You Think your Privacy is Important. So Do We!
We are Athora, the parent company of, among others, Zwitserleven and Reaal (Leven). We offer insurance policies and other financial products and services.
We collect your personal data when you purchase products or services from us, when you visit our websites or when you use our mobile apps, if your employer has arranged a pension scheme with us or if you are the beneficiary of an insurance policy. We also need personal data to be able to provide, maintain and improve our products and services. We handle your personal data safely and with due care in everything we do. In this Privacy Statement we explain, among other things, what we do with which personal data, why we need personal data, when we share personal data with third parties, how we protect personal data and what your rights are.
Athora takes your privacy seriously. If you want to exercise your right of access or if you have a question or a complaint, you can contact our Data Protection Officer at email@example.com or by post at Athora, fao Data Protection Officer (functionaris voor de gegevensbescherming), PO Box 274, 1800 BH Alkmaar, the Netherlands. If you are still not satisfied after a complaint has been handled, you can contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), the Dutch regulator.
We may amend this Privacy Statement. This Privacy Statement was most recently amended in .
Finally, if you are in doubt about whether a message, app or website originated with us, or if you have discovered a personal data breach, please contact firstname.lastname@example.org.
Who We Are
Athora Netherlands N.V. is responsible for the processing of personal data by Athora Netherlands N.V. and its Dutch subsidiaries.
We process your personal data in accordance with the General Data Protection Regulation (GDPR), which took effect in all of Europe on 25 May 2018, and the Code of Conduct for the Processing of Personal Data by Insurers (Gedragscode Verwerking Persoonsgegevens Verzekeraars). We ensure that Athora Netherlands N.V. and its Dutch subsidiaries comply with the legislation and regulations on privacy that apply to them. Athora Netherlands N.V. has a number of subsidiaries, including:
- SRLEV N.V. – provides term life and pension insurance as well as unit-linked policies (among other things) and provides financial services under the names Zwitserleven, Reaal and Zwitserleven Pensioenadvies.
- Zwitserleven PPI N.V. – administers pension schemes as an Institute of Occupational Retirement Pension (IORP).
Which Personal Data do We Collect?
Personal data is any data that pertains to a person and that can be traced back to that person. Different bits of data, gathered together, are also capable of being traced back to a person. For example: your gender alone does not constitute personal data, but it may well do if it is combined with your postcode and age. The personal data that we collect at Athora is made up of the following four categories:
Personal Data Necessary for Providing Products or Services
This includes, for example, your name, address, place of residence, email address, telephone number, date of birth, bank account number, employer, start and end dates of your employment and income details. It also includes the type and term of the agreement you conclude with us, the premium and the policy number. We also collect data when payout claims are submitted. This also includes the data we record whenever you contact our employees.
Personal Data on Your Use of Our Website, Apps and Social Media
When you visit our websites or use our apps, we record the IP address, the internet service provider, the browser you are using, the operating system, your click behaviour and the web pages you visit. We also record the date and time of your visit and, if applicable, the website from which you were referred to our website. Depending on the preferences you have set on social media sites, certain data may be shared with us. For more information about cookies and other comparable technologies we use, please see our cookie statement.
Special Personal Data
As an insurer, we sometimes need special personal data to enable us to perform our agreements. For example, medical data if you want to take out life insurance. This personal data is accessible to a small group of employees and only if this is necessary for them to perform their work (see Section 5b). If we do not need the data to perform an agreement, we will only use it if we have a legal obligation to do so or if you give your consent.
Sensitive Personal Data
This includes financial data, social security number, passport, driving licence, location, account login details etc. In addition, a small group of persons process criminal data, but only when necessary for them to perform their work, for the purpose of preventing abuse, fraud and crime.
What Do We Use Personal Data For?
To Be Able to Review, Conclude and Perform the Agreement or the Formation of It
We use personal data for formulating and performing the agreement. We need your personal data to review your application and/or claim, for your employer’s registration of you with a pension scheme and to provide our products and services.
