Data privacy


Data Protection Information for Users of the App in accordance with the EU General Data Protection Regulation

 

 

1. General Information

 

 

This Privacy Policy is intended to provide you with information about the processing of your personal data by HanseMerkur, the data controller, and the rights you have under data protection law. The ServiceApp ("App") is provided by HanseMerkur ("we" or "us") and offers insurance policyholders access to various services associated with their policies.
We are aware that protection of personal data is extremely important. This Privacy Policy is intended to provide you with information about the personal data that we process in connection with use of the App and the ways in which we protect that data.

 

 

2. Data Controller

 

 

Depending on the services offered by HanseMerkur Krankenversicherung AG and HanseMerkur Allgemeine Versicherung AG, the company providing the service is also the controller. The names and contact details are as follows:

 

HanseMerkur Krankenversicherung AG

HanseMerkur Allgemeine Versicherung AG

Siegfried-Wedells-Platz 1
20354 Hamburg
Telephone: 040 4119-1100
Fax: 040 4119-3257
Email address: [email protected]

 

You can contact our data protection officer by post at the above address or by emailing: [email protected]

 

 

3. Categories of Data Processed

 

 

We process the following categories of data in connection with the use of the App:

  • Name, address and contact details: We record your personal data, including your first name, surname, address, email address and telephone number, so that we can provide you with a personal service. In order to use the e-prescription function and other functions of the telematics infrastructure of the German healthcare system at a later date, a higher level of authentication must be achieved by means of a personal ID card and the associated PIN as a prerequisite. The following data is used from the ID card for authentication purposes in accordance with Section 18(3) of the German Personal Identity Card Act (PAuswG):
    • Surname
    • Name at birth
    • First name(s)
    • Doctoral degree
    • Date of birth
    • Place of birth
    • Address
    • Service and provider-specific ID
  • The telematics infrastructure is a digital platform that networks various stakeholders in the healthcare system with the aim of advancing digitalisation in the healthcare system.
  • Insurance policy details: We record your insurance policy details, such as: policy number, policy benefits, tariffs, premiums and term of the policy, in order to give you a better overview of your insurance and adapt our services more closely to your needs. The App has a summary of your policies, although this may only include certain policies, as some of our insurance products do not make use of the services associated with the App.
  • Login details: We record your login details, comprising your username (your email address) and password, to give you access to our services and ensure that only authorised persons have access to your personal details.
  • Device and connection data: We record certain information in order to facilitate permanent, secure operation of the App and the associated services. This data includes:
    • Date, time, request/process, error message
    • IP address
    • Device ID
    • Model name and operating system version
    • App version
    • Language
    • Any reference number (hereinafter client ID)
    • This data is required for the purposes described.

 

4. Purpose of Data Processing

 

 

We process your personal data for the following purposes:

 

  • To provide you with the App and the associated services: We process your personal data to give you access to our services and facilitate use of the App in a form customised to your needs;
  • To fulfil our contractual and legal obligations: We process your personal data to fulfil our contractual obligations to you, including provision of services and regulation of benefits with the associated checks;
  • To monitor use of the App and improve our services

 

5. Legal Basis for Data Processing

 

 

We process your personal data on the basis of the following legal principles:

 

  • To fulfil a contract with you: If we need to process your personal data to fulfil a contract to which you are a contracting party, processing is on the basis of Art. 6(1) point (b) GDPR;
  • To fulfil our legal obligations: If we need to process your personal data to fulfil a legal obligation, processing is on the basis of Art. 6(1) point (c) GDPR;
  • To pursue legitimate interests: If we need to process your personal data to pursue our legitimate interests, processing is on the basis of Art. 6(1) point (f) GDPR;
  • On the basis of consent: If you have given us your consent to process personal data, processing is on the basis of that consent in accordance with Art. 6(1) point (a) GDPR.

 

6. Disclosure of Personal Data

 

 

We only pass on your personal data to third parties if it is necessary to fulfil our contractual or legal obligations or if you have given us your consent to do so. Recipients of your personal data may include:

 

  • External service providers: We commission external service providers to perform our services and to process your personal data. These service providers are contractually obliged only to process your personal data in accordance with our instructions and with the statutory provisions. In the “HanseMerkur ServiceApp”, technical services are performed by our service provider IBM Deutschland GmbH, IBM-Allee 1, 711139 Ehningen, Germany (hereinafter IBM). IBM is a commissioned data processor.
  • Insurance companies: We pass on your personal data to other insurance companies to ensure fulfilment of our contractual obligations to you.
  • The authorities and courts: We pass on your personal data to the authorities or courts if this is necessary to fulfil our legal obligations.

