Data Protection

1.DATA PROCESSOR. WHO WILL PROCESS MY PERSONAL DATA?

«ERGO SEGUROS DE VIAJE»(hereinafter, «ERGO»), with V.A.T. No. W0040918E and with its registered office situated at Av. Isla Graciosa, 1, 28703 San Sebastián de los Reyes, Madrid, Spain. You may contact us via our customer services email: se.ejaivedsoruges-ogre@dpd or via telephone (+34) 91 344 17 37

The Data Protection Manager (hereinafter, the “DPM”) is the person responsible for safeguarding your privacy at our company. If you need to contact the DPM, you may do so via email: se.ejaivedsoruges-ogre@dpd or by way of letter forwarded to the aforementioned address, including the reference «Data Protection Manager».

2.COMPATIBLE DATA PROCESSIN

We shall only process your personal data in order to comply with out contracts or the requests for insurance policies, as well as, furthermore, to improve our products or services, always in accordance with your needs. The foregoing additional purposes require, as the case may be, that you have either provided us with your consent, or alternatively that you have not objected thereto, by reason that a “legitimate interest” exists in the processing of your personal data. The term “legitimate interest” is defined herein below.

3. PURPOSES. WHAT WILL MY PERSONAL DATA BE USED FOR?

3.1.Mandatory data processing of your personal data for compliance with regulations and the terms of contracts or requests.

Your personal data shall be used to:

• Comply with legal regulations and provisions (laws and other regulations), which implies, occasionally, that your personal data shall be assigned to the authorities, including the Directorate-General for Insurance (in the case of an inspection or the resolution of complaints or claims filed before said Directorate-General) and the State Tax Authority.
• Respond to the requests for contracting with us, as well as to comply with the corresponding insurance contracts.
• Determine the insurance premium, for which an analysis is carried out in relation to the duration of the trip contracted and the destination thereof, as well as the information that you have provided us with during the contracting process, whether directly, or through the policyholder. For example, the longer the trip, and the further the distances travelled, or if travelling to remote places far from developed urban centres, the higher the cost of the insurance policy, because the cost of being able to help and provide you with medical assistance or other types of assistance are also higher. The foregoing implies that it is necessary to create profiles and to apply automated decisions.
• Applicable regulations require us to establish accounting provisions, and accordingly we need to create profiles and adopt automated decisions that enable us to analyse the probabilities of an accident or insurance claim, which means that we are required to use your personal data for said statistical purposes.
• Furthermore, we must also prevent fraudulent practices, and accordingly we must carry out data processing activities that include profiles or automated decisions for the obligations imposed by applicable regulations, as well as carry out the investigations and appraisals or cost adjuster activities that are required in order to analyse the payment of the insurance claims.
• Occasionally, we must also obtain and store the recordings of telephone calls that have taken place.
• Moreover, whenever necessary, we must update your essential personal data (identification particulars and any other information included as necessary information pursuant to each contract) and enhance or correct said information with public data (public registers, cadastral information or any other manifestly public information) in order to comply with the identification obligations and other applicable obligations.
• In the case that you act on behalf of a legal person, or on behalf of a third party, your personal contact information shall also be processed in order to manage the legal relationship.
• Applicable law authorises us, in order to be able to comply with the insurance policy, to carry out the foregoing data processing activities, and accordingly:
• • To determine and manage the necessary medical assistance, as well as the insurance compensation that, as the case may be, is payable, when said compensation payments are required from ERGo.
  • The adequate payment to the healthcare providers (hospitals, medical practitioners, operators, etc.) or the reimbursement to the insured or his or her beneficiaries of the healthcare expenses that had been incurred within the scope of the insurance policy.
  • Furthermore, in the case of ERGO, you are hereby informed that ERGO constitutes a group of companies, and accordingly it may be necessary to communicate information among the companies of the group for the compliance with the supervision obligations established at law. Normally, the information is anonymous or pseudonymised information. In the “recipients” section, you may obtain further information regarding the group.
  • Finally, applicable law also authorises us to communicate to reinsurance companies, if applicable, the data and information that is strictly necessary for the formalisation of the reinsurance contract, in the terms provided for in Section 77 of the Insurance Contract Act 50/1980, of 8 October, as well as the carrying out of related operations, which shall be deemed to mean the carrying out of statistical or actuarial studies, risk analysis or investigations for customers, as well as any other activity related or associated with reinsurance activities.
• If established in applicable legislation, we may be required to carry out a suitability or fitness test for the contracting of certain products.

