VIVAT and your privacy
We want you to know how we treat your personal data so that you can trust that your data is in good hands. We process your personal data in accordance with the General Data Protection Regulation (GDPR), that has come into effect on May 25, 2018.
VIVAT NV is responsible for the processing of personal data by all companies within the VIVAT group. We ensure that all companies within the VIVAT group comply with the applicable legislation and regulations on privacy. The VIVAT group comprises VIVAT NV and all its current and future subsidiaries, including:
- VIVAT Schadeverzekeringen NV – provides home contents, liability, occupational disability, travel and car insurance (among other things) and provides financial services under the names Reaal, Zwitserleven, Reaal Dier & Zorg, Route Mobiel, nowGo and Vigi.
- SRLEV NV – provides life, mortality risk and pension insurance as well as unit-linked policies (among other things) and provides financial services under the names Zwitserleven, Reaal and Zwitserleven Pensioenadvies.
- Zwitserleven PPI NV – administers pension schemes as an Institute of Occupational Retirement Pension (IORP).
- Volmachtkantoor Nederland BV – acts as authorised agent for a number of insurance companies and is part of VIVAT Schadeverzekeringen NV
- ACTIAM NV – provides financial services and carries out asset management activities for business clients under the name ACTIAM, and to private customers under the name Zwitserleven Beleggen.
1. What personal data do we collect?
Personal data is any data that pertains to a person and that can be traced back to that person. Different bits of data, gathered together, may also be traced back to a person. For example: your sex alone does not constitute personal data, but it may well do if it is combined with your postcode and age. The personal data that we collect at VIVAT is made up of the following four categories:
- Personal data necessary for providing products or services
This includes, for example, your name, address, place of residence, e-mail address, telephone number, date of birth, bank account number, car registration number, employer, start and end dates of your employment contract, income details and claims history. It also includes the type and term of the agreement you conclude with us, the premium and policy terms and conditions plus the policy number. We also collect data and the amount of any pay out when you submit a claim. This also includes the data we record whenever you contact our employees.
- Personal data on your use of our website, apps and social media
When you visit our websites or use our apps, we record the IP address, the internet service provider, the browser you are using, the operating system, your click behaviour and the web pages you visit. We also record the date and time of your visit and, if applicable, the website from which you were referred to our website. Depending on the preferences you have set on social media sites, certain data may be shared with us. For more information about cookies and other comparable techniques we use, please see our cookie statement.
- Special personal data
As an insurer, we sometimes need special personal data to enable us to perform our agreements. This may include medical data if you want to take out an invalidity insurance, life insurance or mortality risk insurance (see Chapter 4 under b). This personal data is accessible to a small group of employees and only in so far as this is necessary in connection with their position.
If we do not need the data for the performance of an agreement, we will only use it if we have a statutory obligation to do so or if you give your consent.
- Sensitive personal data
This includes financial data (about your pension, but also your bank card and credit card), social security number, passport, driving licence, location, account login details etc. In addition, a small group of persons process criminal data, but only when necessary in connection with their position, for the purpose of preventing abuse, fraud and crime.
3. What do we use personal data for?
a) To be able to review, conclude and perform the agreement or the formation of it
We use personal data for preparating and performing the agreement. We need your personal data to review your application and/or claim, for your employer’s registration with a pension fund, to deliver our products and to perform our services.
We may also use data that is available from public sources, such as Statistics Netherlands (CBS), the Land Registry, the National Vehicle and Driving Licence Registration Authority (RDW) and from market research agencies to enable us to review your application or registration. In addition, in its capacity as an administration agency for pension schemes, Zwitserleven has access to the Persons Database (basisregistratie personen), which replaces the municipal personal records database. We use these sources so that you do not have to provide as much information when you fill out your application. Moreover, we use this data to improve the quality of our personal data, to check data provided and to align the price with your personal situation as much as possible.
We may review your application or registration and you may submit your claim by means of a partially automated process. If this is the case, we will inform you of it. If you do not agree with the result of an automated review and/or handling, please contact us about it. See Chapter 9 under e.
