"Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution, or otherwise making available, alignment or combination, restriction, deletion, or destruction.

"Profiling" means any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

"Controller" means a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. 

"Processor" means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller in accordance with the controller's instructions.

"Recipient" means any natural or legal person, public authority, agency, or other body to whom personal data is disclosed, whether a third party or not. However, authorities that may receive personal data in the context of a specific investigation under Union or Member State law shall not be considered recipients; the processing of such data by those authorities shall be in accordance with the applicable data protection rules in accordance with the purposes of the processing.

"Third party" means any natural or legal person, public authority, agency, or other body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

"Consent" of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

When you use our websites, we collect data in log files, which are technically necessary for us to display our website to you and to ensure its stability and security. These log files contain data such as your web request/usage call, your IP address, browser type, browser language, and the date and time of your request. The IP address is stored in an abbreviated form in accordance with data protection regulations.

We are entitled to collect and store this data in accordance with Article 6 (1) (f) GDPR, as we have a legitimate interest in the security and stability of our website. They will be automatically deleted after 7 days at the latest, unless there is reasonable suspicion of unlawful activity.

Our websites incorporate functions and content from various social networks. This includes, in particular, links, buttons, and – if used – so-called social plugins. Providers can include Facebook/Instagram (Meta), LinkedIn, X (formerly Twitter), or Xing, for example.

In order to make the integration of social media functions as privacy-friendly as possible, we use the so-called Shariff solution on our website. Shariff was developed to prevent personal data from being automatically transferred to social network operators when you visit our websites.

With the Shariff solution, social media buttons (e.g., from Facebook, Instagram, Twitter, LinkedIn, Xing) are only displayed as static icons. Only when you actively click on such a button will a connection to the servers of the respective provider be established and data can be transmitted, such as:

• IP address
• Browser and device information
• Page accessed
• Any login cookies from the respective network

As long as you do not click on the buttons, no data will be transferred to the respective service providers, and no social media cookies will be set.

This means that personal data is only processed when you actively click on a social media icon. The legal basis in this case is your consent in accordance with Section 25 (1) TDDDG and Article 6 (1) (a) GDPR.

If you are logged into a social network, the provider can then assign your visit to our website to your user account.

Further information on the processing of personal data by the respective platform operators can be found in the respective privacy policies (e.g., Meta, LinkedIn, X/Twitter, Xing).

Many social media providers operate servers in the US or other non-EU countries. The providers we work with may also transfer data to the United States. The transfer is based on the European Commission's adequacy decision for the EU-US Data Privacy Framework (TADPF). The providers are certified according to the TADPF and are therefore committed to complying with a level of data protection recognized by the EU.

You can revoke your consent at any time via our consent management tool, which will prevent social plugins from being loaded in the future.

We and social media providers are jointly responsible for the collection and transmission of data to social media providers in accordance with Article 26 GDPR. After transmission, social media providers process the data on their own responsibility.

• Meta (Facebook, Instagram): https://de-de.facebook.com/legal/controller_addendum
• LinkedIn: https://www.linkedin.com/help/linkedin/answer/a1338708?lang=de

You can assert your rights as a data subject both with us and directly with the respective platform. If we receive a request concerning data processing by the respective platform operator, we will forward it to the respective address.

You can find the privacy policy information of the most important providers at:

• Meta (Facebook, Instagram): https://www.facebook.com/privacy/policy
• LinkedIn: https://www.linkedin.com/legal/privacy-policy
• X (formerly Twitter): https://twitter.com/privacy
• Xing: https://www.xing.com/privacy

General information about cookies

When you use our websites, cookies or similar technologies (hereinafter collectively referred to as "cookies") are stored on your computer. Cookies are small text files that are stored on your device and through which certain information is sent to the entity that sets the cookie. They serve to make the website more user-friendly and effective overall. 

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. Disabling cookies may limit the functionality of this website.

Technically necessary cookies, which are required to carry out the electronic communication process or to provide certain functions you have requested (e.g., portal use), are set on the basis of Article 6 (1) lit. f GDPR in conjunction with § 25 (2) TDDDG. We have a legitimate interest in storing cookies for the technically error-free and optimized provision of our services. Information about the individual cookies set for this purpose (session cookies, language settings, etc.) can be found in the cookie settings.