3.2.Additional data processing based upon a legitimate interest in order to provide you with personalised services and to improve our products and services.

Accordingly, you shall always be able to exercise your rights of objection in respect of data processing activities, at any time whatsoever. Said data processing activities, provided that you continue to be a customer of the company, comprise:

• To forward commercial communications in relation to insurance policies, within your reasonable expectations of privacy (for example, products similar to those that you have contracted), by any channel whatsoever, including via telephone, postal mail and email, SMS, any equivalent communication channel, or an alert or notice while you surf the web.
• To disclose your personal data for fraud prevention and for the creation of common files, in accordance with applicable regulations, as well as to guarantee the security of our networks and information.
• Furthermore, to transfer your personal data within the corporate group and within associated companies, however only for internal administrative purposes, including the customer data processing activities. You may query in the “recipients” section the companies that conform the ERGO group.
• To update your essential personal data (identification particulars and any other information included as necessary information pursuant to each contract) and to enhance or correct said information with public data (public registers, cadastral information or any other information that you have publicly declared) for commercial purposes and for the adequate management of our relationship with you.
• To create behavioural models through pseudonymised and anonymous data, in order to generate new products and services, and to improve said products and services or the customer services that we provide.
• To carry out satisfaction surveys in relation to the contracted products and services.
• The contact particulars of legal persons in relation to the location of professional premises, shall also be processed based upon the legitimate interest principle, for the purposes of establishing commercial relationships or any other types of relationships with the legal person for which you render your services. The foregoing shall also be applicable to the personal particulars of individual sole traders and self-employed persons when related exclusively to said status thereof and when the data is not used in order to establish a relationship with them as natural persons.

3.3.Voluntary data processing may also take place, based upon your consent, if you expressly provide us with your consent.

Consent that may always be revoked without any detriment or penalty to you whatsoever. The foregoing data processing may include:

• The use of “cookies” or other devices to enhance your web browsing, and you may obtain further information through the “cookies policy” section that shall be displayed and that shall request that you accept the terms thereof prior to beginning to surf the web, and that is available on our web site: www.ergo-segurosdeviaje.es.
• The geolocation of your location, when you consent thereto for the provision of a service that requires said function, as explained and in accordance with the device that you are using, or with the corresponding “App”. As you already know, we help you during your trip via the “Travel&Care” App. You can download the app at any time.
• Any other processes that you may consent to in the future, by reason that you trust in us to carry out said processes, such as the incorporation of your personal data into the loyalty channels, promotional surveys, draws or any other special advantages for customers that may be created.

4.»PROFILES» AND AUTOMATED DECISIONS. WHY AND FOR WHAT PURPOSE ARE THEY USED?

Profiling consists of using your personal data to assess certain aspects of you. At ERGO we solely and exclusively analyse the data in relation to the trip itself, and the rest of the data provided, such as your age, in order to determine the insurance premium and to establish accounting provisions. Furthermore, however provided that you may always object to any additional data processing, or alternatively provided that you have expressly consented thereto, we may use the information to adjust our offers to your particular needs.

The foregoing profiles mean that we are able to adopt completely automated decisions, that is to say, without the involvement of any human being, as the profiles enable us to adopt homogeneous decisions, being the same for all persons, and that take into account objective data or propensities. In any event, in said situations, if the decision was to significantly affect you, you shall always have the right to request personalised services from a natural person, to express your point of view and to challenge the decision, as we always to provide you with the most efficient services possible. If required, please contact our DPM or the customer services.

5.PERIOD OF TIME. HOW LONG WILL WE STORE YOUR PERSONAL DATA?

