Privacy Statement

ASR Nederland N.V. is the point of contact for the processing of personal data by the following entities and labels: ASR Levensverzekering N.V., ASR Basis Ziektekostenverzekeringen N.V., ASR Aanvullende Ziektekostenverzekeringen N.V., ASR Schadeverzekering N.V., ASR Vermogensbeheer N.V., ASR Real Estate B.V., ASR Vitaliteit en Preventieve Diensten B.V., ASR Vooruit B.V., ASR Premiepensioeninstelling N.V., Ditzo, Ardanta and Loyalis. 

Visiting address: 
Archimedeslaan 10 
3584 BA Utrecht

Postal address:
PO Box 2072
3500 BA Utrecht

Facebook
Twitter

(a.s.r. )WhatsApp: +31 (0) 623889539
Telephone: +31 (0) 30 257 9111

a.s.r. Vitality and a.s.r. Real Estate have their own privacy statement. For more information, see: https://www.asr.nl/vitality/privacy and https://asrrealestate.nl/privacyverklaring

ASR Nederland N.V. and all its brands handle your personal data with due care. In doing so, we comply with applicable (privacy) legislation and codes of conduct that further specify this across the sector. All employees have taken an oath or have made a solemn affirmation to act with integrity and reliably. This includes keeping confidential what has been entrusted to them.

When do we process your personal data?
This privacy statement applies to all your personal data that the brands of ASR Nederland N.V. process when you are a customer, when you visit our website, when you use our apps or mijn a.s.r., or when you contact our customer service desk. This statement also applies to other situations, for example if you have applied for a product but have not become a customer. Or if your employer has taken out pension insurance or disability insurance for you with us. Or if you are a beneficiary or have been involved in a claim as a witness or an injured party.

If you are a customer with us, we will use your bank account number to make payments and collect the amounts due (contribution, fee, periodic deposit or interest). In addition, we may have access to your income details if this is necessary for one or more of our financial products.

For some products or services we will need additional information from you, for example your car registration in case of a car insurance or your profession in case of an income protection insurance policy or mortgage. We need these data in order to provide services to you or to assess the risk, determine the conditions or evaluate possible claims. In addition to the name and address details and the financial data, we may also ask for your gender and date of birth if this is necessary for our services. 

In order to accept or implement our insurance policies (which also include the handling of personal injury claims) and other (financial) services, in certain cases we will need information about your health. Occasionally we may need information from your physician. If we need information from your physician, we will always ask for your prior consent. With regard to health data, these are only shared with the medical service.

Ardanta/Life insurance
We ask health questions when we receive applications for funeral insurance. These are shared with an a.s.r. medical adviser via a secure environment, so that we can assess whether we can insure the risk. 

Group income protection insurance schemes
For group income protection insurance schemes, we process limited health data, such as sickness reports, notifications of recovery or to what extent you are unfit for work. We receive these data from you, your employer, the working conditions service or the UWV (Employee Insurance Agency).

If we support you and your employer in reintegration, our reintegration staff can also process information about your limitations and capabilities so that we can help you return to work in a responsible way.

Personal injury
In order to assess and handle a personal injury claim, we will process your health data. We may share your data with other parties, such as personal injury firms. Our employees will only process healthcare data they need to carry out their tasks. Only the medical adviser is allowed to process your health data for the purpose of preparing medical advice. To this end, the medical adviser can request additional health data from you. The medical adviser will only collect health data from you from other sources with your explicit consent, if necessary with authorisation.

Are you dealing with a personal injury claim, for example? You will then receive a separate brochure containing an explanation of the use of your (health) data.

Private disability or private and business accident insurance and travel insurance with acident cover
Our medical adviser plays a central role in assessing health in connection with the conclusion of an insurance policy or a claim for benefits due to disability or an accident. If the medical adviser considers it necessary to request health data from others, such as your GP or treating specialist, for the assessment of your application or for the assessment of your disability, they will always ask you for your prior consent. The authorisation with which you give this consent states which health data our medical adviser wishes to request and from whom they wish to request the data. By signing the authorisation, you give your consent. The medical adviser is responsible for retaining your health data. When processing health data, we comply with the Code of Conduct for the for the Processing of Personal Data by Insurers. When processing health data, our medical adviser complies with the Professional Code for Medical Advisers working in Private Insurance cases and/or Perzonal injury cases.