Insofar as other cookies are stored, in particular cookies for analyzing your surfing behavior and for advertising purposes, these are treated separately in this privacy policy (see "Statistics and marketing cookies" below). Your consent is obtained via the cookie banner for these cookies that are not technically necessary. These cookies are set in accordance with Article 6 (1) (a) GDPR in conjunction with § 25 (1) TDDDG.

You can adjust your settings for consenting to the use of cookies at any time in the cookie settings (in the footer of our website). 

You can find comprehensive information about each cookie in the cookie settings.

Consent Management

As a technically necessary cookie, we use the consent management tool provided by our service provider Usercentrics, Sendlinger Str. 7, 80331 Munich, Germany, based on Article 6 (1) lit. f GDPR in conjunction with § 25 (2) TDDDG, to set the cookie that stores whether and, if so, which consents you have given for the setting of cookies.

If you wish to revoke these consents, simply delete the cookie in your browser. When you re-enter/reload the website, you will be asked for your cookie consent again. 

Statistics and marketing cookies

If you have given your consent, we use cookies on our websites for statistical and marketing purposes on the basis of Article 6 (1) lit. a GDPR in conjunction with § 25 (1) TDDDG (German Telemedia Act) in order to enable us to design our website and optimize our offerings to meet your needs; this also includes the delivery of personalized advertising. Our aim is to ensure that you only see advertising that is likely to be of interest to you and, in particular, that is not annoying.

In addition to our own cookies, cookies and similar technologies from third-party providers (e.g., Google, Meta, LinkedIn) may also be used. Below and in the cookie settings, you will find information about which third-party providers these are and what data they collect and process using these technologies. Further information can be found in the linked privacy policies of the third-party providers.

If you wish to revoke these consents, simply delete the cookies in your browser. When you re-enter/reload the website, you will be asked for your cookie consent again.

The respective third-party provider processes the following data and here, in particular:

• IP address
• pseudonymous user ID, cookie or device identifiers
• technical data (e.g., browser type, device type)
• pages accessed
• approximate location data
• time stamp
• length of visit
• interactions (e.g., click events)

Some providers, such as Meta and LinkedIn, add aggregated demographic characteristics for logged-in members (e.g., industry, career level) without giving us access to personal profile data.

Tag management system Tealium IQ
For efficient control of the technologies on our websites, we use the tag management system of our service provider Tealium IQ, Tealium Inc., 11095 Torreyana Road, San Diego, CA 92121, USA.

The Tag Manager is used to centrally manage and trigger scripts and tracking tags. Tealium does not create its own user profiles and does not use the collected data for its own purposes, but it does enable the use of other tools (e.g., web analytics or marketing tags), each of which has its own privacy policy.

Tealium is used exclusively on the basis of your consent in accordance with Section 25 (1) TDDDG and Article 6 (1) (a) GDPR.

We only load tags via Tealium for which you have given your consent via the consent management tool.

Tealium may also transfer data to countries outside the EU, in particular the US. The transfer is based on the European Commission's adequacy decision for the EU-US Data Privacy Framework (TADPF). Tealium is TADPF certified and is therefore committed to complying with EU-recognized data protection standards. Furthermore, the appropriate level of data protection is ensured elsewhere, in particular through standard contractual clauses approved by the EU.

You can withdraw your consent at any time using our consent management tool. After your revocation, Tealium will no longer trigger any unnecessary tags.

For more information about Tealium's privacy policy, please visit: https://tealium.com/privacy

Web analysis using ALH API
We use an internal web analytics solution ("ALH-API") on our websites, which is provided by ALTE LEIPZIGER Lebensversicherung a.G., Alte Leipziger-Platz 1, 61440 Oberursel, Germany, and operated within the ALH Group.

The analysis serves the statistical evaluation of the use of our website and its ongoing optimization.

The survey is conducted exclusively in anonymous form; no personal data is stored and no user profiles are created. All data is processed exclusively on servers within the ALH Group in Germany and is not passed on to third parties.