After we approve your application or process your registration, we use your personal data to perform the agreement and to provide our products and services. A few examples are listed below.
- We use your contact details to send you your policy and invoices and to answer your questions. We also register your questions in our systems.
- We use your claim notice to determine whether you are entitled to a payout.
- Any changes you notify us of in, for example, the composition of your household. Such changes may affect premiums and/or coverage.
- If you are entitled to a payout, we will use your bank account number for the payment instruction.
- We use your personal data to provide you with precautionary advice and to inform you about possibilities for preventing damage.
- We use your personal data to perform our online services. For example, we make your personal data and policy available within your secure personal account and save your settings preferences.
- We may record telephone conversations for the purpose of training and coaching or to prevent and combat fraud and abuse, or to comply with statutory obligations. You are entitled to listen to the recorded telephone conversation.
b) For the purpose of aligning our products and services with you and sending you relevant information
We strive to offer you the very best products and services that make your life as easy as possible. We only send you messages containing news and offers from the VIVAT group that are relevant to you. We use several different digital media to send you our messages. These include e-mail, apps, social media and your personal account. We may, for example, send you messages informing you about the latest developments, news, promotions, competitions, loyalty programmes, general offers and our new or existing products or services.
We use your personal data to align our services, products and messages to your preferences and behaviour. The companies within the VIVAT group combine and analyse the following personal data for this purpose (see also Chapter 9):
- Personal data that you provide to us and data about your purchase of a product or service, such as the type of insurance and its duration.
- Personal data that you share with us when you visit our websites and use our apps, including your click behaviour (see also Chapter 2 under b).
- Data from public sources and from market research agencies. We use these sources to subdivide customers into segments and target groups. This allows us to better align our adverts to your personal situation, wishes and needs (see also Chapter 10 under b).
- Personal data that you have shared with us using your social media profile, provided that you have given us your consent for this.
- If you no longer wish to receive messages from us, you can at all times easily unsubscribe from all commercial news messages. One way to do this is by clicking on the appropriate link provided in the message.
c) To prevent and combat fraud and abuse
As a financial service provider, we strive to prevent customers from abusing our trust by committing fraud. Prior to and during the term of the agreement, we process personal data for the purpose of preventing, identifying, investigating and combating fraud.
Automated processing can be used to perform risk assessments on applications which focus on fraud. For this purpose, we collaborate with FRISS, a third party that provides risk assessments and identifies fraud risks for the insurance sector. On the basis of this assessment, we decide whether further investigation by our Fraud & Integrity department is necessary. When you submit an application, we also ask about any criminal record you may have had over, at most, the past eight years prior to the application, and we consult public sources and the Central Information System Foundation (“Stichting CIS”) for this purpose. The Stichting CIS enables insurers to exchange information. If, for example, you submitted one or more claims to other insurance companies, they will have been recorded in this database and VIVAT may attach consequences to this. The data that we record with Stichting CIS is also used for statistical analyses and for the benefit of the security and integrity of the financial sector. For more information, please go to www.stichtingcis.nl.
If you submit a claim for a payout under an insurance policy, we may for example check whether your name is listed in an incident register. In exceptional cases, we may for example use surreptitious surveillance.
VIVAT also maintains its own events records comprising events that may be relevant to VIVAT’s security and integrity. For this, we adhere to the Insurers and Criminality Protocol (Protocol Verzekeraars en Criminaliteit) and the Protocol Incident Warning System for Financial Institutions (Protocol Incidentenwaarschuwingssysteem Financiële Instellingen) of the Dutch Association of Insurers (Verbond van Verzekeraars).
Data from the incident registers may be exchanged within VIVAT. Only a restricted group of employees has access to this data. If it is proved that you have committed fraud, your personal data will be entered in the incident register and sanctions may be imposed. The possible sanctions are set out in our fraud policy, which is available on our website. We may, for example, decide not to pay out the damage claimed or to report the fraud to the police.
d) For the purpose of complying with our statutory obligations
As a financial service provider, specific laws sometimes require us to record certain personal data. The Money Laundering and Terrorist Financing (Prevention) Act (Wet ter voorkoming van witwassen en financieren van terrorisme, “Wwft”) requires us to determine and verify the identity of our customers. In addition, under the Sanctions Act (Sanctiewet), we are required to check data pertaining to our customers against lists of sanctioned persons (terrorism) compiled by recognised authorities.