Pension insurance
For group pension insurance, we do not process health data, except for disability cover or if you change your mind about a previously made choice. For example, if you have chosen not to participate in the Anw (Surviving Dependants Act) scheme offered by your employer with us, and at a later date wish to participate as yet, we may require health warranties from you.

Health insurance
For the application of your basic insurance, we do not need any health data from you in order to take out this insurance. We do not use risk selection for acceptance, as the basic insurance is subject to a statutory acceptance obligation. The government determines which cover is included in the basic insurance. If you apply for supplementary insurance with us, we may request health data from you in order to assess your application. In the case of supplementary insurance, we are free to decide whether or not to accept your application on the basis of risk selection.

As a health insurance company, we are allowed to process data about your health, in so far as this is necessary for the implementation of the basic insurance, the supplementary health insurance or Wlz (Long-Term Care Act) insurance. The processing of your health data takes place only within a specially separated unit (functional unit), under the responsibility of our medical adviser. This is a BIG-registered medical specialist.

When processing health data, we comply with the Code of Conduct for the Processing of Personal Data by Health Insurers.

We process data about the contact you have had with us in order to be able to see:

In the course of our business services we also process personal data; names of contact persons, shareholders or UBOs (ultimate beneficial owner) of a company. Under the Money Laundering and Terrorist Financing (Prevention) Act and sanction regulations, we must identify the UBOs of our business customers and suppliers.

We use your personal data, among other things, to contact you in order to check whether you can become or remain a customer with us, to consult with you about the products or services that you purchase from us, to implement changes in your personal data or to provide you with (financial) insight and perspective for action via the platform 'Ik denk vooruit' (I think ahead).

We may use your data to manage your products - or the products of your employer, such as absenteeism insurance policies - and to settle (expense) claims and complaints or to receive, pass on and have your order executed.

We are happy to keep you informed. For example through emails, newsletters, offers on our website or via social media. Or with personalised ads on apps and websites of other parties and social media. For this, too, we use your personal data.

We can do this by:

We also use your personal data to improve our products and services and to tailor our range of products to your wishes and needs.

We do this by combining and analysing them. These analyses bring us new ideas and better solutions. Based on these analyses, we may for example:

When tracing fraud, abuse and improper use, we also record personal data. To this end, we may exchange data within a.s.r., with other financial institutions or with external research agencies. In doing so, we comply with the Insurers and Crime Protocol and the Financial Institutions Incident Warning System Protocol (PIFI). Among those involved in the PIFI are the Dutch Association of Insurers, the Dutch Banking Association, the Mortgage Fraud Prevention Foundation, the Dutch Finance Houses' Association and the Association of Dutch Health Insurers. If a personal investigation in connection with insurance is involved, we follow the rules of the Code of Conduct for Personal Investigations.

Events administration
To safeguard the security and integrity of the various labels within a.s.r., we use a Central Events Administration. This database stores (personal) data that require our special attention in connection with certain events. Data from the Central Events Administration can only be accessed through our Security Department, Special Affairs Department or other authorised staff.

We handle your personal data with due care and take the necessary technical and organisational measures to guarantee an adequate protection level. We have put in place technical and organisational measures to protect your personal data against loss or unlawful processing. We pay great attention to the optimal security of our systems in which personal data are stored. For example, measures to use our website and IT systems safely and avoid abuse. But also protection of physical spaces where personal data are stored. We monitor the security of our data traffic 24 hours a day. We have an information security policy in place and arrange training programmes of our staff in the area of personal data protection.

Only authorised employees who should have access to your data can view and process your data. All our employees have taken an oath or have made a solemn affirmation. Employees promise or state that they will comply with the legislation and regulations and codes of conduct and will act ethically. In certain cases (e.g. access to sensitive personal data), employees must first sign an additional confidentiality agreement before being granted access.

We do not store your personal data longer than necessary. In certain cases the law provides how long we may or must store data. In other cases, we have determined on the basis of legislation and regulations how long we need your data. We have drawn up an extensive retention period policy for this.