The use of analysis cookies is based exclusively on your consent in accordance with Section 25 (1) TDDDG and Article 6 (1) (a) GDPR. You can revoke your consent at any time with future effect using our consent management tool. You can delete stored cookies at any time via your browser settings.

Third-party provider

• FinanceAds

We use tracking and partner programs from FinanceAds GmbH & Co. KG, Karlstraße 9, 90403 Nuremberg ("FinanceAds") on our websites to evaluate and optimize affiliate marketing measures. FinanceAds helps us determine whether users have accessed our website via a partner site or advertising measure and whether certain actions (e.g., clicks, inquiries, contract conclusions) have subsequently taken place.

This data is used exclusively for the settlement of affiliate commissions and the statistical evaluation of partner campaigns. No usage profile is created that would allow conclusions to be drawn about individual persons.

The use of FinanceAds is based exclusively on your consent in accordance with Section 25 (1) TDDDG and Article 6 (1) (a) GDPR.

We are responsible for collecting and transmitting the data to FinaceAds. After transmission, they process the data on their own responsibility. You can assert your rights as a data subject both with us and directly with FinaceAds. If we receive a request concerning data processing by FinanceAds, we will forward it to them.

FinanceAds may also transfer data to countries outside the EU, in particular the US. The appropriate level of data protection is ensured in particular by standard contractual clauses approved by the EU.

You can withdraw your consent at any time using our consent management tool.

Further information on data processing by FinanceAds can be found at: https://www.financeads.net/aboutus/datenschutz/

• Google Analytics 4

We use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"), on our websites. The parent company is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics 4 is used for statistical analysis of the use of our website and its ongoing optimization.

Google Analytics 4 uses IP anonymization by default. The IP address is already shortened within the EU, so that a direct reference to a person is excluded. Google generates reports for us on website activity and may also process the collected data for its own purposes.

The use of Google Analytics is based exclusively on your consent in accordance with Section 25 (1) TDDDG and Art 6 (1) lit. a GDPR.

We are responsible for collecting and transmitting the data to Google. After transmission, they process the data on their own responsibility.

You can assert your rights as a data subject both with us and directly with Google. If we receive a request concerning data processing by Google, we will forward it to them.

Google may also transfer data to countries outside the EU, in particular the US. The transfer is based on the European Commission's adequacy decision for the EU-US Data Privacy Framework (TADPF). Google is certified under the TADPF and is therefore committed to complying with a level of data protection recognized by the EU. Furthermore, the appropriate level of data protection is ensured elsewhere, in particular through standard contractual clauses approved by the EU.

You can revoke your consent at any time with future effect using our consent management tool. In addition, Google provides an opt-out browser add-on that prevents Google Analytics from collecting data: https://tools.google.com/dlpage/gaoptout/

Further information on data processing by Google can be found at: https://policies.google.com/privacy and https://support.google.com/analytics/.

• LinkedIn Insight Tag (Conversion Tracking & Custom Audiences)

We use the LinkedIn Insight Tag, an analytics and conversion tool from LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn"), on our websites. With the help of the tag, we can track how visitors use our website (e.g., page views, interactions) and use this information to create target groups for interest-based advertising on LinkedIn (Custom Audiences). The data collected by the Insight Tag is also processed by LinkedIn for its own purposes.

Cookies are stored and accessed exclusively on the basis of your consent in accordance with Section 25 (1) TDDDG. The subsequent processing of the data is based on Article 6 (1) lit. a GDPR.

We and LinkedIn are jointly responsible for the collection and transmission of data to LinkedIn in accordance with Article 26 GDPR. After transmission, they process the data on their own responsibility. LinkedIn provides the relevant information at https://www.linkedin.com/legal/l/dpa.

You can assert your rights as a data subject both with us and directly with LinkedIn. If we receive a request concerning data processing by LinkedIn, we will forward it to them.

LinkedIn may also transfer data to countries outside the EU, in particular the US. The transfer is based on the European Commission's adequacy decision for the EU-US Data Privacy Framework (TADPF). LinkedIn is certified under the TADPF and is therefore committed to complying with a level of data protection recognized by the EU. Furthermore, the appropriate level of data protection is ensured elsewhere, in particular through standard contractual clauses approved by the EU.

