Data Privacy Statement of Munich Re PCC Limited – Savings & Investments Cell
Version: August 2019
We, Munich Re PCC Limited, a cell company formed in accordance with the provisions of the Companies Act (Cell Companies Carrying on Business of Insurance) Regulations (Subsidiary Legislation 386.10 of the Laws of Malta), having Company Registration Number C 81097, appearing hereon on our own behalf and in respect of the Savings & Investments Cell and having its registered office at Level 4, Whitehall Mansions, Ta' Xbiex Seafront, Ta' Xbiex, Malta, are incorporated and existing under the laws of Malta and under such laws we are licensed to conduct insurance and reinsurance business.
We thank you for your interest in our Garden Mobile Application (hereinafter "Mobile App") and our Garden website (www.getgarden.de, hereinafter "Website"). Our Mobile App and Website contain information about, and offers for, our various financial products, in particular life insurances.
This Data Privacy Statement explains how, when, for what purposes and for how long we collect, store, process, transfer and use personal data relating to you and what corresponding rights you have. We are committed to ensuring the protection of all personal data that we hold and to fulfilling our responsibilities and obligations under applicable data protection legislation and regulation, in particular the European General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter "GDPR") and the Data Protection Act (Cap. 586 of the Laws of Malta) as amended.
The Mobile App and Website are not intended for children, and we do not knowingly collect data relating to children.
1 General Information
1.1 Controller and Data Protection Officer
The following entity is the data controller and responsible for your personal data:
Munich Re PCC Ltd.
Level 4, Whitehall Mansions, Ta' Xbiex Seafront, Ta' Xbiex, XBX 1026, Malta
You can contact our data protection officer by using the following contact details:
Münchener Rückversicherungs-Gesellschaft AG
Aktiengesellschaft in München
Telephone: +49 (89) 39 91-0
Telefax: +49 (89) 39 90 56
1.2 Your Duty to Inform Us of Changes
It is imperative that the personal data we hold about you is accurate and current at all times. Please keep us informed if your personal data changes during your relationship with us.
1.3 Definition of Personal Data
Personal data means any information concerning an identified or identifiable natural person ("data subject"). This includes, for example, information like your name, e-mail address, postal address, telephone number or information that may be used to identify you, such as an online ID or other special features, provided that the information is in each case attributable to you. Other information that is not directly related/linked to you and cannot be related/linked to your identity, such as aggregated data or anonymised data does not fall under this category.
2 What Data are Processed
You are not required to provide personal data when using the Mobile App or browsing our Website. There are, however, services with regard to which we need your personal data, for example, in order to conclude a contract with you or to send you information on a contract or other contractually relevant information. Without these data, the desired services cannot be rendered.
Based on information you have provided we render a personalised risk analysis in order to assess which financial products to offer you. For example, certain data you have entered and topics you are most interested in will be analysed by us in order to assess which of our products and services suit you best, now and in the future.
2.1 Personal Data Collected When Using the Mobile App and Website
If you make use of the Mobile App or Website to purchase our insurance products and services, we will ask you for personal data and store and process such data which is necessary for us to be able to provide the services which you request. These data include, for example: your name, e-mail address, mobile telephone number, date of birth, place of birth, gender, postal address, passport information (in accordance with applicable law) and potentially a photograph for verification via video (see Online Identity Verification below), and payment information (such as bank account information). We will protect and store these personal data in accordance with applicable law and prevailing market standards.
2.2 Personal Data Collected during Online Identity Verification
In the course of an online identity verification we collect, process and store the following personal data: your full name, place of birth, date of birth, nationality, gender, registered address and mobile phone number. In order to verify your identity, we are obliged to cross-check the information provided by you with your national ID card or passport.
In accordance with our legal obligations under applicable anti-money laundering legislation and regulations, we are further obliged to collect, process and store the type of document you have used to verify your identity, the national ID/passport number and the issuing authority. For this purpose, we will store a copy (e.g. screenshot) of your national ID card or passport. We are also under a legal obligation to store all data collected within the online identity verification process for at least five years due to statutory retention periods.
2.3 Personal Data and Third Party App Stores
3 Legal Basis and Purposes for Which We Process Your Personal Data
We process your personal data in compliance with the provisions of the GDPR and all other applicable data protection laws.
The specific legal basis for the data processing depends on the context within which and the purpose for which we receive your data.
As a rule, your personal data are collected and processed for the purposes of performing the contract concluded with you, which is concluded upon your acceptance of our Terms and Conditions and the use of our services. This also includes communicating with you and sending you the requested information in relation to the services you request.