Policy/customer files for example are stored for at least 7 years after the relationship with a.s.r. has ended. For more information on the specific retention periods, please contact us.

We only provide personal data to third parties if this is permitted by the law and necessary for a.s.r.’s business operations.

Are you a customer of one of the brands that come under ASR Nederland N.V.? In that case we may exchange your personal data with one of the other brands of ASR Nederland N.V.. We do this, for example, for administrative reasons, to ensure a reponsible acceptance policy or to prevent and combat fraud. In addition, we exchange personal data between the various departments of ASR Nederland N.V., for example for the processing of your application or to obtain an overview of the products and services supplied to you. This allows us to provide you with a better service; for example, you only have to pass on a change of address once.

You may receive offers for other products of the brands that come under ASR Nederland N.V. If you do not want any offers for other products, you can indicate this. If you have an adviser, you will usually receive messages from us in consultation with your adviser (see also c).

Your personal data are stored in a.s.r.'s central customer administration. The storage of these personal data in the central customer administration is done for internal administrative purposes, including the matching of your data. This means that we check whether the same data about you are used in the various business units. It is important to check that we have the right information about you. By matching data, we can work more efficiently and provide you with a better service.

Sometimes we are statutorily required to pass on certain personal data to the authorities. For example the Tax and Customs Administration, the Employee Insurance Agency, the police, the judiciary, or regulators such as the Dutch Central Bank, The Netherlands Authority for the Financial Markets (AFM) and the Dutch Data Protection Authority.

We engage other companies to perform services for us relating to our services. For example a debt-collection agency, a loss adjustment firm, a working conditions service or a reinsurer. We also share your data with the Emergency Centre as the executor of (breakdown) assistance. If you have taken out a legal expenses insurance with a.s.r., we will share your data with DAS as the provider of the legal assistance. With all parties, we lay down agreements to safeguard your privacy.

We may also outsource the processing of personal data to third parties, for example (IT) service providers for maintenance and support functions. In most cases, these (IT) service providers are to be considered as processors because they do not have independent control of the personal data that are made available by a.s.r. to the IT service provider in the context of the services. In these situations, ASR Nederland N.V. remains responsible for the careful processing of your personal data.

Financial institutions may record in an Incidents Register the conduct of persons or legal entities that has led or may lead to prejudicing financial institutions. An External Reference Index is linked to this Incidents Register. This External Reference Index only contains referral data (e.g. a name and date of birth or Chamber of Commerce number) to the Incidents Register that may be included under strict conditions in accordance with the Protocol on the Financial Institutions Incident Warning System Protocol (PIFI). Every financial institution that is affiliated to one of the participating industry associations has access to (part of) the External Reference Index.

Your data are mostly processed within the EEA. If we share data with a service provider based in a country outside the EEA or if personal data are processed outside the EEA, we make arrangements with them so that we will abide by the rules agreed in the European Economic Area. In doing so, we make use of the Standard Contractual Clauses; this is a model endorsed by the European Union in which it is agreed that a sufficient protection level for the protection of personal data is put in place. 

You have the right to ask us what personal data we process about you and to have incorrect data adjusted. We will ask verification questions or ask you for a copy of your proof of identity* to identify yourself.

After identification, you will receive our response within four weeks.
In certain cases we may choose not to give you any data about your health, for example if we consider it wiser that your GP provides an explanation. In such cases we will inform you about the way in which the information can be shared or requested.

*Proof of identity
When you provide a copy of your ID, you need to make your passport photo and citizen service number (BSN) invisible. We also recommend that you state on the copy that this copy serves to exercise your rights relating to your personal data.

In certain cases and under certain conditions, you have the right to have the personal data that we have about you deleted. This is the case if: 

The right to be forgotten is not an absolute richt. We may decide not to comply with your request and not delete your data if your request is not based on one of the above grounds, or (i) in order to exercise the right to freedom of speech and information; (ii) to satisfy a statutory obligation; or (iii) to institute, exercise or substantiate a claim.
If we do not honour your request to have your personal data deleted, we will inform you about the reasons why we will not comply with your request.

