Annual Report 2021
Sustainable value creation
3.4.5
Privacy

Customers or employers applying for insurance or another financial service are asked to provide personal data. They supply these data to a.s.r. either through an advisor or directly, through the a.s.r. website, by email or by phone.

As well as the information provided by customers, a.s.r. may receive data from third parties, such as employers or others, e.g. a financial advisor or insurance broker, Centraal Bureau voor de Statistiek (Statistics Netherlands (CBS)), the Bureau Krediet Registratie (Credit Registration Office (BKR)), Uitvoeringsinstituut Werknemersverzekeringen (Employee Insurance Agency (UWV)), working conditions services or market research firms. a.s.r. registers the sources from which it receives data.

Notifications
of data leaks
to the Dutch DPA

(in numbers)

51

2020: 14

Notifications
of data leaks
to the Dutch DPA

(in numbers)

51

2020: 14

Personal data are necessary for the performance of a.s.r.’s services. Using personal data helps a.s.r. to improve its products, perform marketing activities, reduce risks and trace fraud or cases of abuse. In this context, a.s.r. complies with the Protocol Verzekeraars en Criminaliteit (insurers and crime protocol) and the Protocol Incidentenwaarschuwingssysteem Financiële Instellingen (financial institutions incident warning system protocol). Both protocols were established by the Verbond of Verzekeraars.

All data are handled with due care, and adequate technical and organisational measures are taken to safeguard sufficient protection levels. a.s.r. has put in place technical and organisational measures to protect data against loss or unlawful processing. Examples include measures for using a.s.r.’s websites and IT systems safely and for avoiding abuse, and for protecting physical areas where data are stored. a.s.r. has an information security policy in place and arranges training programmes for its employees in personal data protection. Data can be viewed and processed only by authorised employees.

a.s.r. employees have a duty of confidentiality in respect of the processed data. All employees take an oath or make a solemn affirmation when they start as employees at a.s.r. This oath or solemn affirmation involves declaring that they will act with integrity and care and keep confidential what has been entrusted to them.

Data regarding health are only collected and processed where permitted by applicable laws and regulations. Only a medical advisor and qualified employees under the resposibility of a medical advisor may process health data for drawing up medical opinions. a.s.r. abides by the professional code for medical advisors involved in private insurance cases and / or personal injury cases. a.s.r. processes the health care data of a.s.r. Vitality members, such as exercise information from activity tracking, in the corresponding mobile application. To ensure that data regarding health are processed only within a.s.r. Vitality and not shared with the company’s insurance departments, a.s.r. has set up a separate legal entity, a.s.r. Vitality B.V.

A data leak is a personal data breach, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data from the organisation. In accordance with the GDPR, a.s.r. is obliged to report directly to the Autoriteit Persoonsgegevens (Dutch Data Protection Authority (Dutch DPA)) any data leaks which could have serious consequences for those involved. Such notifications are made by compliance, in consultation with the data protection officer. While the data leaks that were reported could have had serious consequences for those involved, there were no reports of any damage relating to the misuse or abuse of leaked data in 2021. Most data leaks were due to human error. a.s.r. took appropriate measures to mitigate any risks relating to both reported and unreported data leaks. a.s.r. does - at present - not have any reason to expect any of the data leaks to have a serious impact for those involved. Due to the potential impact of cyber crime-related data breaches (e.g. ransomware, data exfiltration attacks, hacking attacks), the Dutch DPA wished to be notified of all cyber crime related data breaches, regardless of their risk for data subjects. The Dutch DPA thus has an overview of the number of data breaches that occur due to cyber crime, and can support and advise organisations on prevention. The number of data leaks reported to the Dutch DPA increased substantially to 51 (2020: 14), this is among others due to recent acquisitions of a.s.r., increased digital communication via e-mail and mistakes in postal delivery. By executing the digital strategy, a.s.r. expects a decline of these types of data leaks, see chapter 3.1.3 for more information on the digital strategy. Also, the expected change in regulation that will enable life insurers to have access to the Basis Registratie Personen (Dutch registration system) in case of payment of policies will also help to prevent data leaks.

Compliance and the data protection officer report quarterly on the number and type of data leaks to the relevant management, the EB, the Business Executive Committee (BEC) and the A&RC of the SB. When necessary, a.s.r. implemented measures to improve processes for, and awareness of, dealing with data to avoid any future data leaks.

Data are not kept any longer than necessary. Some retention periods are prescribed by law. a.s.r. has a retention policy in place to ensure that data are not kept longer than needed.

Data are only supplied to third parties if this is permitted by law, and where necessary for a.s.r.’s business operations. Occasionally, a.s.r. is legally required to transfer specific personal data to the authorities, e.g. disclosures concerning life insurance policies to the tax authorities. To ensure a sound acceptance and risk policy, and to prevent fraud, a.s.r. records data in the Central Information System of the CIS foundation in The Hague. This concerns data relating to claims received by insurance companies or concerned individuals who have intentionally deceived the insurance company. The CIS foundation supports insurers in their acceptance and claims processes. With regard to information concerning the CIS foundation, a.s.r. is permitted under strict conditions to exchange information via the CIS foundation. For more information see the CIS foundation website.

