Records of processing activities (Art. 30 EU GDPR)

The General Data Protection Regulation (GDPR) requires that all responsible bodies shall maintain a record of all categories of processing activities under their responsibility. The records of processing activities include the following information:

1. Name and address of the responsible bodies
2. Managing Directors
3. Data Protection Officer
4. Purpose and legal basis of data collection, processing and use
5. Description of the groups of persons concerned and the related data or data categories
6. Recipients or categories of recipients to whom the data might be disclosed
7. Technical and organizational measures
8. Standard periods for deletion
9. Planned data transfer to third countries

1. Name and address of the responsible bodies

DR-WALTER GmbH
Eisenerzstr. 34
53819 Neunkirchen-Seelscheid
Germany

T +49 2247 9194-0
F +49 2247 9194-40
info@dr-walter.com
www.dr-walter.com

Commercial register: Siegburg HRB 4701
USt.-Id-Nr.: DE 212252105

DR-WALTER Versicherungsmakler GmbH
Eisenerzstr. 34
53819 Neunkirchen-Seelscheid
Germany

T +49 2247 9194-0
F +49 2247 9194-40
info@dr-walter.com
www.dr-walter.com

Commercial register: Siegburg HRB 14554
USt.-Id-Nr.: DE 314696745

2. Managing Directors of DR-WALTER

Dipl.-Kfm. Reinhard Bellinghausen (CEO)

Timo Dreger (COO)

3. Data Protection Officer (Art. 37 EU GDPR)

Sandra Karnstedt-Panienka

4. Purpose and legal basis of data collection, processing and use (Art. 5 EU GDPR)

Operation of insurance business; distributing, selling, managing and processing insurance contracts in Germany and abroad along with any related ancillary business. Data processing and storage of personal data for our own purposes and on behalf of the involved insurance companies.

The legal basis for the processing of personal data for contractual and pre-contractual purposes is Article 6 Paragraph 1 (b) of the EU General Data Protection Regulation (GDPR). Should this require specific personal data (e.g. health data), DR-WALTER will obtain consent in accordance with Article 9 Paragraph 2 (j) GDPR in connection with Section 27 Federal Data Protection Act (BDSG). Once given, consent can be withdrawn at any time in accordance with Article 21 GDPR.

5. Description of the groups of persons concerned and the related data or data categories

The data being collected, processed and used concern the following groups of individuals:

• prospective customer data (product interest, address data, anonymized IP addresses, clustered demographic and geographical data),
• customer data (address data, anonymisierte IP-Adressen, clustered demographic and geographical data, insurance contract data, insurance benefits data, bank data, expert data (if applicable), data on court cases and complaints),,
• data about doctors and clinical facilities; health data,
• employee data, applicant data, intermediary / broker / agency data (staff data about personnel administration, management and payroll accounting),
• data on business partners and agencies, intermediaries and brokers (address, billing and benefits data), if required to fulfill the purposes referred to under No. 4.

6. Recipients or categories of recipients to whom the data might be disclosed (Art. 28 EU GDPR)

• Internal units of DR-WALTER involved in the execution of the respective business processes.
• Public bodies receiving data in compliance with statutory requirements (e.g. social insurance agencies, financial authorities, courts, the Federal Financial Supervisory Authority (BaFin)).
• External contractors (insurance companies and service providers).
• Further external bodies such as credit institutions (insurance services and collection of premiums), brokers and insurance agencies in connection with intermediary services as well as central contact offices of the insurance associations.

7. Technical and organizational measures

This is an overview of the technical and organizational measures we have taken to protect your data.

1. Confidentiality

a. Physical access control

Physical access to data processing equipment, which is used to process or use personal data, shall be denied to unauthorized persons.

• There shall be permanent physical access control to the office buildings by colleagues sitting in the reception area. Physical access control to all other rooms is carried out by colleagues sitting in the wing of the building.
• Specified access rules allow employees to only access specific parts of the company’s premises.
• Access is denied at all times to unauthorized and external persons. Access can only be granted after explicit approval by an employee along with providing the reason for such access.
• There are security locks as well as a specific regulation for the provision of keys.
• The servers are located in locked rooms.
• Data backups on portable backup media (e.g. CD/DVD, tapes) are stored in access-controlled areas.
• Buildings and premises are protected by an alarm system, video surveillance, motion detectors and lighting..

REFERENCE TO THE RIGHTS OF THE DATA SUBJECTS REGARDING VIDEO SURVEILLANCE

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the contents of Article 15 GDPR.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and (if applicable) to have incomplete personal data completed (Article 16 GDPR).

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the grounds stipulated in Article 17 GDPR applies, e.g. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (right to erasure).