You can revoke your consent at any time with future effect, by using our consent management tool. In addition, you can disable personalized advertising by LinkedIn at https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. For more information about data protection at LinkedIn, please visit https://www.linkedin.com/legal/privacy-policy.

• Google Ads (conversion tracking & remarketing)

We use functions from Google Ads, an advertising service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"), on our websites. This includes conversion tracking and remarketing or "similar audiences" features. These services enable us to measure how users respond to our advertisements and to serve them interest-based advertising based on their website usage.

This data may also be combined with other data by Google (e.g., if you are logged in to Google) and used for its own purposes, such as profiling or interest-based advertising.

Cookies are stored and accessed exclusively on the basis of your consent in accordance with Section 25 (1) TDDDG. The subsequent data processing is based on Art 6 (1) lit. a GDPR.

We are responsible for collecting and transmitting the data to Google. After transmission, they process the data on their own responsibility.

You can assert your rights as a data subject both with us and directly with Google. If we receive a request concerning data processing by Google, we will forward it to them.

Google may also transfer data to countries outside the EU, in particular the US. The transfer is based on the European Commission's adequacy decision for the EU-US Data Privacy Framework (TADPF). Google is certified under the TADPF and is therefore committed to complying with a level of data protection recognized by the EU. Furthermore, the appropriate level of data protection is ensured elsewhere, in particular through standard contractual clauses approved by the EU.

You can revoke your consent at any time with future effect, by using our consent management tool. In addition, you can disable personalized advertising from Google at https://www.google.com/settings/ads or via the Network Advertising Initiative's opt-out page at http://www.networkadvertising.org/choices/.

Further information on data processing by Google can be found at: https://policies.google.com/technologies/ads and https://policies.google.com/privacy

• Meta Pixel (Conversion Tracking & Custom Audiences)

We use the Meta Pixel (formerly "Facebook Pixel") from Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta") on our websites. The pixel enables us to track the behavior of visitors, for example, whether they reached our website via an ad on Facebook or Instagram (conversion tracking). We can also display targeted advertising on Meta's platforms (Custom Audiences). Meta also processes the data for its own purposes, such as improving its own advertising systems.

Cookies are stored and accessed exclusively on the basis of your consent in accordance with Section 25 (1) TDDDG. The subsequent processing of personal data by Meta is based on Art 6 (1) lit. a GDPR.

We and Meta are jointly responsible for the collection and transmission of data to Meta in accordance with Article 26 of the GDPR. After transmission, they process the data on their own responsibility. Meta provides the relevant information and contractual provisions at https://www.facebook.com/legal/controller_addendum. You can assert your rights as a data subject both with us and directly with Meta. If we receive a request concerning data processing by Meta, we will forward it to them.

Meta may also transfer data to countries outside the EU, in particular the US. The transfer is based on the European Commission's adequacy decision for the EU-US Data Privacy Framework (TADPF). Meta is TADPF certified and is therefore committed to complying with EU-recognized data protection standards. Furthermore, the appropriate level of data protection is ensured elsewhere, in particular through standard contractual clauses approved by the EU.

You can revoke your consent at any time with future effect, by using our consent management tool. Users of Meta services can also customize personalized advertising in their account settings: https://www.facebook.com/settings/?tab=ads

Further information on data processing by Meta can be found at: https://www.facebook.com/privacy/policy

• Microsoft Advertising (Conversion Tracking)

We use conversion tracking from Microsoft Advertising (formerly "Bing Ads" and "Xander"), a service provided by Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, on our websites. This allows us to evaluate which Microsoft ads bring users to our website and how successful our advertising campaigns are.

The data collected through tracking may also be processed by Microsoft for its own purposes, including improving advertising services. We are unable to assign this information to individual persons.

Since tracking cookies access information on your device, processing is carried out exclusively on the basis of your consent in accordance with Section 25 (1) TDDDG in conjunction with Article 6 (1) (a) GDPR.

We are responsible for collecting and transmitting the data to Microsoft. After transmission, they process the data on their own responsibility.