Complaints relating to customer privacy
In numbers20212020
Complaints received from third parties9189
Complaints received from regulatory bodies132
  • 1 The complaints received from regulatory bodies are also included in the figure reported for complaints received from third parties.

Executing a.s.r.’s digital strategy will contribute to improving customer services, while at the same time increasing efficiency. The anticipated and related increased use of (personal) data however also creates privacy risks, as well as security and ethical risks. In executing the digital strategy a.s.r. has and will continuously observe and mitigate these risks.

In 2021 compliance conducted a privacy assessment across the business. The assessment shows that generally there is a sufficient level of compliance with privacy laws and regulations (including GDPR) within the business lines and that there is a sufficient degree of privacy awareness. Any findings for further improvement in managing identified risks have been assigned and are addressed by the respective businesses within a.s.r.

a.s.r. received 91 complaints from third parties, of which three were received from the Dutch DPA. Most of these complaints relate to data leaks, but also concern individuals exercising their data privacy rights, such as, the right of access and the right to be forgotten. The complaints received from the Dutch DPA are related to privacy violations, in particular with regard to the fulfilment of rights of data subjects. Customers have various rights to maintain control over their personal data. a.s.r. is currently evaluating the processes that implement requests made by customers regarding data subject rights. This is partly in response to a complaint submitted to the Dutch DPA by a person regarding a request to inspect the personal data of this person that a.s.r. has processed. The Dutch DPA asked a.s.r. for a response about this complaint.

a.s.r. respects the privacy rights of individuals. a.s.r.’s privacy statement contains detailed information on how a.s.r. deals with individual rights requests or other requests or complaints.

Privacy laws and regulations (including GDPR) prescribe that personal data may only be processed for clearly defined and justified ends (activities). a.s.r. has listed these ends in the processing register. The ASR Nederland N.V. privacy statement includes an accessible translation of these ends for customers. They relate to:

  • the performance of a.s.r.'s services

  • reducing risks

  • performing marketing activities

  • improving and innovating

  • detecting fraud and abuse

a.s.r.’s full privacy statement1 can be found on www.asrnl.com. It does not cover suppliers. The use of social media is everyone’s individual responsibility. a.s.r.’s privacy statement does not apply to the way in which social media platforms deal with the personal data provided by individuals. a.s.r. may generate profiles of its customers based on data it collects for the purpose of analysing it and obtaining insight into (future) actions and preferences. In doing so, a.s.r. complies with relevant laws and regulations. This means, among other things, that a.s.r. asks permission in advance if required by law. In addition a.s.r. assesses applications for a number of products via an automated process. If individuals do not agree with an automated decision, they may express their point of view and contest the decision, in which case the assessment will be carried out by a human.

Where a.s.r. works with third parties, a.s.r. puts in place a service agreement detailing the restrictions regarding personal data (including customer personal data), all in line with applicable law and the a.s.r. privacy statement(s).

Financial institutions can record the behaviour of (legal) persons who have been or could be detrimental to financial institutions in an incident register. If data are transferred to organisations, companies or other third parties outside of the European Economic Area (EEA), appropriate safeguards and arrangements will be made in order to ensure compliance with the rules applicable in the EEA at all times. Following the decision of the Court of Justice of the European Union in July 20202, the European Data Protection Board (EDPB) recommended measures that organisations should take to ensure compliance with the Court’s decision in the event of the transfer of personal data outside the EEA. a.s.r. is implementing the required measures, on top of any measures or actions required after the European Commission (EC) issued an implementing decision on the new Standard Contractual Clauses (SCC).

  • 1The privacy statement of ASR Nederland N.V. applies to: ASR Nederland N.V., ASR Levensverzekering N.V., ASR Basis Ziektekostenverzekeringen N.V., ASR Aanvullende Ziektekostenverzekeringen N.V., ASR Schadeverzekering N.V., ASR Vermogensbeheer N.V., ASR Real Estate B.V., ASR Vitaliteit en Preventieve Diensten B.V., ASR Vooruit B.V., Ditzo, Ardanta and Loyalis. The other entities within a.s.r. (notably the intermediary subsidiaries / distribution companies) apply their own privacy statements.
  • 2In July 2020, the Court of Justice of the European Union (CJEU) ruled that the adequacy of the protection of personal data by the US-EU Data Protection Shield (privacy shield) was invalid. The SCC’s remained valid. However, the CJEU sets out a heavy burden on data exporters which wish to use SCC’s. The data exporter must consider the law and practice of the country to which data will be transferred, in particular if public authorities may have access to the data. Additional safeguards may be required.