Ensuring compliance as well as the confidentiality, integrity and availability of information is of the utmost importance to us. The most significant rules in this regard are set out with binding effect for all members of staff in our Code of Conduct and in our information security and data privacy policies.
The existing structures of the established compliance organisation are used to implement the requirements of data privacy law. The EU General Data Protection Regulation, which entered into force on 25 May 2018, is an important step towards a harmonised single European market and puts in place a consistent level of data protection Europe-wide. It is not directly applicable to Hannover Re companies whose registered office is located outside the EU or EEA; for these companies, the respective national law is determinative. Compliance with the GDPR is, however, also required if these companies offer goods or services to data subjects in the EU. Irrespective of the scope of application of the GDPR, the designated compliance officers or contact persons are responsible for the local requirements of data protection. They develop local guidelines on data protection as needed and serve as the interface to Hannover Re's Data Protection Officer in Germany.
Our Data Protection Officer assumes all functions, responsibilities and rights as set out according to the GDPR and the new German Federal Data Protection Act (BDSG). In this context, the monitoring of data protection requirements takes place in close consultation with Group Auditing. The findings of the separate reporting on data protection are integrated into the annual compliance report. No complaints were received about privacy breaches affecting personal data or the loss of such data during the period under review. There was therefore no requirement to fulfil the duty to notify data breaches pursuant to Articles 33 and 34 of the GDPR.
An information security management system has been set up Group-wide for operational assurance of the protection requirements under data privacy law, the so-called technical and organisational measures (TOMs), as well as for ensuring the security of all other sensitive information within the company. In organisational terms, information security management is coordinated centrally by the Group Information Security function and incorporates all relevant functions, including for example Group IT for matters of IT security, Facility Management with respect to building security or indeed each individual member of staff as a processor of information.
Risks arising out of the areas of data protection and information security are integrated into the system of risk management as operational risks and monitored there.
In view of the broad spectrum of such risks, many diverse technical and organisational measures for both managing and monitoring such risks are used, including for example a requirement to conclude confidentiality agreements with service providers. In addition, awareness among our employees of such security risks is raised through practically oriented assistance measures, training activities and a staff information campaign.
Our information security management system is geared to ISO 27001. In addition, we conduct an annual NIST-based self-assessment with the support of an outside security consultant. We participate in various cooperative projects undertaken by our industry and engage in a regular dialogue with advocacy groups such as VOICE Bundesverband der IT-Anwender e.V. in the context of the Cyber Security Competence Center.