The data subject shall have the right to obtain from the controller restriction of processing where one of the requirements stipulated in Article 18 GDPR is met, e.g. when the data subject has objected to processing for a period enabling the controller to verify the accuracy of the personal data.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. The controller shall then no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims (Article 21 GDPR).

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR (Article 77 GDPR). The data subject can assert this right with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement.

The contact data of the responsible supervisory authority are:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Ms. Helga Block
Kavalleriestrasse 2 - 4
40213 Düsseldorf
Germany

T +49 211 38424-0
F +49 211 38424-10
E-Mail: poststelle@ldi.nrw.de

b. System access control

System access and therefore use of the data processing systems shall be denied to unauthorized persons.

• Individual login data such as user name and password are required to use the systems.
• A password policy is in place.
• System access authorizations that are no longer needed will be revoked promptly.
• Logs of all user logins are created.
• All workstation computers are protected by an antivirus software.
• The cleaning staff is selected with care and required by the employer to adhere to all data protection rules.

c. Data access control

Measures ensuring that persons authorized to use a data processing system can only access data covered by their data access permission and that no personal data can be read, copied, altered or removed by unauthorized persons while they are processed, used and after they were stored.

• Permission to read, copy, alter or delete data is only granted to persons entrusted with the task to collect, use and process this data within the framework of the agreed order processing. Clearly specified rules apply for granting data access permissions in this context that include a differentiated data access (read, alter, delete) and regulate data access on different levels.
• Lockable cabinets or drawers can be used to secure printed documents against unauthorized reading or access after an employee has left the workplace.
• A firewall protects your data against access from untrustworthy networks (e.g. the internet).
• These safety devices are regularly examined for their effectiveness.
• Printed documents and mobile data storage media are stored in lockable cabinets, cupboards or drawers ("clean desk" principle).

d. Data separation control

Measures ensuring that data collected for different purposes can be processed separately.

• A logical separation of data is carried out with regard to personal data of different principals (client principle).

2. Integrity

a. Transmission control

Measures ensuring that personal data cannot be read, copied, altered or removed during electronic transmission or during transport or storage on data carriers by unauthorized persons and that it can be checked and verified to whom a transmission of personal data through data transmission devices is intended.

• The use of external data carriers (USB sticks, external hard drives, CDs, DVDs) outside the protected company's premises is not permitted.
• Data destruction in accordance with data protection regulation is ensured. In case of paper documents, destruction is ensured by the use of a shredder in accordance with the required level of protection. Data carriers (e.g. defective hard discs) shall be physically destroyed.

b. Data input control

Measures ensuring that it can be subsequently checked and verified whether and by whom personal data were entered, altered or removed in/from data processing systems.

• Records are kept to ensure that it can be subsequently checked and verified whether and by whom personal data were entered, altered or removed in/from data processing systems.
• Records are also kept on administration activities.
• Write protection prevents overwriting of data.

3. Availability and robustness

a. Availability control

Measures ensuring that personal data are protected against accidental destruction or loss.

• If contractually agreed, data is protected against accidental destruction or loss.
• A backup and recovery concept is in place.
• Regular testing takes place to see whether it is possible to seamlessly restore data on the backups.
• Regular emergency drills are held where emergency situations (e.g. fires) are simulated and the restoration of data is practiced.

b. Immediate recoverability

Measures ensuring that personal data can be immediately recovered in case of a physical or technical incident.

• A concept for the recovery of operations after an emergency is in place.

4. Procedure for regular review, assessment and evaluation

a. Data protection management

• A data protection and security concept, which is reviewed at regular intervals, is in place.
• The data protection and security concept shall be adapted to changing conditions.

b. Order control

Measures ensuring that personal data, which is processed on order, can only be processed in accordance with the principal’s directives.

• The service description agreed on as the basis of the order processing between contractor and principal unequivocally determines the nature, extent and purpose of the data processing.
• All employees responsible for the execution of the order processing are informed about the range of services.
• Cloud solutions are applied, where applicable, for the agreed order processing. The computer centers used are located in the EU. All data communication via cloud is encrypted.
• The contractor has appointed a data protection officer.

8. Standard periods for deletion (Art. 17 EU GDPR))

Various record retention obligations and periods have been laid down by law. Upon expiry of these periods, the respective data is deleted as a matter of routine if it is no longer required for the performance of the contract. Where data is not affected by these regulations, it will be deleted once the purpose and objective specified under No. 4 have ceased to exist.

9. Planned data transfer to third countries (Art. 20 EU GDPR)

A data transfer to third countries will take place. (Google Analytics, https://www.google.de/policies/privacy/ (German))

If you have any questions or comments, please contact our Data Protection Officer directly: