Privacy policy 

DR-WALTER GmbH has been entrusted with extensive powers by various insurance companies. Within the scope of these powers, DR-WALTER GmbH performs a wide range of tasks on behalf of and in the name of these companies. In order to perform these tasks, it is necessary to collect, process, use and store personal data. We take the protection of informational self-determination and privacy as well as the security of data processing seriously in order to maintain and strengthen the trust of the insured. The following sections inform data subjects about the type, scope and purpose of the processing of personal data within our company as well as their rights in this regard.

Data controller

DR-WALTER GmbH 
Eisenerzstraße 34 
53819 Neunkirchen-Seelscheid 
Germany

T +49 2247 9194-0 
F +49 2247 9194-40 
Data protection officer: [email protected]

Purposes of processing

We process personal data in compliance with the GDPR, the BDSG, the data protection provisions of the VVG and all other relevant legal regulations. Processing only takes place to the extent necessary for the establishment, implementation or termination of an insurance relationship, in particular for application processing, risk assessment, fulfilment of advisory obligations, examination of a benefit obligation and claims settlement. In addition, we process data for the purposes of combating abuse, as well as for advertising, market research and opinion polling. Insofar as we process personal data for the purpose of market and opinion research, this data is anonymised as soon as possible. 

Data collection

As a matter of principle, we collect personal data directly from the persons concerned (taking into account Sections 19 and 31 of the Insurance Contract Act (VVG)). Data is collected without the involvement of the data subjects if this is necessary for the establishment, implementation or termination of the insurance relationship or if direct collection would require a disproportionate amount of effort and there are no overriding interests worthy of protection (e.g. in the case of group contracts or family insurance).

The collection of health data from third parties is carried out – where necessary – with effective release from confidentiality obligations and in accordance with Section 213 of the Insurance Contract Act (VVG). 

Categories of personal data

Depending on the type of contract, we process in particular:  

  • Master data (e.g. name, address, date of birth)
  • Contract data (e.g. insurance policy number, tariff information)
  • Health data (e.g. diagnoses, treatments, medications)
  • Communication data (e.g. emails, letters)
  • Payment data (e.g. bank details, payment status)

Legal basis for processing

We only process your personal data if this is legally permitted. This is the case in the following situations:

On the basis of consent, Art. 6 (1) (a) GDPR

In certain cases, we process your personal data on the basis of your express consent, e.g. for advertising and marketing purposes. Consent is voluntary and can be revoked at any time with effect for the future.

For the performance of a contract, Art. 6(1)(b) GDPR

We require certain data in order to initiate, conclude and execute an insurance contract with you.

To fulfil legal obligations, Art. 6 (1) (c) GDPR

In some cases, we are legally obliged to process or pass on data, e.g. for tax purposes or reports to supervisory authorities.

To protect vital interests, Art. 6(1)(d) GDPR

If it is necessary to protect your vital interests or those of another person (e.g. in an emergency), we may process your data.

On the basis of legitimate interests, Art. 6(1)(f) GDPR

In certain cases, we process data to protect our legitimate interests or the interests of third parties, e.g. to combat abuse or to assert and defend legal claims. In doing so, we carefully weigh up the interests involved to ensure that your fundamental rights and freedoms are not impaired.

On the basis of consent, Art. 9 (2) (a) GDPR

We require your express consent for the processing of special categories of personal data, in particular health data. This may be necessary, for example, to check benefits under the insurance contract or to calculate premiums. You can revoke your consent at any time with effect for the future. Please note, however, that we require this data for the processing of claims, for example. If you withdraw your consent, we will no longer be able to process claims and thus provide the contractually agreed services. 

Recipients of the data

We only pass on personal data if this is necessary for the execution of the insurance contract, to fulfil legal obligations or on the basis of legitimate interests. If we use external service providers for data processing, this is done exclusively on the basis of a data processing agreement in accordance with Art. 28 GDPR. These service providers are carefully selected and are contractually obliged to process personal data only in accordance with our instructions and in compliance with appropriate technical and organisational measures. We will be happy to provide an overview of the processors currently used on request.        

Intermediaries

If you are served by an intermediary, they will receive the information they need to initiate and manage your contract. This includes, for example, application data or details of existing insurance policies.

Internal processing

Within the DR-WALTER Group, data can be processed centrally, e.g. in customer service, for contract and service processing, billing or mail processing. This allows processes to be designed efficiently and uniformly. 

External bodies

Processors (Art. 28 GDPR): These include service providers who support us in areas such as IT operations, telecommunications, web hosting or document destruction. They act strictly in accordance with our instructions and are legally and contractually obliged to comply with data protection regulations.

Independently responsible parties: Some entities process your data on their own responsibility because they are legally responsible for fulfilling their tasks. These include insurance companies, banks (payment processing), doctors and experts (medical assessments) or credit agencies (credit checks).

Joint controllers (Art. 26 GDPR): In certain cases, we work closely with other insurance companies or partners (e.g. assistance companies) and jointly determine how data is processed in accordance with legal requirements.  