 

7. Use of Self-service Options

 

 

The App includes forms that can be used to make contact with us electronically and to make direct changes to insurance-related information. This function is available if the user has registered with two-factor authentication. If the user makes use of this option, the data entered on the input screen is transferred to us and stored. Certain boxes on the form are pre-filled.
The personal data that you provide to us via service functions and forms with your declaration of consent for us to collect, process and use the data is sent to our servers over the internet in encrypted form via a secure connection, where it is saved and protected. The security procedures used in this context correspond to the state of the art (TLS or SSL).
The other personal data processed during the submission process is used to prevent misuse of the contact form and to ensure that our IT systems remain secure.
When you submit your personal data in this way, you are giving your consent to the storage and processing of that data to process your enquiry and (if you so request) to receive a reply as necessary. Depending on the issue, it may be necessary to forward the data to authorised third parties or to process it automatically.
The user may withdraw their consent to processing of their personal data at any time.

 

 

8. Processing and Storage of Metadata

 

 

We collect and process certain items of metadata to improve our ServiceApp, when you need support and for statistical purposes. These include:

  • Date, time, request/process, error message
  • IP address
  • Device ID
  • Model name and operating system version
  • App version
  • Language
  • Any client ID

This metadata is only ever analysed in anonymised and aggregated form and serves exclusively to improve the quality and efficiency of our ServiceApp. It is also sent if the user of the App has a problem with the corresponding function of the App and requires support.

 

The metadata is not passed on to third parties unless this is prescribed by law or we are instructed to do so by court order.

 

If certain items of data are not made available, the “HanseMerkur ServiceApp” may not be able to fulfil some or all of its functions.

 

 

9. Transfer of Personal Data to Third Countries

 

 

Your personal data is transferred to a third country only if it is necessary to fulfil our contractual or legal obligations or if you have given us your consent to do so.
Transfer to a third country may also take place, however, if it is necessary to carry out the commissioned data processing – if, for example, we use external service providers from third countries. In this case, we ensure that the transfer of your personal data to a third country is carried out with appropriate guarantees in accordance with Art. 46 GDPR, such as the EU-US Data Privacy Framework.

 

 

10. Storage Period

 

 

We only store your personal data for as long as is necessary to fulfil our contractual or legal obligations or to pursue our legitimate interests. Once the storage of your personal data for fulfilment of our obligations ceases to be necessary, we erase or anonymise your data, unless there are legal retention obligations or other legitimate interests in storing it.

 

 

11. Data Security

 

 

We implement a wide range of technical and organisational measures to protect your personal data against loss, misuse and unauthorised access. These measures are subject to technological progress and are under continuous development.

 

 

12. Rights of Data Subjects

 

 

As a data subject, you have certain rights in relation to your personal data. These include:

 

  • Right to access information: You have the right to demand information about the personal data belonging to you that we process.
  • Right to rectification: You have the right to demand rectification of inaccurate or incomplete personal data.
  • Right to erasure: You have the right to demand erasure of your personal data, unless there are legal retention obligations or other legitimate interests in storing it.
  • Right to restrict processing: You have the right to demand restriction of processing of your personal data if you contest the accuracy of the data, the processing is unlawful or you have objected to the processing.
  • Right to data portability: You have the right to receive your data in a structured, standard and machine-readable format and to have it transferred to another controller if the processing is based on your consent or on a contract.
  • Right to object: You have the right to object to the processing of your personal data at any time for reasons resulting from your particular situation, provided that the processing is based on legitimate interests.
  • Right to withdraw consent: If the processing of your personal data is based on your consent, you have the right to withdraw that consent at any time.

 

13. Right to Lodge a Complaint

 

 

You have the right to lodge a complaint with the competent data protection supervisory authority if you believe that the processing of your personal data breaches applicable data protection law. The contact details of the supervisory authority are as follows:

 

The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Strasse 22, 20459 Hamburg, Germany
Tel.: 040 / 428 54 – 4040
Fax: 040 / 428 54 – 4000
[email protected]

 

14. Amendments to this Privacy Policy

 

 

We reserve the right to amend this Privacy Policy at any time in order to adapt it to changes in the legal position or in the event of changes to our services or the processing of your data. The latest version of the Privacy Policy is always available in the ServiceApp. If an amendment is made, your attention will be drawn to it actively the next time you open the App and you must agree to the amendment.

 

 

Current as of: January 2026