Privacy Statement

ASR Nederland N.V. and its brands handle your personal data with due care. In doing so, we comply with applicable (privacy) legislation and codes of conduct that further specify this across the sector. All our employees have taken an oath or have made a solemn affirmation to act with integrity and reliably. This also includes: keeping confidential what has been entrusted to them.

When do we process your personal data?
This privacy statement applies to all your personal data that the brands of ASR Nederland N.V. process when you are a customer, when you visit our websites, when you use our apps or the 'Mijn a.s.r.-platform', or when you contact our customer service desk. This statement also applies to other situations, for example if you have applied for a product but have not become a customer. Or if your employer has taken out pension insurance or disability insurance for you with us. Or if you are a beneficiary or have been involved in a claim as a witness or an injured party. Or if your partner takes out a mortage with a.s.r. and you will also be living in the house.

If you are a customer with us, we will use your bank account number to make payments and collect the amounts due (contribution, fee, periodic deposit or interest). In addition, we may have access to your income details if this is necessary for one or more of our financial products.

For some products or services we will need additional information from you, for example your car registration in case of a car insurance or your profession in case of an income protection insurance policy or mortgage. We need these data in order to provide services to you or to assess the risk, determine the conditions or evaluate possible claims. In addition to the name and address details and the financial data, we may also ask for your gender and date of birth if this is necessary for our services. 

In order to accept or implement our insurance policies (which also include the handling of personal injury claims) and other (financial) services, in certain cases we will need information about your health. Occasionally we may need information from your physician. If we need information from your physician, we will always ask for your prior consent. With regard to health data, these are only shared with the medical service.

Life insurance
We ask health questions when we receive applications for our funeral insurance. These are shared with an a.s.r. medical adviser via a secure environment, so that we can assess whether we can insure the risk. 

Group income protection insurance schemes
For group income protection insurance schemes, we process limited health data, such as sickness reports, notifications of recovery or to what extent you are unfit for work. We receive these data from you, your employer, the working conditions service or the UWV (Employee Insurance Agency).

If we support you and your employer in reintegration, our reintegration staff can also process information about your limitations and capabilities, so that we can help you return to work in a responsible way.

Personal injury
In order to assess and handle a personal injury claim, we will process your health data. We may share your data with other parties, such as personal injury firms. Our employees will only process healthcare data they need to carry out their tasks.

Only the medical adviser is allowed to process your health data for the purpose of preparing medical advice. To this end, the medical adviser can request additional health data from you. The medical adviser will only collect health data from you from other sources with your explicit consent, if necessary with authorisation.

Are you dealing with a personal injury claim, for example? You will then receive a separate brochure containing an explanation of the use of your (health) data.

Private disability or private and business accident insurance and travel insurance with accident cover
The medical adviser plays a central role in assessing health in connection with the conclusion of an insurance policy or a claim for benefits due to disability or an accident. If the medical adviser considers it necessary for the assessment of your application of for the assessment of your disability to request health data from others, such as your GP or treating specialist, for the assessment of your application or for the assessment of your disability, he/she will always ask you for your prior consent. The authorisation with which you give this consent states which health data the medical adviser wishes to request and from whom.

By signing the authorisation, you give your consent. The medical adviser is responsible for retaining your health data. When processing health data, we comply with the Code of Conduct for the Processing of Personal Data by Insurers. When processing health data, the medical adviser complies with the Professional Code for Medical Advisers working in Private Insurance cases and/or Perzonal injury cases.

Pension insurance
For group pension insurance, we do not process health data, except for disability cover or if you change your mind about a previously made choice. For example, if you have chosen earlier not to participate in the Anw (Surviving Dependants Act) scheme with us, offered by your employer and at a later date wish to participate nonetheless, we may require health warranties from you.

Health insurance
For the application of your basic insurance, we do not need any health data from you in order to take out this insurance. We do not use risk selection for acceptance, as the basic insurance is subject to a statutory acceptance obligation. The government determines which cover is included in the basic insurance. If you apply for supplementary insurance with us, we may request health data from you in order to assess your application. In the case of supplementary insurance, we are free to decide whether or not to accept your application on the basis of risk selection.