You can assert your rights as a data subject both with us and directly with Microsoft. If we receive a request concerning data processing by Microsoft, we will forward it to them.

Microsoft may also transfer data to countries outside the EU, in particular the US. The transfer is based on the European Commission's adequacy decision for the EU-US Data Privacy Framework (TADPF). Microsoft is certified under the TADPF and is therefore committed to complying with a level of data protection recognized by the EU. Furthermore, the appropriate level of data protection is ensured elsewhere, in particular through standard contractual clauses approved by the EU.

You can revoke your consent at any time with future effect, by using our consent management tool. Microsoft also provides additional opt-out options: https://choice.microsoft.com/de-de/opt-out

If you have a Microsoft account, you can manage your personal advertising settings centrally and across devices at the following link: https://account.microsoft.com/privacy/ad-settings

For more information about data protection at Microsoft, please visit: https://privacy.microsoft.com/de-de/privacystatement

• Outbrain Pixel

We use the Outbrain Pixel, a tracking and marketing tool from Outbrain UK Limited, 121 Kingsway, First Floor, London WC2B6PA, United Kingdom ("Outbrain"), on our websites. The pixel enables Outbrain to recognize whether users have clicked on content or advertisements within the recommendation widget operated by Outbrain. This allows interest-based recommendations and advertisements to be optimized and their success to be measured.

The data is used by Outbrain to create pseudonymous user profiles and to display personalized recommendations or advertisements. We ourselves only receive aggregated evaluations and no directly personal data.

Since the use of pixels requires access to information on your device, processing is carried out exclusively with your consent in accordance with Section 25 (1) TDDDG and Article 6 (1) (a) GDPR.

Outbrain may also transfer data to countries outside the EU, in particular the US. The transfer is based on the European Commission's adequacy decision for the EU-US Data Privacy Framework (TADPF). Outbrain is TADPF certified and is therefore committed to complying with EU-recognized data protection standards. Furthermore, the appropriate level of data protection is ensured elsewhere, in particular through standard contractual clauses approved by the EU.

We are responsible for collecting and transmitting the data to Outbrain. After transmission, they process the data on their own responsibility.

You can assert your rights as a data subject both with us and directly with Outbrain. If we receive a request concerning data processing by Outbrain, we will forward it to them.

You can revoke your consent at any time with future effect, by using our consent management tool. Outbrain also provides another opt-out option: https://my.outbrain.com/recommendations-settings/home

For more information on Outbrain's privacy policy, please visit: https://www.outbrain.com/privacy/

• Screen on Demand

We use tracking technologies from ScreenOnDemand ("SoD") GmbH and its technical partner dataXtrade GmbH, both located at Dachauer Straße 15c, 80335 Munich ("SoD"), on our website. SoD enables targeted advertising to be displayed on digital devices such as websites, apps, and smart TV services. A tracking pixel is used on our website to measure reach and interactions.

SoD uses this information to compile pseudonymous usage statistics and to optimize advertisements. We only receive aggregated evaluations that do not allow any conclusions to be drawn about individual persons.

Since the use of pixels involves accessing information on your device, processing is carried out exclusively on the basis of your consent in accordance with Section 25 (1) TDDDG and Article 6 (1) (a) GDPR.

We are responsible for collecting and transmitting the data to SoD. After transmission, they process the data on their own responsibility.

You can assert your rights as a data subject both with us and directly with SoD. If we receive a request concerning data processing by SoD, we will forward it to them.
SoD uses the technical service provider Online Solutions to provide its services. As things stand at present, there are no plans to transfer the data to other third parties or to third countries.

You can revoke your consent at any time with future effect, by using our consent management tool.

Further information on data protection at SoD can be found at: https://screenondemand.de/datenschutz-sod-produkte/#eins

• Seedtag

We use tracking technologies from SEEDTAG ADVERTISING, S.L., Calle Marqués de Valdeiglesias 6, 28004 Madrid, Spain ("Seedtag") on our websites. Seedtag offers advertising services based on the evaluation of pseudonymous usage data. A tracking pixel is used on our website to measure the effectiveness of advertisements and optimize campaigns.

