Information on data protection in reinsurance

With this information, we inform you as an applicant, policyholder, insured person or, if applicable, as another data subject (e.g. injured party, beneficiary) of an insurer for which we act as reinsurer, about the processing of your personal data by Munich Reinsurance Company Hong Kong Branch (Parent Company: Münchener Rückversicherung Aktiengesellschaft in Munich) and the rights to which you are entitled under data protection law.

Who is responsible for processing your data?

Munich Reinsurance Company Hong Kong Branch
11/f, Fairmont House, 8 Cotton Tree Drive, Central, Hong Kong

Parent Company:
Münchener Rückversicherungs-Gesellschaft
Aktiengesellschaft in München (Munich Reinsurance Company)
Königinstrasse 107
80802 München, Germany

Hong Kong Contact:
Compliance Department
Tel: +852 2536 6316
Email: xlau@munichre.com

If you have any questions about this information, you can also contact our Compliance Department.

For what purposes, and on what legal grounds, are which data processed?

We process your personal data in compliance with the Hong Kong Personal Data (Privacy) Ordinance (hereafter referred as PDPO), and , as a Branch office of our Parent Company, the EU General Data Protection Regulation (GDPR) and any other applicable national provisions.

In order to be in a position to fulfil their obligations from the insurance relationships at any time, primary insurance companies can pass on part of their risks from the insurance contracts to reinsurers.

In the event that we are the reinsurer of the insurance company (primary insurer) with which you wish to conclude or have concluded an insurance contract, or with which you have claims from an insurance contract as an insured person, beneficiary or injured party, it is possible that we will receive your application, contract and/or claims data from this insurance company if this is necessary for the proper establishment, performance (including provision of benefits) or termination of the reinsurance contract. The same applies if we are called in by another reinsurer as co-reinsurer (retrocession).

For this purpose, we often only receive anonymised data from the insurance/reinsurance company. Insofar as anonymous data is not sufficient for the aforementioned purposes, we will receive the data from the insurance application or relationship as well as, if applicable, the data underlying a claim for benefits (e.g. insurance number, premium, type and amount of insurance cover and risk [including any risk loadings] as well as, if applicable, the causes of the claim for benefits) in pseudonymised form or potentially mentioning your name (in particular in the case of life insurance or high-sum personal injury).

As reinsurers, we only receive your personal data insofar as this is necessary for reinsurance purposes. This may be the case in the specific reinsurance relationship for the following reasons:

• In the case of high contract amounts or risks that are difficult to classify, we sometimes carry out the risk and benefit assessment ourselves.
• We need to support your insurer, in particular, in the assessment of risks and losses and in the evaluation of procedures.
• We receive lists showing the portfolio of contracts covered by the reinsurance. These lists are used to determine the scope of the reinsurance contracts, including checking whether and to what extent we are involved in one and the same risk (accumulation control), and for accounting purposes.
• We need to check our obligation to pay benefits vis-à-vis your insurer, or we check the risk and benefit assessment by the primary insurer, on a random basis or in an individual case.

We will only use this personal data for the aforementioned purposes and for purposes that are compatible with them (in particular to compile insurance-specific statistics, e.g. to develop new tariffs or fulfil supervisory requirements). We generally receive further data for the compilation of overarching insurance-specific statistics (e.g. on mortality) or for risk classifications in anonymised or – if required for the statistical purpose – pseudonymised form. In the case of anonymous data, there is no possibility of linking the information to your person; in the case of pseudonymous data, we receive the relevant information together with your contract or claim number, but not your name or any other information suitable for directly identifying you. As a rule, it is only possible for the insurance company that provides us with the data to associate these pseudonyms (e.g. the claim number) with your person.

The legal basis for the processing of your personal data is in line with PDPO and Art. 6(1)(b) of the GDPR, insofar as the reinsurance is necessary for the conclusion or fulfilment of your insurance contract with your insurer. If the reinsurance is carried out in order to ensure the fulfilment of your insurer’s obligations arising from its insurance relationships, the processing is based on the protection of legitimate interests pursuant to PDPO and Art. 6(1)(f) of the GDPR.

Insofar as special categories of personal data (e.g. your health data when concluding a life insurance contract and verification of an obligation to pay benefits by us) are required, your insurer will regularly obtain your consent in accordance with PDPO, and also for the benefit of the reinsurer, in accordance with the treaty / contract terms with your insurers. If we create statistics with these data categories, this will be done in accordance with PDPO and on the basis of Art. 9(2)(j) of the GDPR (e.g. in Germany in conjunction with Section 27 of the Federal Data Protection Act [BDSG]) or Art. 5(1)(b) in conjunction with Art. 6(4) of the GDPR. If we also collect and process special categories of personal data for the aforementioned purposes, which you have obviously made public yourself (e.g. in a press interview or on your publicly viewable user profile on a social network), this processing is based on PDPO and  Art. 9(2)(e) of the GDPR. If we collect and process other categories of personal data from other public sources (e.g. the internet, third-party databases and newspapers) as part of the verification of our obligation to provide benefits to your insurer, this processing is carried out on the basis of PDPO and of Art. 9(2)(f) of the GDPR.