We may also use data that is available from public sources, such as Statistics Netherlands (CBS) and the Land Registry, and from market research agencies to enable us to review your application or registration. In addition, in its capacity as an administration agency for pension schemes, Zwitserleven has access to the Persons Database (basisregistratie personen). We use these sources so that you do not have to provide as much information when you fill out your application. Moreover, we use this data to improve the quality of our personal data, to check data provided and to align the price with your personal situation as much as possible.
We may review your application or registration by means of a fully or partly automated process. If this is the case, we will inform you about this. If you do not agree with the result of an automated review and/or handling, please contact us.
After we approve your application or process your registration, we use your personal data to perform the agreement and to provide our products and services. A few examples are listed below.
- We use your contact details to send you your policy and invoices and to answer your questions. We also register your questions in our systems.
- We process any changes you notify us of in, for example, the composition of your household. Such changes may affect premiums and/or coverage.
- If you are entitled to a payout, we will use your bank account number for the payment instruction.
- We use your personal data to perform our online services. For example, we make your personal data and policy available within your secure personal account and save your settings preferences.
- We may record telephone conversations for the purpose of training and coaching, to prevent and combat fraud and abuse and to comply with legal obligations. You are entitled to listen to the recorded telephone conversation.
For the Purpose of Aligning our Products and Services with You and Sending You Relevant Information
We strive to offer you the very best products and services that make your life as easy as possible. We only send you messages containing news and offers from Athora and its Dutch subsidiaries that are relevant to you. We use several different digital media to send you our messages. These include email, apps, social media and your personal account. We may, for example, send you messages about the latest developments, news, promotions, competitions, loyalty programmes, general offers and our new or existing products or services.
We use your personal data to align our services, products and messages to your preferences and behaviour. We do this based on our legitimate interest. We carefully balance our interests against your interests. We combine and analyse the following personal data within Athora Netherlands N.V. and its Dutch subsidiaries for this purpose (see also Section 10):
- Personal data that you provide to us and data about your purchase of a product or service, such as the type of insurance and its duration.
- Personal data that you share with us when you visit our websites and use our apps, such as your click behaviour (see also Section 2b).
- Data from public sources and from market research agencies. We use these sources to subdivide customers into segments and target groups. This allows us to better align our adverts to your personal situation, wishes and needs (see also Section 10).
- Personal data that you have shared with us via your social media profile, provided that you have given us your consent for this.
If you no longer wish to receive messages from us, you can easily unsubscribe from all commercial news messages at any time. One way to do this is by clicking on the appropriate link provided in the message.
To Prevent and Combat Fraud and Abuse
As a financial service provider, we strive to prevent customers from abusing our trust by committing fraud. Prior to and during the term of the agreement, we process personal data for the purpose of preventing, identifying, investigating and combating fraud. We do this based on our legitimate interest. We carefully balance our interests against your interests.
Automated processing may be used to perform risk assessments on applications focusing on possible fraud. For this purpose, we collaborate with FRISS, a third party that provides risk assessments and identifies fraud risks for the insurance sector. On the basis of this assessment, we decide whether further investigation by our Fraud & Integrity department is necessary. When you submit an application, we also ask about any criminal record you may have had over, at most, the past eight years prior to the application. We may also record your personal data or consult your personal data held at the Foundation Central Information System (Stichting Centraal Informatie Systeem, “CIS”) of insurance companies operating in the Netherlands, based in The Hague. Among other things, insurers use the CIS database to assess the reliability of claims and to combat fraud. For more information and the CIS privacy statement that applies in such cases, please visit www.stichtingcis.nl.
If you are the beneficiary of a payout under an insurance policy, we may for example check whether your name is listed in an incidents register. In exceptional cases, we may for example use surreptitious surveillance.