In addition, we are obliged to transfer personal data to government institutions, supervisory authorities, courts or other financial institutions upon request; for instance to the Dutch Tax & Customs Administration, the Netherlands Authority for the Financial Markets (AFM), the Netherlands Authority for Consumers and Markets (ACM), De Nederlandsche Bank (DNB), the Pensions Register Foundation (Stichting Pensioenregister) (mijnpensioenoverzicht.nl) or an investigative authority such as the police, the Fiscal Intelligence and Investigation Service (Fiscale Inlichtingen- en Opsporingsdienst (FIOD) or the Public Prosecution Service.
e) For the purposes of research and innovation
In order to improve, evaluate and innovate our products and services, we carry out research, sometimes in conjunction with universities and universities of applied sciences, into general trends in the use of our products and services and the general features and preferences of our customers and potential customers. We carry out customer and market research, for example, on the purchase of products, claim behaviour and our service provision.
For such research, we often use data that is no longer traceable to you personally. Research and analysis sometimes require the use of personal data, but the outcomes and results are often based on data at segment or target group level (see also Chapter 9). In all cases, we take measures to secure your personal data.
3. Central storage and the exchange of personal data within the VIVAT group
We store personal data in a central location. This personal data is also made available to other VIVAT companies, in so far as this is necessary. We do this for the following reasons:
- to ensure that information can be retrieved from one central location and can be released in a controlled manner to the persons who need it for the performance of their work;
- for the purposes of maintaining a responsible acceptance policy and preventing and combating fraud and abuse;
- to be able to better assess risks and the amount of premiums;
- to be able to quickly answer any general questions you may have about the products and services of the various VIVAT companies;
- to provide you with a high-quality and efficient service;
- for the purpose of aligning our products and services to you, for sending you appropriate and relevant information and for contacting you about other products, provided that you have given us your consent for this;
- to guarantee the quality of the personal data;
- for the purposes of research and innovation; and
- for use in internal management reports.
4. To whom do we provide your personal data?
a) Advisers, intermediaries and authorised agents
For some services and products, we collaborate with independent advisers, intermediaries and/or authorised agents. They are each independently responsible for the processing of your personal data. You can use such advisers to submit an application or a claim. We may also exchange your personal data with independent advisers and franchisees for use in marketing activities, but only if you have given your consent for this.
b) Doctors and medical advisers
We require your medical personal data for some financial products and services. Within VIVAT, this personal data is only accessible to a small group of employees and only in so far as this is necessary for their position. We also work closely with medical consultancies and health and safety and rehabilitation firms. We conclude agreements with these parties to ensure that they safeguard the security of your personal data. Only registered medical advisers (doctors) who are bound by professional confidentiality and the persons who are under their direct supervision have access to your medical file.
We have subcontracted the provision of medical advice for personal injury claims, invalidity insurance and invalidity insurance as part of a personal pension plan that is not covered by the Dutch Pensions Act (Pensioenwet) to specialist consultancies. These consultancies also handle the medical administration. VIVAT’s claim adviser remains the primary point of contact for customers who receive benefits under an invalidity insurance policy.
c) Employers, in connection with personal pension plans
When we administer a personal pension plan that was taken out for your benefit, we may share your personal data with your employer under specific circumstances. We will ensure that we communicate with your employer in a secure manner.
d) Other companies with which we work
Several examples of types of companies with which we collaborate are listed below. We may work with these companies because it is more efficient or because these parties are better than we are at one aspect of our services. We only provide these parties with the personal data they require to perform the subcontracted work. We have taken the requisite contractual and organisational measures with these parties to ensure that your personal data are processed for these purposes only and that this is done in a secure manner.
- Service providers that specialise in the acceptance and administration of mortgages.
- Debt collection agencies for preventing or restricting overdue payments.
- Companies we engage to increase the operational efficiency of our company. They provide us with support for the purpose of improving our services, achieving faster lead times and helping us to handle seasonal peak loads better.
