A Privacy Guidelines

HABEKO Pensions & Benefits GmbH
Stahltwiete 21 | 22761 Hamburg
Germany

T +49 40 180 740 – 0
F +49 40 180 740 – 24
E info@pensions-benefits.de
www.pensions-benefits.de


If you have any questions about the protection of your data, you can get information from our management. You can reach us using the aforementioned contact details. You have the right to lodge a complaint with the supervisory authority in the federal state in which the company is based. For our company, this is:

The Hamburg Commissioner for Data Protection and Freedom of Information

Prof. Dr. Johannes Caspar
Ludwig-Erhard-Str 22
20459 Hamburg

Tel. 040 428 54 – 4040
Fax 040 4279 – 11 811

www.datenschutz-hamburg.de

In the appendix to this policy you will find an overview of the business partners and insurers with whom we usually work. Data is transmitted to them to fulfill our order or legal obligations.

1. Scope

This guideline regulates data protection-compliant information processing and the corresponding responsibilities at the above-mentioned company (and its branch(es)) on the basis of the legal regulations of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG new). All employees are obliged to comply with this policy. It is aimed in particular at: employees, customers and interested parties, insurers and service providers.

The following principles apply here:

• Protection of personal rights
• Purpose limitation of personal data
• Transparency
• Data avoidance and data economy
• Factual correctness/up-to-dateness of the data
• Confidentiality in data processing
• Security in data processing
• Deletion and restriction of the processing of data on request

2. Definitions of Terms (Art. 4 DS-GVO)

Personal data are individual details about personal or factual circumstances of a natural person (data subject). Examples: last name, first name, birthday, address data, contract data, e-mail content. Special personal data is information about racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, health or sex life, and economic circumstances. The responsible body is any person or body that collects, processes or uses personal data for itself or has this done by others on its behalf.

3. Collection, processing and storage of personal data (Art. 5 + 6 DS-GVO)

The collection, processing and storage of personal data in our company is based on the broker order we use and the applicable documents (e.g. broker power of attorney, consent to data processing, which are signed separately). Without a specific order and a declaration of consent under data protection law by our customers, we will not take action (in the case of children and young people, the consent is given by the legal guardian). We document our activities extensively via our broker management program and provide specific procedural instructions for the execution of our orders. Profiling does not take place in our company. The data is processed exclusively for the agreed purposes.

After termination of the brokerage contract, the data of our customers will be deleted in accordance with the statutory provisions, in particular the provisions on statutory retention periods. The deadlines can be extended accordingly for the defense of possible legal claims. The restriction of processing takes the place of deletion.

4. Commitment to Confidentiality

All employees are obliged to maintain confidentiality and to comply with the work instructions and this policy when they start their work. The commitment is renewed annually.

5. Processing overviews (Art. 30 DS-GVO)

By means of internal process overviews (list of processing activities), we create transparency within the company and check whether our processes pose any particular risks for the rights and freedoms of those affected and are therefore subject to a prior check/data protection impact assessment. There is an obligation to keep these overviews for inspection by the authorities.

6. Procurement of hardware and software

All hardware required for our work processes (computers, screens, keyboard, mouse and peripheral devices such as scanners or printers) is controlled according to internal guidelines. The computers are already configured for the employees and equipped with the appropriate programs that we use as standard. Additional software may only be installed in consultation with the management.

7. Password Policy

In order to make access to our systems secure, individual authentication is necessary. Internal regulations have been made for this, to which all those involved must adhere.

8. Technical and organizational measures

We take all possible technical and organizational measures that are suitable according to the current state of technology to prevent unauthorized persons from accessing the personal data stored by us. We keep separate records to document the security requirements of data processing. Transmission to third countries is not currently planned.

9. Rights of data subjects (Art. 12-23 DS-GVO)

The person concerned can request information about which personal data of which origin is stored about him and for what purpose. If further rights of inspection of the employer's documents (e.g. personnel files) are provided for in the employment relationship according to the applicable labor law, these remain unaffected. If personal data is transmitted to third parties, information must also be provided about the identity of the recipient or about the categories of recipients. If personal data is incorrect or incomplete, the person concerned can request that it be corrected or supplemented.