Athora also maintains its own incidents register comprising incidents that may be relevant to Athora’s security and integrity. Data from the incidents register may be exchanged within Athora as well as outside Athora with, for example, other financial institutions if a match is found in the external reference register. In doing so we adhere to the Insurers and Criminality Protocol (Protocol Verzekeraars en Criminaliteit) and the Incident Warning System for Financial Institutions Protocol (Protocol Incidentenwaarschuwingssysteem Financiële Instellingen) of the Dutch Association of Insurers (Verbond van Verzekeraars). Only a restricted group of employees has access to this data. If it is proved that you have committed fraud, your personal data will be entered in the incidents register and sanctions may be imposed. The possible sanctions are set out in our fraud policy. We may, for example, decide not to pay out or to report the fraud to the police.
For the Purpose of Complying with Our Legal Obligations
As a financial service provider, specific laws sometimes require us to record certain personal data. The Money Laundering and Terrorist Financing (Prevention) Act (Wet ter voorkoming van witwassen en financieren van terrorisme, “Wwft”) requires us to determine and verify the identity of our customers. In addition, under the Sanctions Act (Sanctiewet), we are required to check data pertaining to our customers against lists of sanctioned persons (terrorism) compiled by recognised authorities.
In addition, we are obliged to transfer personal data to government institutions, supervisory authorities, courts or other financial institutions upon request; for instance to the Dutch Tax & Customs Administration, the Netherlands Authority for the Financial Markets (AFM), the Netherlands Authority for Consumers and Markets (ACM), De Nederlandsche Bank (DNB), the Pensions Register Foundation (Stichting Pensioenregister) (www.mijnpensioenoverzicht.nl) or an investigative authority such as the police, the Fiscal Intelligence and Investigation Service (Fiscale Inlichtingen- en Opsporingsdienst (FIOD)) or the Public Prosecution Service.
For the Purposes of Research and Innovation
In order to improve, evaluate and innovate our products and services, we carry out research, sometimes in conjunction with universities and universities of applied sciences, into general trends in the use of our products and services and the general features and preferences of our customers and potential customers. We carry out customer and market research, for example, on the purchase of products and our service provision. We do this based on our legitimate interest. We carefully balance our interests against your interests.
For such research, we often use data that is no longer traceable to you personally. Research and analysis sometimes require the use of personal data, but the outcomes and results are often based on data at segment or target group level (see also Section 10). In all cases, we take measures to secure your personal data.
Central Storage and the Exchange of Personal Data within Athora Netherlands N.V. and its Dutch subsidiaries
We store personal data in a central location. This personal data is also available to the Dutch subsidiaries of Athora Netherlands N.V., in so far as this is necessary. We do this for the following reasons:
- to ensure that information can be retrieved from one central location and can be released in a controlled manner to the persons who need it for the performance of their work;
- for the purposes of maintaining a responsible acceptance policy and preventing and combating fraud and abuse;
- to better assess risks and premiums;
- to be able to quickly answer any general questions you may have about the products and services of the Dutch subsidiaries of Athora Netherlands N.V.;
- to provide you with a high-quality and efficient service;
- for the purpose of aligning our products and services to you, for sending you appropriate and relevant information and for contacting you about other products if you have given us your consent for this;
- to guarantee the quality of the personal data;
- for the purposes of research and innovation; and
- for use in internal reports and management reports.
To Whom do We Provide your Personal Data?
Advisers, Intermediaries and Authorised Agents
For some services and products, we collaborate with independent advisers, intermediaries and/or authorised agents. They are each independently responsible for processing your personal data. You can use such advisers to submit an application or to report changes. We may also exchange your personal data with independent advisers and franchisees for use in marketing activities, but only if you have given your consent for this.
Doctors and Medical Advisers
We require your medical personal data for some financial products and services. Within Athora, this personal data is only accessible to a small group of employees and only in so far as this is necessary for the performance of their work. We also work closely with medical consultancies and occupational health and safety companies and reintegration firms. We conclude agreements with these parties to ensure that they safeguard the security of your personal data. Only registered medical advisers (doctors) who are bound by professional confidentiality and persons under their direct supervision have access to your medical file.