Unless you have provided your consent, we shall only store your personal data for the time during which you are a customer or during the period in which we have a commercial relationship with you. As from said moment in time, the data that shall be stored, exclusively as restricted information (that is to say, available to the corresponding authorities and in the legal interests of the company) shall be the minimum necessary data in relation to the operations and transactions carried out in order to act in relation to any claim, until the time-barring thereof. Normally the applicable periods are that of 10 years for the Prevention of Money Laundering Act, if applicable, and that of 5 years in order to manage the claims pursuant to travel insurance policies that include personal injuries to natural persons, or that of 2 years for the claims regarding material damages. After the time-barring persons have elapsed, the data shall be completely deleted and cancelled.

If you have registered on our web site, we shall store your personal data for the time in which you are registered, so that you do not have to re-register for the contracting of other insurance policies or claims.

If you are not a customer and you have forwarded us an application for the contracting of an insurance policy, we shall store your personal data during the period in which the offer that has been provided to you remains valid, or, if no period of validity has been established, then for the legally applicable term.

The images captured for video surveillance purposes shall be stored for the period of one month, except when applicable law provides for further storage periods, for example, when said information needs to be stored in order to substantiate the commission of acts against personal integrity, or any damages against property or facilities. The foregoing shall also be applicable to the data regarding access to private buildings, for identification and security purposes.

6. WHAT PERSONAL DATA AND DATA PROCESSING IS MANDATORY AND WHAT ARE THE CONSEQUENCES OF NOT PROVIDING SAID PERSONAL DATA?

In the forms for the provision of relevant data, fields may exist that are marked with an asterisk (*) that are mandatory fields for the formalisation of the contract or policy request. Accordingly, said information shall be required for said purposes and without said information it shall not be possible to continue with the operation. The rest of the information shall always be optional.

7.RECIPIENTS. WHO HAS ACCESS TO MY PERSONAL DATA?

Only ERGO has access to your personal data, unless you have provided us with your consent for the assignment thereof, or when said assignment of your personal data is imposed by legal requirements, as is the case, for example, with the Directorate-General for Insurance and Pension Funds.

Furthermore, the insurers or reinsurers and third party collaborators or suppliers, that for reasons of reinsurance, co-insurance or by reason of the management of insurance claims, are involved in the management of the insurance policy and the claims pursuant thereto, as well as the suppliers or providers of any service shall also receive your personal data, however the foregoing shall always be subject to contracts and guarantees, in accordance with the models approved by the data protection authorities. For example, the expert appraisers or cost adjusters, managers, lawyers, etc. Our suppliers and providers of services include certain related-party companies, such as «DKV SERVICIOS S.A.», «EURO-CENTER HOLDING, S.E.» and its subsidiary “EURO-CENTER MADRID, S.A.”, a leading multinational within its sector, through which we provide travel assistance services throughout the world. In these cases, and through EURO-CENTER, data exchanges may take place to foreign countries outside of the European Union, however the foregoing shall only be carried out at your request if you notify of the need for travel assistance by reason that you are an insured party, and only when strictly necessary, and only when you need to receive the medical assistance or other material services that we are able to provide by virtue of the insurance policy, so that we are able to comply with the terms of the insurance policy and fulfil said obligations. Moreover, occasionally, by means of the foregoing we shall protect your vital interests or that of the rest of the insured persons.

In the case of legitimate interest, for fraud prevention, or for internal administrative activities, or when you have consented thereto, your personal data may be assigned and provided to other branch offices of ERGO, or companies of the ERGO Group to which we belong.

On our web page, in the section “data protection policy”, you will find a list of the categories of suppliers and the companies that form part of our group.

8.RIGHTS. WHAT ARE MY RIGHTS IN RESPECT OF MY PERSONAL DATA?

Right of access in order to verify whether at ERGO any personal data is being processed that relates to you and, if so, you have the right to access your personal data and the additional information that is referred to in Article 15.1 of the Data Protection Regulations.

Right of rectification, , in order to modify your personal data in the case that they are not accurate. Thus, you have the right to request the rectification of the inaccurate data or, as the case may be, to request the deletion thereof when, among other reasons, the personal data is no longer necessary for the purposes for which it was provided, when you have withdrawn or revoked your consent, or other situations, for example to complete your personal data, in accordance with the provisions of Articles 16 and 17 of the Data Protection Regulations.

