Privacy Policy
Information on the protection of your personal data
With this information, we inform you about the processing of your personal data by Generali Health Solutions GmbH and the rights to which you are entitled under data protection law. Please also pass on the information to current and future authorised representatives and beneficial owners as well as other parties involved.
Person responsible for data processing
Generali Health Solutions GmbH
Hansaring 40-50
50670 Cologne
Phone: (0221) 1636 2907
Email address: kontakt.ghs@generali.com
You can reach our data protection officer by mail at the above address with the addition - Datenschutzbeauftragter - or by email at: datenschutzbeauftragter.de@generali.com.
Purposes and legal bases of data processing
We process your personal data in compliance with the EU General Data Protection Regulation (GDPR), the new Federal Data Protection Act (BDSG) and all other applicable laws.
If you request information, e.g., about our company or our company's products or services, we need the information you provide to process your request. If you wish to receive advice, we need your details to pass them on to our sales partner.
If you register on our portal, we need the information you provide to complete the registration process, to participate in the programme and to implement it. Furthermore, we need it to display the participation information in the customer area and to provide messages in your personal mailbox as well as to inform our cooperation partners.
If you go into the customer area after logging into the portal, an authentication code will be sent to your email address for security purposes. Please enter this code as confirmation in the dialogue.
In some health programmes, a self-disclosure takes place before registration. This information is used for quality assurance and to lead you to the most suitable programme level. We store and process this collected health data. If you do not complete the registration, we anonymise your data after one week. From this point on, it is not possible to draw any conclusions about your person.
With the registration for a health programme, we store and process the data collected in the context of the programme participation for the purposes of notification and information in the customer area, for evaluation purposes, for quality assurance purposes and for invoicing purposes.
The legal basis for this processing of personal data for pre-contractual and contractual purposes is Art. 6 para. 1 b) GDPR. Insofar as special categories of personal data are required for this (e.g. your health data during the implementation of the programme), we obtain your consent in accordance with Art. 9 (2) a) in conjunction with Art. 7 GDPR. If we compile statistics with these data categories, this is done on the basis of Art. 9 para. 2 j) GDPR in conjunction with § 27 BDSG. Consent given can be revoked at any time. This also applies to the revocation of declarations of consent that may have been given to us before the GDPR came into force, i.e. before 25.05.2018.
We also process your data to protect legitimate interests of us or of third parties (Art. 6 para. 1 f) GDPR). This may be necessary in particular:
- to ensure IT security and IT operations, including training and further development of technical systems,
- to optimise our internal processes,
- to anonymise data, e.g., to create statistics from it,
- to advertise our own products and for market and opinion surveys,
- to prevent and investigate criminal offences.
On the basis of your consent pursuant to Art. 6 (1) a) in conjunction with Art. 7 GDPR, we inform you about products and services by means of personalised emails and, if applicable, by telephone and also ask you about your customer satisfaction. In this context, we analyse your usage behaviour with regard to emails received. This means that we use emails that contain so-called tracking pixels. This enables us to determine whether you have opened and, if applicable, used our e-mail. For example, we can track which elements within the email, i.e. logos, buttons, links, etc., you have clicked on and how long you stayed in certain areas of the email. We evaluate this information in order to take it into account for future emails, i.e. to filter out information that is not of interest to you and to send you notifications tailored to your wishes and needs.
In addition, we process your personal data to fulfil legal obligations such as regulatory requirements, commercial and tax retention obligations or our obligation to provide advice. In this case, the legal basis for the processing is the respective statutory regulations in conjunction with Art. 6 para. 1 lit. c GDPR.
We will provide you with news about the health programmes and service information of Generali Health Solutions GmbH in the Inbox if you have given your consent in accordance with Article 6 (1) a GDPR. This consent can be given or revoked at any time via the settings in the customer area.
Should we wish to process your personal data for a purpose not mentioned above, we will inform you in advance within the framework of the legal provisions.
Categories of recipients of the personal data
Data processing in the group of companies:
Specialised companies or divisions of our Group of companies perform certain data processing tasks centrally for the companies affiliated in the Group. If an insurance contract exists between you and one or more companies in our Group, your data may be processed centrally by a company in the Group, for example, for the central administration of address data, for customer service by telephone, for contract and claims processing, for collections and disbursements or for joint mail processing. If, based on the assessment of the circumstances, we may assume that you have not addressed mail, emails or payments to the legal entity responsible for your concern, we will endeavour in certain cases to forward misaddressed mail and emails as well as payments within the Group to the responsible entity.