As a health insurance company, we are allowed to process data about your health, to the extent necessary for the implementation of the basic insurance, the supplementary health insurance or Wlz (Long-Term Care Act) insurance. The processing of your health data takes place only within a specially separated unit (functional unit), under the responsibility of our medical adviser. This is a BIG-registered medical specialist. When processing health data, we comply with the Code of Conduct for the Processing of Personal Data by Health Insurers.

We process data about the contact you have had with us in order to be able to see:

We may also automatically convert recorded telephone conversations into text, which will then be used after analysis to improve the quality of our services.

We keep recorded calls no longer than necessary. The retention period varies depending on the purpose for which a conversation was recorded. If a call has been recorded and is still available, in the event of a dispute about the content of the recorded call, you have the right to listen to the call or receive a transcription of it.

In the course of our business services we also process personal data like names of contact persons, shareholders or UBOs (ultimate beneficial owner) of a company. Under the Money Laundering and Terrorist Financing (Prevention) Act and sanction regulations, we must identify the UBOs of our business customers and suppliers.

We use your personal data, among other things, to contact you in order to check whether you can become or remain a customer with us, to consult with you about the products or services that you purchase from us, to implement changes in your personal data or to provide you with (financial) insight and perspective for action via the platform 'Ik denk vooruit' (I think ahead).

We may use your data to manage your products - or the products of your employer, such as absenteeism insurance policies - and to settle (expense) claims and complaints or to receive, pass on and have your order executed.

We are happy to keep you informed. For example through emails, newsletters, offers on our website or via social media. Or with personalised ads on apps and websites of other parties and social media. For this, too, we use your personal data.

We can do this by:

We also use your personal data to improve our products and services and to tailor our range of products to your wishes and needs.

We do this by combining and analysing them. These analyses bring us new ideas and better solutions. Based on these analyses, we may for example:

When tracing fraud, abuse and improper use, we also record personal data. To this end, we may exchange data within a.s.r., with other financial institutions or with external research agencies. In doing so, we comply with the Insurers and Crime Protocol and the Financial Institutions Incident Warning System Protocol (PIFI). Among those involved in the PIFI are:

If a personal investigation in connection with insurance is involved, we follow the rules of the Code of Conduct for Personal Investigations.

Events administration
To safeguard the security and integrity of the various labels within a.s.r., we use a Central Events Administration. This database stores (personal) data that require our special attention in connection with certain events. Data from the Central Events Administration can only be accessed through our Security Department, Special Affairs Department or other authorised staff.

We handle your personal data with due care. We have put in place technical and organisational measures to guarantee an adequate protection protect level and to protect your personal data against loss or unlawful processing. We pay great attention to the optimal security of our systems in which personal data are stored. For example, measures to use our websites and IT systems safely and avoid abuse. But also protection of physical spaces where personal data are stored. We monitor the security of our data traffic 24 hours a day. We have an information security policy in place and arrange training programmes of our staff in the area of personal data protection.

Only authorised employees, who should have access to your data, can view and process your data. All our employees have taken an oath or have made a solemn affirmation in which they have promised or stated that they will comply with the legislation and regulations and codes of conduct and will act ethically. In certain cases (e.g. access to sensitive personal data), employees must first sign an additional confidentiality agreement before being granted access.

We do not store your personal data longer than necessary. In certain cases the law provides how long we may or must store data. In other cases, we have determined on the basis of legislation and regulations how long we need your data. We have drawn up an extensive retention period policy for this.

Policy/customer files for example are stored for at least 7 years after the relationship with a.s.r. has ended. For more information on the specific retention periods, please contact us.

We only provide personal data to third parties if this is permitted by the law and necessary for a.s.r.’s business operations.

Are you a customer of one of our brands or entitities that come under ASR Nederland N.V.? In that case we may exchange your personal data with one of the other entities or brands of ASR Nederland N.V. We do this, for example, for administrative reasons, to ensure a reponsible acceptance policy or to prevent and combat fraud. In addition, we exchange personal data between the various departments of ASR Nederland N.V., for example for the processing of your application or to obtain an overview of the products and services supplied to you. This allows us to provide you with a better service; for example, you only have to pass on a change of address once.

You may receive offers for other products of the entities and brands that come under ASR Nederland N.V. If you do not want any offers for other products, you can indicate this. If you have an adviser, you will usually receive messages from us in consultation with your adviser (see also c).