We also process data to protect our further legitimate interests, or the interests of third parties (Art. 6(1)(f) of the GDPR). This can be necessary, for example,

• for the aforementioned purposes and for accumulation control in the Munich Re reinsurance group, especially in the case of particularly high life-insurance sums. This may also require us to collect data about you and other risk-relevant groups of people (e.g. the names of other team members in the case of insured professional athletes) from publicly accessible sources (e.g. the internet, third-party databases or newspapers) in order to be able to adequately assess our potential overall exposure in the event of individual loss events;
• to meet governmental requirements;
• or to ensure IT security and IT operations.

In addition, we process your personal data to comply with Hong Kong’s legal obligations such as supervisory requirements, document-retention obligations under commercial or tax law, or to compare your data with sanctions lists in order to comply with legal provisions on combating terrorism (e.g. Council Regulation [EC] 2580/2001). In such cases, the relevant Hong Kong legal regulations in conjunction with Art. 6(1)(c) of the GDPR form the legal basis for the processing.

If we wish to process your personal data for any other purposes than those mentioned above, we will inform you in advance in accordance with the statutory requirements.

Who do we receive your data from?

As a rule, your data will be passed on to us by the primary insurance company within the framework described above. In rare cases, we also receive data from other reinsurance companies if they do not wish to bear the risk alone. We only use publicly accessible sources in exceptional cases, especially in the event of major losses or accumulation control as described above.

To which categories of recipients do we forward your data?

External service providers:
In certain cases, we use external service providers to meet our contractual and legal duties. The categories of service providers can be found here: https://www.munichre.com/content/dam/munichre/contentlounge/website-pieces/documents/Dienstleisterliste_Datenschutzgrundverordnung_de_20180522.pdf

Companies in the Munich Re reinsurance group:
These receive data in individual cases insofar as this is necessary for accumulation control in the reinsurance group, in the case of particularly high life-insurance sums.

Additional recipients:
Some primary insurance companies and other reinsurers use intermediaries or service providers to initiate or manage reinsurance relationships with us. In these cases, your data that we process for the above purposes will be transferred between us and your primary insurer or between us and another reinsurer via such intermediaries or service providers.

In addition, we may transfer your personal data to other recipients in individual cases, such as to authorities for the fulfilment of statutory notification duties or to retrocessionaires, i.e. other reinsurers we use for further risk balancing.

How long will we store your data?

We will delete your personal data as soon as it is no longer required for the above-mentioned purposes. It is also possible that personal data may be saved for the period in which claims can be made against our Company (statutory limitation period of three or up to thirty years). Furthermore, we will store your personal data insofar as we are legally obliged to do so. Corresponding documentation or retention duties result, among other things, from the relevant Hong Kong and German legal provisions (e.g. the Commercial Code [HGB], the Fiscal Code [AO] and the Money Laundering Act [GwG] in Germany). The applicable statutory retention periods in this context are up to ten years.

How do we transmit data to countries outside Europe?

For Data Transfer outside of Hong Kong territory, we shall follow PDPO’s requirements.

If we need to transfer personal data to service providers outside the European Economic Area (EEA), we will do so only if the European Commission has confirmed that the respective country’s level of data protection is sufficient, or if data protection is otherwise sufficiently guaranteed (for example, through binding, in-house data protection provisions, or the European Commission’s standard contractual clauses). In rare exceptional cases, an adequate level of data protection may also be dispensable if the transmission would only be occasional and necessary to further secure your claims against your insurer.

The companies of the Munich Re reinsurance group have adopted binding internal rules on data protection (these are called the “Binding Corporate Rules”: https://www.munichre.com/content/dam/munichre/global/content-pieces/documents/Binding-Corporate-Rules-en.pdf). Appropriate data protection guarantees are thus in place worldwide at those group companies. You can request detailed information on this as well as on the level of data protection of our service providers in third countries using the contact details provided above.

What data protection rights do you have?

In addition to your right to object, you have a right to information, a right to rectify or erase data under certain conditions, as well as a right to restrict data processing. Upon request, we will make the data that you provided available in a structured, accessible and machine-readable format. You can revoke your consent at any time; this does not affect the lawfulness of the processing carried out on the basis of the consent until revocation. Please contact the Compliance Department contact above if you wish to exercise these rights.

Right to object
If we process your data for the purposes of protecting legitimate interests, you may object to this processing on grounds relating to your particular situation.

Would you like to file a complaint about how your data is being handled?

You may contact the Compliance Department contact as mentioned above or the Hong Kong data protection authority if necessary. The website is www.pcpd.org.hk.