 511 120 45 00
Fax: +49 511 120 45 99
E-mail: poststelle@lfd.niedersachsen.de

9. Reservation of right of modification

We reserve the right to modify these data privacy rules at any time within the limits set by applicable laws.

Information as of April 2019