We will provide you with a current list of the service providers commissioned or involved upon request at [email protected].  

In addition, it may be necessary to transfer your personal data to other recipients, such as authorities, in order to comply with statutory notification obligations (e.g. social security institutions, tax authorities or law enforcement agencies). 

Duration of data processing

We store personal data for the duration of the business relationship (initiation, execution, termination) and in accordance with the respective statutory retention obligations (e.g. Sections 257 HGB, 147 AO, generally 6 to 8 years). In addition, data is stored until the expiry of statutory limitation periods (e.g. for the defence and/or pursuit of claims). Once the purposes and legal obligations no longer apply, the data is deleted or anonymised. 

Rights of data subjects

Under the General Data Protection Regulation (GDPR), data subjects have the following rights with regard to the processing of their personal data: 

Right of access, Art. 15 GDPR 

Data subjects have the right to obtain information about the data processed, the purposes of processing and the recipients. In exceptional cases, information may not be disclosed if there are overriding legitimate interests of third parties or if legal confidentiality obligations apply. 

Right to rectification, Art. 16 GDPR 

Data subjects have the right to request the immediate rectification of inaccurate personal data or the completion of incomplete personal data. 

Right to erasure, Art. 17 GDPR 

Data subjects have the right to request the erasure of their personal data, provided that the legal requirements are met. This may be the case, for example, if processing is no longer necessary or consent has been revoked. 

Instead of erasure, the data is blocked if erasure conflicts with statutory, constitutional or contractual retention obligations, if there is reason to believe that erasure would prejudice the legitimate interests of the data subject, or if erasure is not possible or would involve disproportionate effort due to the special nature of the storage. Personal data will also be blocked if its accuracy is disputed by the data subject and neither its accuracy nor its inaccuracy can be determined. 

Right to restriction of processing, Art. 18 GDPR 

Data subjects may request the restriction of the processing of their data if the conditions for this are met, for example if the accuracy of the data is disputed or the processing is unlawful. 

Right to object, Art. 21 GDPR 

Data subjects have the right to object to the processing of their personal data at any time, in particular if the processing is based on legitimate interests or is used for direct marketing. 

Your consent and the release from confidentiality can be revoked at any time with effect for the future; the lawfulness of the processing until revocation remains unaffected. Insofar as certain processing operations are contractually necessary, revocation may result in services not being able to be provided or not being able to be provided in full. 

The objection must be sent to the above-mentioned controller by post, fax or email, stating your full name, email contact details and, if available, your insurance number.  

Exercising data subject rights 

To exercise the above rights, data subjects may contact the company's data protection officer at any time in writing or by email (DR-WALTER GmbH, Data Protection Officer, Eisenerzstraße 34, 53819 Neunkirchen-Seelscheid or [email protected]). Proof of identity may be required to protect data.

Right to lodge a complaint with a supervisory authority, Art. 77 GDPR 

Data subjects have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. You can contact the authority responsible for us in Germany as follows: 

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen 
Postfach 20 04 44 
40102 Düsseldorf 
Germany 
E-Mail: [email protected] 

Transfer of data to a third country

Some service providers/recipients may process data in third countries. In such cases, we ensure an adequate level of data protection, e.g. through an adequacy decision by the EU Commission (including the EU–US Data Privacy Framework) or standard contractual clauses (SCCs) of the EU Commission, with additional technical and organisational measures where necessary. 

Automated decision-making/profiling, Art. 22 GDPR

Automated decision-making, including profiling within the meaning of Art. 22 GDPR, does not take place. 

Data security

We protect your personal data through a variety of technical and organisational measures that are state of the art and are regularly reviewed and further developed. Access to our buildings, IT systems and data processing facilities is restricted to authorised persons only and is secured by access controls. Within the company, authorisations are designed in such a way that employees can only access the data they need to perform their tasks. Server rooms and data storage media are specially protected.

Personal data is processed exclusively by trained employees who are bound to confidentiality. Our systems are protected against unauthorised access by firewalls, antivirus programmes and regular security checks. Paper documents and mobile data carriers are secured in accordance with the ‘clean desk’ principle and in lockable containers. For the secure transmission of data via our online services, we use encryption technologies in accordance with recognised standards (SSL/TLS), so that access by unauthorised persons is largely impossible.

To ensure the integrity and traceability of data processing, we log entries and accesses. Data and data carriers are deleted or destroyed in accordance with data protection regulations. Backups are created and tested regularly, and emergency and recovery concepts ensure the availability of data even in the event of a crisis.

Please note: If you contact us directly by e-mail, the transmission is usually unencrypted. In this case, there is a residual risk that messages may be viewed by third parties. For confidential communication, we therefore recommend using the online forms provided in the service area [https://www.dr-walter.com/service/] or contacting us by telephone.

We continuously adapt our measures to current security requirements and risks in order to ensure a level of protection that is appropriate to the risk at all times. 