Your personal data are stored in a.s.r.'s central customer administration. This is done for internal administrative purposes, including the matching of your data. This means that we check whether the same data about you are used in the various business units. It is important to check that we have the right information about you. By matching data, we can work more efficiently and provide you with a better service.

Sometimes we are statutorily required to pass on certain personal data to the authorities. For example the Tax and Customs Administration, the Employee Insurance Agency, the police, the judiciary, or regulators such as the Dutch Central Bank, The Netherlands Authority for the Financial Markets (AFM) and the Dutch Data Protection Authority.

We engage other companies to perform services for us relating to our services. For example a debt-collection agency, a loss adjustment firm, a working conditions service or a reinsurer. We also share your data with the Emergency Centre as the executor of (breakdown) assistance. If you have taken out a legal expenses insurance with a.s.r., we will share your data with DAS as the provider of the legal assistance. When you take out a health insurance policy with a.s.r., we will share your personal data, but no special category personal data (such as health data), with Zorgdomein, to promote referral flows by healthcare providers to other healthcare providers. With all parties, we lay down agreements to safeguard your privacy.

We may also outsource the processing of personal data for maintenance and support functions to third parties, for example (IT) service providers. In most cases, these (IT) service providers are to be considered as processors because they do not have independent control of the personal data that a.s.r. makes available to the IT service provider in the context of the services. In these situations, ASR Nederland N.V. remains responsible for the careful processing of your personal data.

In connection with business transactions and business operations, as explained under 5.f., we may share personal data with third parties. This may include parties that are themselves involved in the business transactions and business operations, such as (potential) buyers of assets or an opposing party in legal proceedings. But it may also include professional advisors to those parties or, for example, a bailiff, if this is necessary for the business transaction or business operations.

To ensure a sound acceptance and risk policy and to prevent fraud, we record your personal data in and consult the Central Information System of the CIS Foundation in The Hague. In this register we record, among other things, your claims. In doing so, we adhere to the rules of the CIS user protocol. With the insurers affiliated with the CIS Foundation we may, under strict conditions, exchange information. We consult this register in the acceptance process and in the event of a claim notification. More information on this and the privacy regulations of CIS can be found on the website of the CIS Foundation.

Financial institutions may record in an Incidents Register the conduct of persons or legal entities that has led or may lead to prejudicing financial institutions. An External Reference Index is linked to this Incidents Register. This External Reference Index only contains referral data (e.g. a name and date of birth or Chamber of Commerce number) to the Incidents Register that may be included under strict conditions in accordance with the Protocol on the Financial Institutions Incident Warning System Protocol (PIFI). Every financial institution that is affiliated to one of the participating industry associations has access to (part of) the External Reference Index.

Your data are mostly processed within the European Economic Area (EEA). If we share data with parties based in a country outside the EEA or if personal data are processed outside the EEA, we ensure that your personal data remains adequately protected. In doing so, we for example make use of the Standard Contractual Clauses (European Model Clauses). We put in place clear agreements with parties, to ensure that the processing takes place in accordance with European legislation.

Your personal data will not be sold.

You have the right to ask us what personal data we process about you and to have incorrect data adjusted. We will ask verification questions or ask you for a copy of your proof of identity* to identify yourself.

After identification, you will receive our response within four weeks.
In certain cases we may choose not to give you any data about your health, for example if we consider it wiser that your GP provides an explanation. In such cases we will inform you about the way in which the information can be shared or requested.

*Proof of identity
When you provide a copy of your ID, you need to make your passport photo and citizen service number (BSN) invisible. We also recommend that you state on the copy that this copy serves to exercise your rights relating to your personal data.

In certain cases and under certain conditions, you have the right to have the personal data that we have about you deleted. This is the case if: 

The right to be forgotten is not an absolute right. We may decide not to comply with your request and not delete your data, if your request is not based on one of the above grounds, or (i) in order to exercise the right to freedom of speech and information; (ii) to satisfy a statutory obligation; or (iii) to institute, exercise or substantiate a claim. If we do not honour your request to have your personal data deleted, we will inform you about the reasons why we will not comply with your request.

If you are of the opinion that we process your personal data unlawfully, you may request that the processing be restricted. This means that the data will not be processed by us for a certain period of time. 