- Start-up companies to stimulate innovation. We only exchange personal data with these start-up companies after you have given your consent for this.
e) Government institutions, regulators and other financial institutions
We will only provide your personal data to government institutions (such as the Dutch Tax & Customs Administration and the police) and to regulators (such as the Netherlands Authority for the Financial Markets and De Nederlandsche Bank) if we have a statutory obligation to do so. In addition, in some cases, we may need to register you in warning systems used by insurers (Stichting CIS). Finally, we may also be compelled by a court order to provide personal data.
f) Service providers for mail, printing, IT, etc.
We may engage third parties to carry out certain activities. These include PostNL (for shipping packages) or IT service providers that maintain, design and improve our IT systems, tools and portals.
g) Universities, universities of applied sciences and research agencies
See Chapter 2 under e.
There are some major risks that VIVAT cannot or does not want to bear itself and that have therefore been transferred to reinsurers. Reinsurers take on some of the claims. They may also carry out audits and inspect personal data.
5. International transfer of personal data
In principle, VIVAT does not transfer personal data to countries outside the EEA (European Union and Norway, Iceland and Liechtenstein). Some of our suppliers or third parties with which we collaborate are established in countries outside the EEA, or they store data outside the EEA. The regulations of these countries do not always afford the same level of protection as those within the EEA. This is why we conclude agreements with these parties to ensure that privacy is safeguarded to a similar extent as in the EEA.
6. Security of your personal data
We have taken appropriate technical and organisational security measures to protect your personal data against abuse and unlawful or unauthorised use. To this end, we have implemented an IT security policy based on the ISO27001 standard. Our IT processes and structure are based on this policy, and these processes in turn given further protection to personal data.
We adhere to strict access and security policies that apply to all personal data. Moreover, all of our employees are obliged to keep your personal data secret.
Be careful with the devices you use for our online services and take your own security measures. If you are unsure about whether a message, app or website originates from us, or if you discover a weak spot in our services, please contact us via firstname.lastname@example.org. Where necessary, we will inform the Dutch Data Protection Authority of this.
7. Retention period
We do not use your personal data for any longer than is necessary for the purposes for which we obtained it.
The period during which certain personal data are stored depends, among other things, on the nature of the personal data, the purposes of the processing and legislation. Tax law, for example, requires us to keep data for at least 7 years. And we even have to keep medical data for 15 years.
In some cases, it is our choice to keep personal data for a long time, sometimes even for years after you have stopped being our customer of if you have died. This is not for commercial purposes but because, on the basis of our duty of care, we want to be able to make payouts if any surviving dependents should come to us. Or, alternatively, if the personal injury caused by an accident turns out to be more serious than initially expected. Also, in specific cases, we may retain your personal data for a longer period if we expect to need it for legal proceedings in the future.
In other words, the retention period can differ for each business unit and purpose. VIVAT has a policy for storing data and monitors compliance with the measures taken. We will share this policy with you upon request.
After expiry of the retention period, your personal data will be deleted or converted into data that can no longer be traced back to you. We will then only use the data for historical, statistical or scientific purposes.
8. Other environments and social media
Depending on the preferences you have set on social media, certain personal data may be shared with us when you use social media. One example of this is using social media to contact us. We will then receive the information linked to your public profile. We can use Facebook to ensure that only our customers and users can view our messages via Facebook. For more information, please go to facebook.com/business/a/custom-audiences. For more information about social media cookies, please see our cookie statement.
If you use social media to contact us, we cannot guarantee the security of any personal data that you share with us via unsecured social media such as WhatsApp. Many social media providers are established outside the EEA and store your personal data outside the EEA. For this reason, it is possible that your personal data does not enjoy the same level of protection there as it does within the EEA. This is your own responsibility. We therefore recommend that you do not disclose any confidential, special and/or sensitive personal data to us via social media. We will never use social media to share such information with you.
For more information on the personal data we receive and to adjust your settings, please consult the website and the privacy statement of the social media provider. The use of these services is your own responsibility. This privacy statement does not apply to third-party services.