Right of challenge, by means of which you may request that your personal data not be processed for certain purposes, and in particular for data processing in relation to the creation of profiles or automated decisions. In said cases, ERGO shall cease to process your personal data, except for legitimate purposes, or for the filing or the legal defence of any possible claims, and all of the foregoing in accordance with the provisions of Article 21 of the Data Protection Regulations.

Right of cancellation or deletion, pursuant to which you may request the deletion of your personal data in the cases provided for in Article 17 of the Data Protection Regulations.

Right to limit the data processing, pursuant to which you may request the limitation or restriction of the processing of your personal data, in which case your personal data shall only be stored for the filing or the legal defence of any claims, or for the purposes of judicial requests or legal requirements.

In relation to decisions based solely and exclusively upon automated data processing that result in legal effects or that significantly affect you similarly to that of the foregoing legal effects, you have the right to request human intervention in relation to said decision, as well as to express your point of view, and you may also challenge said decision.

Transfer of personal data. When the data processing is based upon your express consent and said data processing is carried out by automated processes, you have the right to request the transfer of your personal data that you have provided to us, and to receive said personal data in a structured format, commonly used and for typed reading, and that said personal data be transferred to another data processor, in accordance with the provisions of Article 20 of the Data Protection Regulations.

Revocation of your consent. At any time whatsoever, you may revoke your consent that you have previously provided to us, without any type of detriment or penalty to you whatsoever.

Claims. . In any event, you may file a claim with the Data Protection Manager of the company by way of an email forwarded to the email address: se.ejaivedsoruges-ogre@dpd. Moreover, you also have the right to file any claim whatsoever before the competent supervisory authority, in Spain, the Spanish Data Protection Agency, without prejudice, as the case may be, to the functions and powers of any other regional or supranational authorities, in accordance with the Data Protection Regulations and national regulations, depending upon your place of residence or location.

9. RIGHTS. HOW TO EXERCISE MY RIGHTS?

You may exercise your rights by way of letter addressed to “ERGO SEGUROS DE VIAJE EUROPAÏSCHE REISEVERSICHERUNG AG”, SPANISH BRANCH at Av. Isla Graciosa, 1, 28703 San Sebastián de los Reyes, Madrid, Spain, or by way of email to: se.ejaivedsoruges-ogre@dpd. In both cases, you must also attach a copy of your D.N.I. (National Identification Document), or equivalent official identification document.

10. SOURCE OF MY PERSONAL DATA. WHERE IS MY PERSONAL DATA OBTAINED?

If you have contracted your insurance policy via the internet, or in the case that you contact us in order to file a claim, the personal data shall be provided by you, or by third parties that you have authorised for said purposes, for example in the case of the legal representatives of minors or incapacitated persons for which the insurance policy is contracted or for which a policy is to be managed, or from the person that is filing the claim on your behalf.

In the case of collective insurance policies, your minimum personal data (name, surname(s) and, occasionally, your D.N.I. (National Identification Document)) shall be provided by the policyholder or the person that contracts the insurance policy (the travel agency, for example).

11. CATEGORIES OF PERSONAL DATA THAT IS PROCESSED

Identification particulars, such as your name, surname(s), address, telephone, as well as postal addresses or email addresses.

In relation to the «cookies», a specific cookies policy exists that you can read on our web page.

Financial and socio-economic information, for example your age, family or marital situation, occupation, etc., however only when specifically required.

Identification codes or passwords, such as user names and passwords that are generated so that you can use our “web site”, as well as the “IP” addresses associated with a specific operation.

Your voice, if you use telephone services to file your claim or for other purposes.

12. WHAT OBLIGATIONS DO I HAVE WHEN PROVIDING MY PERSONAL DATA?

We presume that the personal data that you have provided to us is correct and accurate. Please notify us of any modifications that take place in relation to the personal data that you have provided to us. The foregoing is particularly important in the cases in which, for example, you change your address (so that our letters to you are not forwarded to an incorrect address), your email or your telephone number.

Furthermore, if you provide personal data regarding a third party, such as insured parties, or beneficiaries, you must have obtained the consent thereof and provide them with a copy of these clauses that they shall be deemed to have accepted.