We have subcontracted the provision of medical advice for occupational disability insurance as part of pension and life insurance policies to specialist consultancies. These consultancies also handle the medical administration. Athora’s claim adviser remains the primary point of contact for customers who receive benefits under an occupational disability policy.
Employers, in Connection with Personal Pension Scheme
When we administer a personal pension scheme that was taken out for your benefit, we may share your personal data with your employer in specific circumstances. We will ensure that we do so in a secure manner.
Other Companies We Work With
Several examples of types of companies we work with are listed below. We sometimes do this because it is more efficient or because these parties are better than we are at one aspect of our service provision. We only provide these parties with the personal data they require to perform the subcontracted work. We have taken the requisite contractual and organisational measures with these parties to ensure that your personal data are processed for these purposes only and that this is done in a secure manner.
- Service providers that specialise in the acceptance and administration of mortgages.
- Debt collection agencies for preventing or restricting payment arrears.
- Companies we engage to increase the operational efficiency of our company. They provide us with support for the purpose of improving our services, achieving faster lead times and helping us to handle seasonal peaks better.
Government Institutions, Regulators and Other Financial Institutions
We will only provide your personal data to government institutions (such as the Dutch Tax & Customs Administration and the police) and to regulators (such as the Netherlands Authority for the Financial Markets and De Nederlandsche Bank) if we have a legal obligation to do so. In addition, in some cases, we may need to register you in warning systems used by insurers (Stichting CIS). Finally, we may also be compelled by a court order to provide personal data.
Service Providers for Mail, Printing, IT, etc.
We may engage third parties to carry out certain activities. These include PostNL and IT service providers that maintain, design and improve our IT systems, tools and portals.
Universities, Universities of Applied Sciences and Research Agencies
See Section 3e.
There are some major risks that Athora cannot or does not want to bear itself and that have therefore been transferred to reinsurers. Reinsurers take on some of the risk. They may also carry out audits and inspect personal data.
International Transfer of Personal Data
In principle, Athora does not transfer personal data to countries outside the EEA (European Union and Norway, Iceland and Liechtenstein). Some of our suppliers or the third parties we work with are established in countries outside the EEA, or they store data outside the EEA. Regulations in these countries do not always afford the same level of protection as those within the EEA. This is why we conclude agreements with these parties to ensure that privacy is safeguarded to a similar extent as in the EEA.
Security of Your Personal Data
We have taken appropriate technical and organisational security measures to protect your personal data against misuse and unlawful or unauthorised use. To this end, we have implemented an IT security policy based on the ISO 27001 standard. Our IT processes and structure are based on this policy, and these processes in turn give further protection to personal data.
We adhere to strict access and security policies that apply to all personal data. Moreover, all of our employees are obliged to keep your personal data secret.
Be careful with the devices you use for our online services and take your own security measures. If you are unsure about whether a message, app or website originates with us, or if you discover a weak spot in our services, please contact us via email@example.com. Where necessary, we will inform the Dutch Data Protection Authority of this.
We do not use your personal data for any longer than is necessary for the purposes for which we obtained it.
The period during which certain personal data are stored depends, among other things, on the nature of the personal data, the purposes of the processing and legislation. Tax law, for example, requires us to keep data for at least 7 years.
In some cases, it is our choice to retain personal data for a long time, sometimes even for years after you have stopped being our customer or if you have died. This is not for commercial purposes but because, on the basis of our duty of care, we want to be able to make payouts if any beneficiaries should come to us. We may also retain your personal data for a longer period if we expect we will need it for legal proceedings in the future.
In other words, the retention period can differ for each business unit and each purpose. Athora has a policy for storing data and monitors compliance with the measures taken. We will share this policy with you upon request.