In particular, we will use the personal data to understand your risk profile and your monetary goals so that we can give you tailored recommendations in order to fulfil our contractual obligations with you and provide the services you request.
As indicated in Section 2.2 above, we may also need to collect personal data in order to comply with our legal obligations. In particular, we are obliged to collect identification verification documentation in compliance with our applicable anti-money-laundering and identification (KYC – Know Your Customer) legal obligations.
In limited circumstances, we shall request your consent in order to be able to process your personal data. In particular, we shall request your consent in order to use your name and contact details in order to send you marketing information.
Any further collection, storage, processing, transfer or use of your personal data is subject to a separate consent (unless it is permitted or required by applicable law). If you have expressly given us your consent to e-mail advertising, its content will correspond with the following declaration of consent:
Permission for E-Mail Advertising
"I agree to receive personalised information about Garden via e-mail on a regular basis (I can unsubscribe at any time)"
We will record any consent declaration according to the statutory requirements and make them available to you at any time. You may revoke your consent(s) at any time with effect for the future. In such a case, processing that has been carried out before the revocation will, however, remain lawful.
3.1 Push Notifications/In-App Messages
In order to provide you with the most efficient service in furtherance of our contract with you and with your consent, we might send you push notifications or in-app messages to inform you about our products and services; you may deactivate such notifications or in-app messages in the respective settings of your mobile device at any time.
3.2 Google Analytics for Firebase
For the above-defined purposes, we create pseudonymised user profiles using third-party services. Please see below for further information on the transfer of your data. Only the Mobile App (but not our Website) uses Google Analytics for Firebase ("Google Analytics"), a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"), which compiles user profiles by using pseudonyms. These user profiles are used to analyse user behaviour and are employed pursuant to Article 6 (1) sentence 1f) GDPR in order to improve and personalise the design of our offers. The information generated by the tracking code about your user behaviour in the Mobile App (including your IP address) is transferred to and stored on a server operated by Google in Ireland. In individual cases, personal data may also be transferred to Google LLC in the USA, over which we have no control. Google LLC is registered under the terms of the EU-US Privacy Shield Agreement, which guarantees compliance with European data protection laws ( https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active ).
By activating the IP anonymisation function of Google Analytics, the IP address will be abbreviated by Google within the member states of the European Union or in other states that are a party to the Agreement on the EEA. Only in exceptional cases will the entire IP address be transmitted to the Google server in Ireland and will be abbreviated there. The IP anonymisation function is active in our Mobile App. On our behalf, Google will use the collected information to analyse user behaviour in the Mobile App, compile reports on user activities and perform other services with regard to the use of the Mobile App and the internet. The IP address submitted by your device to Google Analytics will not be combined with other data by Google. After the processing purpose has ceased to exist and we have stopped using Google Analytics, the data collected in this connection will be deleted. In all other respects, we have pre-set the settings via Google Analytics so that your data will be automatically deleted after 26 months, and we have disabled the option "Reset on new activity".
Opt Out for Mobile App: You may refuse the use of Google Analytics within the Mobile App by selecting the appropriate settings within your mobile device (see under More/ Marketing & Analytics). Furthermore, you may prevent the collection of the data related to the use of our Mobile App (including your IP address) by Google as well as the processing of such data by Google by disabling Google Analytics within the settings of the Mobile App (see above). However, if you do so, please note that you may not be able to use the full functionality of the Mobile App.
You can find further information regarding the conditions of use and data protection relating to Google Analytics under https://firebase.google.com/terms/analytics/ or https://firebase.google.com/policies/analytics/.
3.3 Facebook Analytics SDK
Within our Mobile App (but not within our Website) we also use the Software Development Kit (SDK) of Facebook Inc., Menlo Park, California, USA ("Facebook"). By integrating the Facebook SDK, we can link various Facebook services to our Mobile App and analyse the use of our Mobile App. For more information on Facebook Analytics SDK for iOS, visit https://developers.facebook.com/docs/ios and for Android, visit https://developers.facebook.com/docs/ios .
When using our Mobile App (but not when browsing our Website), personal data is transferred to Facebook. Facebook is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law ( https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active ).
For more information about your privacy on Facebook, please visit https://www.facebook.com/privacy/explanation .
We have a legitimate interest in the user analysis of our Mobile App. Legal basis for the processing is Article 6 (1) sentence 1f) GDPR. In the settings of our Mobile App you can object to the use of Facebook Analytics SDK for the mentioned purposes at any time (see under More/ Marketing & Analytics).
4 Transfer of Personal Data to and Processing by Third Parties (including Service Providers)
We may need to share personal data with certain authorities, governmental and regulatory bodies, as well as court and police authorities.