To fulfil legal obligations (e.g., under commercial law) or on the basis of legitimate interests, we may also transfer data to Generali Deutschland AG as the parent company of the German group of companies, to Assicurazioni Generali S.p.A. as the parent company of the international Generali Group and to other companies of the German or international Generali Group.
You will find the companies that participate in centralised data processing in our list of service providers, which we have communicated to you in text form prior to participation, as well as in the respective current version here on the Internet.
External service providers:
We sometimes use external service providers to fulfil our contractual and legal obligations. A list of our contractors and service providers with whom we have more than temporary business relationships can be found in the overview in the customer information you received prior to participation and in the current version on this page.
Insofar as several companies process your personal data under joint responsibility (Art. 26 GDPR), the respective companies have contractually agreed among themselves to fulfil their obligations under data protection law (including information obligations and data subject rights) as a rule under their own responsibility.
Other recipients:
In addition, we may transfer your personal data to further recipients, such as authorities for the fulfilment of legal notification obligations (e.g. social insurance institutions, tax authorities or law enforcement agencies).
Duration of data storage
If your data is no longer required for the above-mentioned purposes, it will be anonymised after three years and deleted after six years. In the process, personal data may be retained for the time during which claims can be asserted against our company (statutory limitation period of three or up to thirty years). In addition, we store your personal data insofar as we are legally obliged to do so. Corresponding obligations to provide proof and to store data result, among other things, from the German Commercial Code (Handelsgesetzbuch), the German Fiscal Code (Abgabenordnung) and the German Money Laundering Act (Geldwäschegesetz). The storage periods are then up to ten years.
Your data protection rights
You can request information about the data stored about you at the above address. In addition, you can request a rectification if we have stored incorrect personal data about you. Taking into account the purposes of the processing, you also have the right to request that your personal data be completed if we have stored incomplete data. In addition, you can demand the erasure of your data under certain conditions. You may also have the right to restrict the processing of your data and the right to receive the data you have provided in a structured, commonly used and machine-readable format.
Right to lodge a complaint
You have the right to lodge a complaint with the above-mentioned data protection officer or with a data protection supervisory authority. The data protection supervisory authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2 - 4
40213 Düsseldorf
Data transfer to a third country
If we transfer personal data to service providers outside the European Economic Area (EEA), we will only do so if the third country has been confirmed by the EU Commission as having an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal company data protection regulations or EU standard contractual clauses) are in place. Detailed information on this can be requested by using the contact information above.
Automated individual case decisions
We do not use any automated processes in the context of decision-making.
Amendment of the data protection notice
We reserve the right to change this privacy policy. You can find a current version on this page at any time.
Status: 1 October 2022
The protection of privacy and the security of your personal data is also an important concern for us when visiting our website. Our applications comply with the provisions of the European Data Protection Regulation, the Federal Data Protection Act and other sector-specific regulations on data protection on the Internet (e.g. Telecommunications Act and Telemedia Act). All persons working for our company are obliged to comply with the relevant data protection regulations and to maintain confidentiality.
No automated collection, processing or use of personal data takes place when you visit our website without your express consent. You can move around our public websites anonymously. After logging in to our website, the last login times and the number of unsuccessful login attempts are saved. This serves solely to protect the account from unauthorised access.
We collect and use your personal data obtained through the use of our Internet services only with your consent. The data collected is subject to extensive security measures that prevent unauthorised access, prevent misuse and protect against destruction or loss of the data.
Only statistical information is collected from the log data to improve our website. No user profiles are created. In the event of any further use of your personal data, we will inform you and ask for your express consent. We respect your data protection rights, in particular your right to information regarding the data stored about you. If your personal data has been stored as a result of using our Internet services, you have the right to request information about this free of charge. Furthermore, you have the right to have incorrect data corrected, blocked and deleted. Please also note our data protection information, which applies accordingly to the use of our website. In accordance with the German Telemedia Act (TMG), you have the right to view your usage data at any time and to revoke any consent you have given to the collection, processing and use of internet usage data at any time without giving reasons. These data protection principles are adapted and further developed in line with the development of data protection and security technology. Further information can be found in our notes on data security and our cookie policy.
If you still have questions about data protection, please contact the data protection officer: datenschutzbeauftragter.de@generali.com.
List of service providers with whom Generali Health Solutions works using health data and other data protected under Section 203 of the German Criminal Code (annex to the Declaration of Data Protection Consent and Release from Confidentiality).
Our security precautions correspond to the current state of the art:
Protected access
As an Internet user, you have free access to all public pages of Generali Health Solutions GmbH. In addition to these public areas, there are protected areas that are reserved for certain user groups. These areas require the user to log in. Since the data accessible in these areas may be worth protecting, careful handling of the information required for logging in (especially passwords) is necessary.