You are entitled to a copy of the personal data you have provided to us for the performance of an agreement you have concluded with us or if you have given us permission to use them. This only concerns personal data that we received from you yourself, not data we received from third parties. The purpose of this right is to enable you to easily transfer this data to another party.

You may at any time object against the processing of your personal data that takes place on the basis of our justified interest or the justified interest of a third party. In that case we will no longer process your data unless there are urgent, justified grounds for the processing that bear more weight, or which are related to instituting, exercising or substantiating a claim.

You have the right to unsubscribe from newsletters or personal offers via various channels (for example email, phone and mail) for our insurance and other (financial) services. In commercial offers we always point to the possibility to unsubscribe. Our staff may call you for commercial purposes. If you receive such calls from us, you can indicate during the telephone conversation that you no longer wish te be called. You can also contact us yourself and let us know that you no longer wish to be called. When we make profiles to make personal offers for products and services that match your personal preferences and interests, you can object at any time to the use of your personal data for this purpose.

Before we communicate with your via email, we will ask your consent for this, unless you have already given us permission.

If you have a pension insurance with us through your employer, we will not ask you for permission to communicate with you via email, because the legislator has chosen digital communication as the starting point for pension insurance.

You can opt to chat with us on our website or contact us via our social media pages such as Facebook, LinkedIn and Twitter or via WhatsApp. If you approach us via one of these channels, we will retain the data you provide to us via these channels in a secured environment. To respond to personal questions in your social media message, we will ask you in a personal message (direct message or email) to share your contact details with us. This allows us to check whether we are communicating with the right person.

This privacy statement applies to the data we receive from you via these platforms. The use of social media is your own responsibility. This privacy statement does not apply to the way in which social media platforms deal with the personal data provided by you. Please note that many social media platforms are established outside the European Union and store data outside the European Union. The European Union’s privacy legislation usually doesn’t apply in that case. We would advise you to consult the privacy statement of these social media channels for more information about the way in which they process your personal data.

Profiling
We make profiles of our customers on the basis of the data we collect with the purpose of analysing these data and thus, among other things, managing risks, making connections, and obtaining insight into (future) actions and preferences. We can then anticipate these. For example, by using these data to estimate the contribution or to send customers targeted advertisements/information. When we do so, we comply with legislation and regulations. This means, among other things, that we ask your permission beforehand if this is statutorily required. For example in the event of profiling based on sensitive personal data.

Automated decision-making
In particular cases we may use an automated process to assess an insurance application or a claim notification. This enables us to offer you a faster and better service . If you apply for an insurance, the data you supply will automatically be assessed in accordance with our acceptance criteria. This allows us to make a risk assessment of your application. In the event of a claim notification, your supplied data will automatically be assessed in accordance with our damage assessment criteria. This allows us to check whether a damage is covered. In both processes we will verify the supplied and available data. The decision about your application or claim notification will be based on the data you provide, risk- and fraud indicators and data from (public) sources such as the CIS database. After that,  the application can be automatically accepted or the claim can automatically be paid. However, in case of  a deviation in the regular process, for example if the application or claim is rejected your application or claim notification will be assessed by an a.s.r. employee. You have the right to obtain human intervention on the part of a.s.r., to express your point of view on the decision made and to contest that decision.

If you apply for basic or additional health insurance your data will be processed through an automated process. Data will be retrieved from the electronic application form that you have filled out. Additionally, authorization requests and declarations are screened to judge whether the application is covered within the insurance. Judgement of these criteria can be performed through an automated process. The outcome of the review of the declaration, either approval or rejection, will be communicated to you. You have the right to obtain human intervention on the part of a.s.r., to express your point of view on the decision made and to contest that decision.

A number of bodies monitor how we process personal data:

Privacy legislation is not static. Therefore we can amend this privacy statement in order to keep it up-to-date. We will do so if there are new developments, for example if there are changes in our business activities or in the law or case law. Therefore you are advised to regularly check this privacy statement when visiting one of our websites. In case of a material change to this privacy notice, a notification will be provided (for example through our website). 

a.s.r.
Attn. the Data Protection Officer
Afdeling Integriteit (Integrity department)
PO Box 2072
3500 HB Utrecht