Profiling is a way of making predictions about a person’s future situation, preferences, interests and behaviour by analysing data on individuals and events and making connections between them. VIVAT uses profiling for two different purposes: for risk assessments and setting premiums, and for commercial purposes.
Profiling may result in an incorrect representation of an individual. For this reason, when developing our computer programmes, we implemented controls to prevent any unwanted effects for you and for us. Moreover, prior to using profiling, VIVAT is required to carry out an investigation into the necessity and the risks associated with this processing. Finally, you have a number of rights if profiling is used. Please see Chapter 10 for more information.
a) Profiling for risk assessment and setting premiums
Because we store your personal data in a central location and combine it with data from public sources, we can make predictions based on historical analyses of data of groups of customers. We then use computer programmes to make predictive analyses of the behaviour of customers or other data subjects and we use these to determine the relevant risk (of claims or fraud) and to align our prices to this. We do this to be able to perform our agreement with you as optimally as possible. See Chapter 2 under a and under c.
It also enables us to assess individuals with a profile or risk profile. This allows us to offer you a customised premium. We can, for example, deduce from our data that if you live in a specific postcode and are a certain age, your chances of damage are lower. This affects the premium you pay.
b) Profiling for commercial purposes
In addition, we use, analyse and combine public sources of data with internal data of large groups of customers and your data to make predictions about your purchasing behaviour and to align our advertisements and prices accordingly. We can also use such analyses to predict when you will probably cancel. This may cause us to send you a new offer.
We use tracking cookies to register details about which pages of our website you visit, your click behaviour and the search terms you enter. We record this data in a user profile. We update your profile each time you visit our website. We also use advertising cookies to show you offers and advertisements that may be of interest to you, both on our apps and on our websites. We will only do this with your prior consent. These offers pertain to discounts on products that you purchase regularly, or that we believe you are going to purchase. We base this information on previous purchases and on the purchases made by other customers who bought similar products. See also Chapter 2 under b and Chapter 8.
10. Your Rights
As a customer or user of our services, you have a number of rights which are described below. If you wish to invoke these rights, please contact us. Before we can handle your request, we ask you to share some information and provide us with a copy of your identification. We use this to identify you and to make sure that we do not disclose any of your personal data to an individual posing as you.
We will send you a first response within five working days. We aim to provide you with a reasoned response within a month’s time. This is, however, not always possible if the case is a complicated one. In that case, we will inform you of this in good time, stating when you can expect to receive a reply from us.
a) Right of access
You have a right to see if, and if so what, personal data is processed by us and you have a right to know the purposes for which we use this personal data and, where applicable, to which third parties we have disclosed this personal data.
b) Right of rectification
You may give instructions to change your personal data if it is incorrect.
c) Right to have personal data deleted
You have the right to have your personal data deleted if we no longer need it for the purpose for which it was collected. It is possible, however, that we do have an interest in retaining your file for a longer period of time, for example because a statutory retention period applies or if fraud is involved. In that case, we may not be able to comply with your request fully or at all.
d) Right to object
You may object to our use of your personal data if we use your personal data for purposes other than the performance of an agreement, compliance with a statutory obligation or VIVAT’s legitimate interests. You may, for example, object to profiling as referred to in Chapter 9 under b or to the use of your personal data for research.
e) Right not to be subjected to exclusively automated processing
The review of your application may be partially automated. If this is the case, we will expressly inform you of it. If you do not agree with the result of such a review, please contact us about it.
f) Right to data portability
You have the right to request us to transfer the personal data you have provided to us to another insurer and/or to have the relevant personal data sent to you.
g) Right to withdraw consent
In those cases where we can only use personal data with your explicit consent, you have the right, at any time, to withdraw the consent you granted previously.
Please contact us if you have any questions about this Privacy Statement.
If you wish to invoke your right of access, or if you have a question or a complaint, please contact us. You can also contact our data protection officer by email on email@example.com or by posting a letter to VIVAT, attn. Data Protection Officer. If you are unhappy about the way we handle your complaint, you can contact the supervisory authority, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Afdeling Corporate Communicatie
1800 BH Alkmaar