Seedtag uses this information to measure conversions and optimize targeted advertising campaigns. We only receive aggregated evaluations that do not allow any conclusions to be drawn about individual persons.

Since information on your device is accessed for the use of the pixel, processing is carried out exclusively on the basis of your consent in accordance with Section 25 (1) TDDDG and Article 6 (1) (a) GDPR. 

We are responsible for collecting and transmitting the data to Seedtag. After transmission, they process the data on their own responsibility.

You can assert your rights as a data subject both with us and directly with Seedtag. If we receive a request concerning data processing by Seedtag, we will forward it to them.

Seedtag may also transfer personal data to countries outside the European Economic Area. Seedtag uses standard data protection clauses or other appropriate safeguards within the meaning of Article 46 et seq. GDPR to ensure an adequate level of data protection.

You can revoke your consent at any time with future effect, by using our consent management tool.

For more information on data processing by Seedtag, please refer to Seedtag's privacy policy: https://www.seedtag.com/privacy/

To conclude and calculate a contract for my chosen insurance, the controller stores and processes my data to create a personal customer profile in accordance with Article 6 (1) (b) GDPR. Personal data will not be passed on to third parties without a corresponding legal basis.

The controller stores and processes my data in accordance with Article 6 (1) (b) GDPR for the purpose of sending me a one-time offer for the insurance policy I have selected or for performing the service I have requested. Personal data will not be passed on to third parties without a corresponding legal basis.

 

for the Alte Leipziger companies Alte Leipziger Lebensversicherung a.G.   Alte Leipziger-Platz 1 61440 Oberursel tel. 06171 66-00 fax 06171 24434 service@alte-leipziger.de

for the Hallesche Hallesche Krankenversicherung a.G. Löffelstraße 34-38 70597 Stuttgart tel. 0711 6603-0 fax 0711 6603-333 service@hallesche.de for those interested in our supplementary health insurance, please visit gesundheitsbenefits@hallesche.de

For the purpose of booking appointments and contacting me by an employee, the controller processes the information I have provided on the basis of the consent given in accordance with Article 6 (1) (a) GDPR. Personal data will not be passed on to third parties without a corresponding legal basis. Consent to this processing remains valid until you revoke it. You can revoke this consent with future effect at any time without giving reasons, by calling 0711 6603-0 or by writing to Hallesche Krankenversicherung a.G., Löffelstr. 34-38, 70597 Stuttgart, by email to gesundheitsbenefits@hallesche.de or by using the cancellation links contained in the emails.

When we work with external service providers or partners, order processing takes place regularly on the basis of Article 28 GDPR. To this end, we enter into appropriate agreements with our partners to ensure the protection of your data. We only use carefully selected processors to process your data. We only commission external service providers who have ensured that all data processing operations are carried out in accordance with data protection regulations. They are bound by our instructions and are regularly monitored by us.

We conclude contracts for order processing in accordance with Article 28 GDPR for these service providers. Data processing is carried out exclusively within the scope of the purposes and security requirements specified by us and in accordance with our instructions, without any discretion.

In certain cases, we transfer data to external parties who process the data on their own responsibility and for their own purposes. This applies, in particular, to original insurance functions that we cannot perform ourselves for reasons of technical specialization or independence.

Such transfer is permissible if

• it is necessary to safeguard the legitimate interests of the insurance company (Article 6 (1) (f) GDPR) and
• there are no overriding interests of the person insured that warrant protection.

Insured persons may object to this data transfer in individual cases. We will then assess whether the interests of the data subject outweigh these interests. However, an objection may have an impact on the performance of the contract or the processing of claims.

In individual cases, we determine the purposes and means of processing jointly with another controller. The cooperation is governed by an agreement pursuant to Article 26 GDPR, which stipulates in particular:

• which party assumes which data protection obligations,
• who is responsible for fulfilling the rights of data subjects,
• how information obligations are fulfilled.

Data subjects may assert their rights (e.g., access, deletion) against any entity involved.

If the processing of personal data is based on consent, you have the right to revoke this consent at any time. As a result, we are no longer permitted to continue processing data based on this consent in the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

You have the right to request confirmation from us as to whether we are processing personal data relating to you. You can request confirmation at any time, using the contact details above.