If you are of the opinion that we process your personal data unlawfully, you may request that the processing be restricted. This means that the data will not be processed by us for a certain period of time. 

You are entitled to a copy of the personal data you have provided to us for the performance of an agreement you have concluded with us or if you have given us permission to use them. This only concerns personal data that we received from you yourself, not data we received from third parties. The purpose of this right is to enable you to easily transfer this data to another party.

You may at any time object against the processing of your personal data that takes place on the basis of our justified interest or the justified interest of a third party. In that case we will no longer process your data unless there are urgent, justified grounds for the processing that bear more weight, or which are related to instituting, exercising or substantiating a claim.

You have the right to unsubscribe from newsletters or personal offers for our insurance and other (financial) services. In commercial offers we always point to the possibility to unsubscribe. Our staff may call you for commercial purposes. In doing so, we will adhere to the rules of the Do-not-call-me register (Bel-me-niet register). On the website www.bel-me-niet.nl you can unsubscribe your telephone number for commercial calls and read more about the Bel-me-niet-register. Blockades in the Bel-me-niet Register only apply to companies and organisations with which you have no relationship. Even if you are registered in the Bel-me-niet Register, you may still receive calls from companies or organisations of whom you are or have been a customer for a similar product or service. (Source: bel-me-niet.nl)

Before we communicate with your via email, we will ask your consent for this, unless you have already given us permission.

If you have a pension insurance with us through your employer, we will not ask you for permission to communicate with you via email, because the legislator has chosen digital communication as the starting point for pension insurance.

You can opt to chat with us on our website or contact us via our social media pages such as Facebook, LinkedIn and Twitter or via WhatsApp. If you approach us via one of these channels, we will retain the data you provide to us via these channels in a secured environment. To respond to personal questions in your social media message, we will ask you in a personal message (direct message or email) to share your contact details with us. This allows us to check whether we are communicating with the right person.

This privacy statement applies to the data we receive from you via these platforms. The use of social media is your own responsibility. This privacy statement does not apply to the way in which social media platforms deal with the personal data provided by you. Please note that many social media platforms are established outside the European Union and store data outside the European Union. The European Union’s privacy legislation usually doesn’t apply in that case. We would advise you to consult the privacy statement of these social media channels for more information about the way in which they process your personal data.

Profiling
We make profiles of our customers on the basis of the data we collect with the purpose of analysing these data and thus, among other things, managing risks, making connections, and obtaining insight into (future) actions and preferences. We can then anticipate these. For example, by using these data to estimate the contribution or to send customers targeted advertisements/information. When we do so, we comply with legislation and regulations. This means, among other things, that we ask your permission beforehand if this is statutorily required. For example in the event of profiling based on sensitive personal data.

Automated decision-making
We assess your application for a number of products - such as car insurance, term life insurance - via an automated process. The data you enter are automatically checked against our acceptance criteria. We check whether these data are correct. In addition, we check your application against a number of fraud indicators and make a risk assessment based on the information you provide and data from (public) sources. This assessment may have consequences for the level of your premium, for example. If there is a deviation in the regular application process, this deviation is always assessed by an a.s.r. employee. If you do not agree with an automatic decision, you can ask for the reasons and also lodge an objection. The assessment will then always take place by a person.

A number of bodies monitor how we process data:

Privacy legislation is not static. Therefore we can amend this privacy statement in order to keep it up-to-date. We will do so if there are new developments, for example if there are changes in our business activities or in the law or case law. Therefore you are advised to regularly check this privacy statement when visiting one of our websites. 

Do you have any questions about this privacy statement?

Please contact the Data Protection Officer of ASR Nederland N.V.
Send an email to: privacy@asr.nl. Or send a letter to:

a.s.r.
Attn. the Data Protection Officer
Afdeling Integriteit (Integrity department)
PO Box 2072
3500 BA Utrecht

If you have any complaints about privacy, please contact us using the complaint form on our website. You can also file a complaint with the Personal Data Authority www.autoriteitpersoonsgegevens.nl (tel. 0900-2001201).

Privacy statement most recently updated 3 June 2022.