We may need to share your data with local agents or other service suppliers (in their capacity as data processors) which is necessary for us to provide the services you request.
To this end, we may transfer your personal data to third parties involved in the execution of the transaction (e.g., payment service providers). In order to process payments effected over our Mobile App we may need to transfer your personal data to credit and financial institutions in order to effect such transactions. Such service providers may also act as data controllers in their own right and to this end, you are encouraged to read their privacy policies and similar data protection notices in order to learn more about how such third parties may process your personal data.
If in the course of any commissioned data processing on our behalf, personal data are processed by customer support and IT service providers or other service providers, such service providers will also have to comply with the GDPR, the Data Protection Act (Cap. 586 of the Laws of Malta) and any applicable laws.
We transfer personal data to Münchener Rückversicherungs-Gesellschaft AG, Königinstraße 107, 80802 Munich, which processes the data on our behalf for the purposes of implementing and administering policies and transfers the data to the following service providers (as sub-contractors) for the following purposes:
- Amazon Web Services Inc., 410 Terry Avenue North, Seattle WA 98109, United States, for the purpose of storing personal data on servers in Europe;
- Auth0 Inc., 10 authzeros, Siena Court, The Broadway, Maidenhead SL6 1NJ, United Kingdom, for the purpose of storing your log-in e-mail address and encrypted passwords in Europe to ensure the integrity and reliability of the systems and services;
- On Service GmbH, Stresemannstraße 23, 22769 Hamburg, as service provider for our customer support for the purpose of providing contract administration and customer support services on our behalf;
- Mongo DB Inc, Potsdamer Platz, Stresemannstraße 123, 10963 Berlin, for the purpose of providing database services and the encryption of data;
- Beltios GmbH, Sonnenstraße 27, 80331 Munich, for the purpose of administering our contracts;
- Thetaris GmbH, Leopoldstraße 244, 80807 Munich, for the purpose of providing technical support for the Mobile App, Website and the contract administration system.
Furthermore, we transfer personal data to Willis Towers Watson Management (Malta) Limited, Development House, St. Anne Street, Floriana, FRN 9010, Malta, which assists us in managing the company in Malta in terms of accounting, supervisory and other issues.
Any data transfer to and data access/processing by such service providers is covered by data processing agreements pursuant to Article 28 GDPR that ensure processing on our behalf in compliance with applicable data protection law.
5 Data Security
During transmission your personal data are encrypted by means of SSL. We protect our data received via the Mobile App or Website and other systems by technical and organisational means against loss, destruction, unauthorised access, modification and distribution of your personal data. We store personal data collected for different purposes separately.
6 Information You Provide About Other Parties
Where you submit personal data to us and any additional information relating to other parties, we rely on you to have first obtained appropriate consents for the transfer and processing of such data and information to or by us and third parties acting on our behalf.
You must not submit such data and information to us unless you have obtained the appropriate permissions and consents.
7 How Long We Store Your Data
We delete your personal data as soon as they are no longer required for the above-mentioned purposes and legal duties regarding evidence and retention. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By and large, retention of most data shall not exceed the period of six (6) years from the date of termination or completion of the Services. This period of retention enables us to use the data for the defence of possible future legal claims (taking into account the applicable prescriptive period at law, plus a slight grace period past the expiry of prescription). In certain cases, we may retain your data for a period which will not exceed eleven (11) years from the date of termination or completion of the Services. This will be retained in order to comply with applicable accounting and tax laws and to be able to fulfil the corresponding conditions.
If you disable your user account, your personal data will be blocked and can no longer be used; after expiry of the retention periods applicable under tax and commercial laws, your personal data will be deleted unless you have explicitly consented to continued use of your personal data or continued storage is required or permitted by law.
8 Your Rights
You have the right to:
- Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction or rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected and/or updated, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where:
  - there is no good reason for us continuing to process it;
  - you have successfully exercised your right to object to processing (see below);
  - we may have processed your information unlawfully; or
  - we are required to erase your personal data to comply with local law.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
  In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
  - if you want us to establish the data's accuracy;
  - where our use of the data is unlawful but you do not want us to erase it;
  - where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
  - you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer (data portability) of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. Withdrawal of consent may, however, affect or impair the possibility of us providing you with the Services. We will advise you if this is the case at the time you withdraw your consent.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You have the right to lodge a complaint at any time to the competent supervisory authority in your jurisdiction on data protection matters. You can find the contact details of the European supervisory authorities on the following link: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm .
Please contact us at any time using the contact details stated at the beginning of this data privacy statement should you have any questions regarding the collection, processing or use of your data or any queries regarding further information and the exercise of your rights.