The person concerned can object to the processing of their personal data for advertising or market and opinion research purposes. For these purposes, the data must be restricted (blocked) for processing. The person concerned is entitled to request the deletion of his data if the legal basis for the processing of the data is missing or has ceased to exist.

The same applies in the event that the purpose of data processing no longer applies due to the passage of time or for other reasons. Existing retention requirements and interests worthy of protection that conflict with deletion must be observed. The data subject has a fundamental right to object to the processing of his data with effect for the future, which must be taken into account if his interests worthy of protection outweigh the interest in processing due to a special personal situation. This does not apply if there is a legal obligation to carry out the processing. The data subject has a right to data portability.

This means the right to receive personal data in a structured, commonly used and machine-readable format. The freedoms and rights of other people must not be impaired by this. The person concerned has a right of appeal to the supervisory authority in whose federal state the company is based. The contact details can be found at the beginning of the description of our data protection organization.

10. “Data Breach” Procedure (Art. 33 DS-GVO)

Every employee should report violations of this data protection guideline or other regulations for the protection of personal data (data protection incidents) to their respective supervisor, management or the DPO without delay. The responsible manager is obliged to inform the DPO immediately about data protection incidents. In cases of unlawful transmission of personal data to third parties, unlawful access by third parties to personal data, or loss of personal data, the reports provided for in the company must be made immediately so that existing obligations under national law to report data protection incidents can be fulfilled.

B Declaration on the protection of your data when visiting our website

1. Forms

You can use the contact form on our website to contact us electronically. If you enter your personal data such as name, date of birth, address, bank details or other data in a form, e.g. to prepare an offer or report damage, these will be stored by us and processed exclusively for these purposes. We knowingly collect personal data about minors only for legal guardians and only if and to the extent that personal processing and use is necessary to fulfill a contractual relationship.

2. Incorporation and Use of Third-Party Content

Content from third parties, in particular offer programs, comparison calculators and product offers, e.g. from insurers, may be incorporated. This content can appear in the design of our website. The data protection declarations of the third party, which are linked at the appropriate point or can be seen on the website of the third party, apply to this content.

3. Server Log Data

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us.

These are:

• Browser type and browser version
• Operating system used
• Referrer URL
• Host name of the accessing computer
• Time of server request
• IP address

This data is not merged with other data sources. The basis for data processing is Art. 6 (1) lit. f GDPR, which permits the processing of data to fulfill a contract or pre-contractual measures.

C Declaration of consent to data processing and contact

In order to be able to work for you, we must collect and store data from you and pass it on to third parties. We do this, for example, when we record your risk situation and pass this data on to various insurers in order to receive suitable offers for you. We also use so-called broker service providers for this purpose. It is often also necessary for us to request data relating to you from third parties.

These are primarily insurers, but data from doctors, tax consultants or lawyers and credit bureaus may also be required when handling claims. You can grant these consents individually and revoke them at any time with effect for the future. Please note that we may then no longer be able to work for you. For more information, please see our privacy policy with the list of business partners.

Consent to collect and request data

You agree that we collect data from you and request it from third parties. If we request health data from doctors, we will inform you beforehand.

Consent to store and process data

You agree that we store and process the collected and requested data to the required extent or have them stored and processed by authorized third parties.

Consent to Share Data

You agree that we pass on data to third parties as part of our brokerage activities. Third parties here are, for example, insurers, brokerage service providers, workshops, appraisers or other service providers. You can find an overview of potential recipients in the business partner overview. On request, you will of course also receive information as to who we have actually transmitted data concerning you to.

Consent to be contacted

Customer information is part of our work. You have used the option of contacting us electronically via the forms and are expecting a response to your request, for which we will use the contact details provided. Therefore, we need your consent to be able to carry out our activities.

D Changes within the Privacy Policy

We reserve the right to adapt the data protection guidelines if necessary so that they comply with current legal and technical requirements. These then apply when you visit again. We indicate a change with the revision status.

E Attachment

• List of business partners
• List of insurers