As part of our business activities we process and store personal data. These data are required primarily in the context of underwriting, for providing customer- and contract-related services and in claims and benefit management. Personal data are also collected, processed and stored in connection with, among other things, human resources management and shareholder administration. We further process personal data in order to assert our own legitimate interests or those of third parties; in particular, this may be necessary to safeguard IT security and IT operations and to meet regulatory requirements. It is incumbent on the Hannover Re Group to uphold the statutory data privacy rights of data subjects, and we have implemented appropriate procedures and methods for this purpose. The general principle is that Group employees may collect, process and store personal data only to the extent necessary for a precisely defined purpose as part of their lawful task fulfilment, or where a corresponding legal basis exists. We make use of external service providers to some extent in order to perform our contractual and statutory duties. These external data recipients are treated as part of our data processing operations, as are brokers, outside experts and business partners. All external recipients are contractually bound to comply with statutory data protection requirements and are reviewed for compliance.
The EU General Data Protection Regulation (GDPR), which has applied directly in all Member States since 25 May 2018, is an important step towards a harmonised single European market and puts in place a consistent level of data protection Europe-wide. It does not directly apply to Hannover Re entities whose registered office is located outside the European Union or the European Economic Area. The respective national legal frameworks are primarily determinative for these companies, although the defined minimum data protection standards of the Hannover Re Group must be observed. Compliance with the GDPR is nevertheless required if these companies offer goods or services to data subjects in the EU (Article 3(2) GDPR; monitoring the behaviour of such data subjects within the EU triggers the same obligation). The existing structures of the established compliance organisation are used to implement the minimum standards required by data privacy law. Irrespective of the geographical scope of application of the GDPR, the designated compliance officers and contact persons are responsible for local data protection requirements. As necessary, they draw up additional local data privacy guidelines and serve as the interface to Hannover Re's Data Protection Officer in Germany.
The Data Protection Officer coordinates the overarching aspects of the data privacy management system installed within the Hannover Re Group. He advises on how to resolve specific data privacy issues and monitors compliance with the GDPR and other data protection standards. This monitoring of data privacy requirements takes place in close coordination with Group Auditing. The findings of the separate reporting on data protection are integrated into the annual compliance report. No complaints were received about privacy breaches affecting personal data or the loss of such data during the period under review, and no personal data breach became known that would have triggered the notification duties under Article 33 GDPR (notification of the supervisory authority within 72 hours of becoming aware of the breach) or Article 34 GDPR (communication to the affected data subjects where the breach is likely to result in a high risk to their rights and freedoms).
An information security management system (ISMS) aligned with ISO/IEC 27001 has been set up Group-wide to provide operational assurance for the protection requirements under data privacy law and to ensure the security of all other sensitive information within the company. In organisational terms, information security management is coordinated centrally by the Group Information Security function and incorporates all other relevant functions, for example Group IT for matters of IT security or Facility Management for building security. In addition, employee awareness of such security risks is raised through practical guidance, training activities and a staff information campaign. Risks arising in the areas of data protection and information security are integrated into the risk management system as operational risks and are monitored there.
In view of the broad spectrum of such risks, a wide range of technical and organisational measures is used to manage and monitor them, including for example the requirement to conclude confidentiality agreements with service providers.
In addition to an annual, externally supported self-assessment of the management system's maturity level, we participate in various cooperative projects undertaken by our industry and engage in a regular dialogue with industry associations such as the Bundesverband der IT-Anwender e. V. in the context of the Cyber Security Competence Center.