After the expiry of the retention period, your personal data will be deleted or converted into data that can no longer be traced back to you. We will then only use the data for historical, statistical or scientific purposes.
Other Environments and Social Media
Depending on the preferences you have set on social media, certain personal data may be shared with us when you use social media. One example of this is using social media to contact us. We will then receive the information linked to your public profile. We can use Facebook to ensure that only our customers and users can view our messages via Facebook. For more information, please go to facebook.com. For more information about social media cookies, please see our cookie statement.
If you use social media to contact us, we cannot guarantee the security of any personal data that you share with us via social media such as WhatsApp. Many social media providers are established outside the EEA and store your personal data outside the EEA. For this reason, it is possible that your personal data does not enjoy the same level of protection there as it does within the EEA. This is your own responsibility. We therefore recommend that you do not disclose any confidential, special and/or sensitive personal data to us via social media. We will never use social media to share such information with you.
For more information on the personal data we receive and to adjust your settings, please consult the website and the privacy statement of the social media provider. The use of these services is your own responsibility. This Privacy Statement does not apply to third-party services.
Profiling for Commercial Purposes
Profiling is a way of making predictions about a person’s future situation, preferences, interests and behaviour by analysing data on individuals and events and making connections between them. Athora uses profiling for commercial purposes.
Profiling may result in an incorrect representation of an individual. For this reason, when developing our computer programs, we implement controls to prevent any unwanted effects for you and for us. Moreover, prior to using profiling, Athora is required to carry out an investigation into the necessity and the risks associated with this processing. Finally, you have a number of rights if profiling is used, like the right to object.
We use, analyse and combine public sources of data with internal data of large groups of customers and your data to make predictions to align our advertisements accordingly. We can also use such analyses to predict when you might cancel. This may lead us to send you a new offer.
We use tracking cookies to register details about which of our website pages you visit, your click behaviour and the search terms you enter. We record this data in a user profile. We update your profile each time you visit our website. We also use advertising cookies to show you offers and advertisements that may be of interest to you, both on our apps and on our websites. We will only do this with your prior consent.
As a customer or user of our services, you have a number of rights which are described below. If you wish to invoke these rights, you can contact our Data Protection Officer at firstname.lastname@example.org. Before we can handle your request, we may ask you to identify yourself. We do this to make sure that we do not disclose any of your personal data to an individual posing as you.
We will send you a first response within five working days. We aim to provide you with a reasoned response within a month’s time. This is, however, not always possible if the case is a complicated one. In that case, we will inform you of this in good time, stating when you can expect to receive a reply from us.
Right of Access
You have a right to see all your personal data processed by us and you have a right to know the purposes for which we use this personal data and, where applicable, to which third parties we have disclosed this personal data.
Right of Rectification
You may give instructions to change your personal data if it is incorrect.
Right to Have Personal Data Deleted
You have the right to have your personal data deleted if we no longer need it for the purpose for which it was collected. It is possible, however, that we do have an interest in retaining your file for a longer period of time, for example because a legal retention period applies or due to fraud. In that case, we may not be able to comply with your request fully or at all.
Right to Object
You may object to our use of your personal data if we use your personal data for other purposes or on other bases than the performance of an agreement, compliance with a legal obligation or Athora’s legitimate interests. You may, for example, object to the use of your personal data for profiling as referred to in Section 10 or for research.
Right to Restriction of Processing
Under certain circumstances you have the right to restriction of the processing of your personal data. If this right applies we will temporarily refrain from using your personal data. We will however retain them.
Right Not to Be Subjected Only to Automated Decision-Making
The review of your application may be partly automated. If this is the case, we will expressly inform you about this. If you do not agree with the result of an automated decision, please contact us.
Right to Data Portability
You have the right to request us to transfer the personal data you have provided to us to another insurer and/or to have the relevant personal data sent to you.
Right to Withdraw Consent
In those cases where we can only use personal data with your explicit consent, you have the right, at any time, to withdraw the consent you granted previously.