If personal data is processed, you may request information about this personal data and the following information at any time:

1. the purposes of processing;
2. the categories of personal data that are processed;
3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. the existence of a right to rectification or deletion of personal data concerning you, or to restriction of processing by the controller, or a right to object to such processing;
6. the existence of a right of appeal to a supervisory authority;
7. if the personal data are not collected from the data subject, any available information on the source of the data;
8. the existence of automated decision-making, including profiling, pursuant to Article 22 (1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

If personal data is transferred to a third country or to an international organization, you have the right to be informed about the appropriate safeguards pursuant to Article 46 GDPR in connection with the transfer. We provide a copy of the personal data that is subject to processing. For any additional copies you request, we may charge a reasonable fee based on administrative costs. If you submit the application electronically, the information must be provided in a common electronic format, unless otherwise specified. The right to receive a copy pursuant to Article 15 (3) GDPR must not adversely affect the rights and freedoms of others.

You have the right to request that we correct any inaccurate personal data concerning you without delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

You have the right to request that we delete the relevant personal data without delay, and we are obliged to delete personal data without delay if one of the following reasons applies:

1. The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
2. The data subject withdraws their consent on which the processing was based in accordance with Article 6 (1)(a) or Article 9 (2) (a) of the GDPR, and there is no other legal basis for the processing.
3. The data subject objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR.
4. The personal data was processed unlawfully.
5. The deletion of personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
6. Personal data was collected in relation to the information society services offered in accordance with Article 8 (1) GDPR.

If we have made your personal data public and are obliged to delete it in accordance with paragraph 1, we will take appropriate measures to inform third parties who process the data on the basis of our publication that you have requested the deletion of the personal data or copies or replications of this personal data.

The right to deletion ("right to be forgotten") does not apply if processing is necessary:

• to exercise the right to freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health pursuant to Article 9 (2) (h) and (i) and Article 9 (3) GDPR;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the GDPR, insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
• to assert, exercise, or defend legal claims.

You have the right to request that we restrict the processing of your personal data if one of the following conditions applies:

• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
• the processing is unlawful and the data subject opposes the deletion of the personal data and requests the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims, or
• the data subject has objected to the processing pursuant to Article 21 (1) of the GDPR, as long as it is not yet clear whether the legitimate grounds of the controller override those of the data subject.

If processing has been restricted in accordance with the above conditions, such personal data shall, with the exception of storage, only be processed with the consent of the data subject or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If you have asserted your right to rectification, deletion, or restriction of processing against us, we are obliged to notify all recipients to whom your personal data has been disclosed of this rectification, deletion, or restriction of processing, unless this proves impossible or involves disproportionate effort.

You have the right to be informed about these recipients.

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, and you have the right to transmit this data to another controller without hindrance from us, provided that:

1. the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) or on a contract pursuant to Article 6 (1) (b) GDPR, and
2. processing is carried out using automated procedures.

When exercising your right to data portability pursuant to paragraph 1, you have the right to have the personal data transferred directly from us to another controller, where technically feasible. Exercising the right to data portability does not affect the right to deletion ("right to be forgotten"). This right does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

In accordance with Article 21 GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (e) or (f) GDPR. We no longer process personal data unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing serves to assert, exercise, or defend legal claims.

If personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also applies to profiling insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

In connection with the use of information society services, you may exercise your right to object by automated means using technical specifications, notwithstanding Directive 2002/58/EC.

You have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out for scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1), unless the processing is necessary for the performance of a task carried out for reasons of public interest.

You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to you infringes this Regulation, without prejudice to any other administrative or judicial remedy.

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

Contact details of the competent supervisory authority:

State Commissioner for Data Protection and Freedom of Information Baden‑Württemberg (LfDI BW)
35 Heilbronner Street  
70191 Stuttgart 
Phone: 0711 / 61 55 41-0 
Email: poststelle@lfdi.bwl.de

The Hessian Commissioner for Data Protection and Freedom of Information
1 Gustav-Stresemann-Ring
65189 Wiesbaden
Phone: 0611-1408 0
Email: poststelle@datenschutz.hessen.de