Dealing with passwords
A good password should be at least 8 characters long, should not contain names or words, and should contain numbers and special characters as well as letters. It should be changed at regular intervals and should not be stored on your PC or in the browser. The German Federal Office for Information Security (BSI) has compiled more detailed information on how to handle passwords (see links below).
Transmission of sensitive data
If you call up pages within our website that offer the option of entering data and you are requested to enter and send data about yourself, we use the encryption technology SSL (Secure Sockets Layer) with a key length of at least 128 bits to transmit this data via the Internet. To date, there are no known ways of analytically decrypting such 128-bit encryption. You can recognise the use of SSL by, among other things, the address (which in such a case begins with HTTPS) or the lock in the status bar of your web browser.
Emails
The registration confirmation email is sent unencrypted. This does not contain any personal data other than your e-mail address. We do not send other messages containing personal data unencrypted by e-mail.
If you send unencrypted e-mails to us yourself, please note that these are not protected against being read or manipulated by unauthorised third parties during transmission via the Internet.
Before you send us an e-mail, please bear in mind that its content is not protected against unauthorised reading, falsification, etc. on the Internet.
Phishing
Phishing scammers forge emails and websites to obtain your confidential data, such as passwords or other sensitive data. Please note that we will never send e-mails or text messages asking you to provide strictly confidential personal data such as your bank account details, credit card number or password. Such messages sometimes give bizarre reasons (e.g. end of insurance cover). Further information on phishing e-mails and how you can protect yourself can be found, for example, on the website of the Federal Office for Information Security.
Use of cookies
A cookie is a data element that a website can send to your browser in order to store it on your system for later use. We only use cookies to increase the comfort of our websites (e.g. avoiding multiple entries). The cookies created are automatically deleted after the end of the visit to our pages.
You have the option of setting your browser so that either cookies are not received or that you are notified when cookies are received. You can then decide whether you want to accept the cookie or not. Your privacy thus remains protected. The use of the website may be restricted by the rejection of cookies.
For more information about the technologies we use for marketing and statistical analysis of our websites, please refer to our Cookie Policy.
Use of JavaScript
JavaScript programs are simple programs downloaded from the server for execution in the browser that enable us to facilitate the operation of our site. We use JavaScript, for example, to improve the visual presentation options of our website, to navigate between individual pages and to make it easier for you to use our forms via which you can contact us.
If you disable the use of JavaScript in your browser settings, you will no longer be able to use our website.
Other active content (Java applets and ActiveX controls) is not used on our website.
Access protection measures
Our data processing systems are protected from the outside world by firewall systems. Login procedures and authorisation systems ensure that internal applications are only accessible to authorised persons.
Encryption
Encryption methods include, for example, RSA, DES, RC4 and DES3. If the same key is used for encryption and decryption, this is called a symmetric encryption method. If different keys are used for encryption and decryption, it is called an asymmetric encryption method. The longer the key, the more time it takes to crack it.
SSL (Secure Sockets Layer) is a procedure that consists of a combination of asymmetric and symmetric encryption procedures. First, the browser sends a self-generated session key, encrypted with the public 1024-bit key (RSA) of the web server (asymmetric procedure), to the web server. Decryption takes place there using the secret RSA key, so that from now on the web server and browser communicate in encrypted form using the session key. Each time you log in again, a new session key is generated. Our web servers support a key length of 128 bits (RC4) for the session key.
You can recognise an internet connection secured via SSL by the address in your browser, among other things. If this begins with 'https://', this is a sign of a secure connection (e.g. https://secure.generali.de). Another signal is, for example, the closed, yellow lock in the status bar at the bottom of your browser. In Internet Explorer, for example, you can also view more detailed information about the encryption of the page by right-clicking on the page -> Properties.
To ensure secure data transmission, however, it is not necessary to encrypt the page itself, but only the transmission. Encryption may therefore be used only at the moment the data record is sent, for example when you click 'Send', 'Submit' or similar.
To date, there are no known ways to analytically decrypt a 128-bit encryption. The only "attack possibility" is a "brute force attack", i.e. a complete trial of all possibilities. For a "brute force attack", for example, 1 billion computers that could each try out 1 billion keys per second would need longer to find the right key than the universe has existed according to current knowledge.
The currently effective encryption is negotiated between the web browser and the web server when the connection is established, taking into account the options available in each case. Due to previously applicable US export restrictions, many browser versions are only equipped with comparatively weak encryption options. In concrete terms, this means that the maximum effective key length is often limited to 40 bits.
Further information
Further information on the subject of security on the Internet can be found under the following links: