Annual Report 2022

Governance and organisation

a.s.r. has a Privacy Charter which outlines a.s.r.’s privacy governance. The Charter states that a.s.r. has appointed a Data Privacy Officer (DPO) who is functionally positioned within the Compliance department. The DPO is entitled to scale up critical privacy compliance matters to the highest organisational level or to the SB. The DPO has an escalation to the chair of the A&RC and/or the chair of the SB in order to safeguard the independence of the DPO. As part of the compliance risk and monitoring framework, a privacy risk and control framework is put in place in order to ensure controls are in place which ensure privacy compliance.

The Privacy Charter and a.s.r.’s policies - such as a.s.r.’s privacy policy, cookie policy and retention policy - are applicable to a.s.r. and its subsidiaries except for the intermediary subsidiaries/distribution companies1. This section of the report concerns a.s.r. excluding the aforementioned entities.

Gathering and handling of personal data

Customers or employers applying for insurance or other financial services are asked to provide personal data. They supply these data to a.s.r. either through an intermediary or directly. As well as the information provided by customers or other data subjects, a.s.r. may receive data from third parties.

Personal data are necessary for the performance of a.s.r.’s services. Using personal data helps a.s.r. to improve its products, perform marketing activities, reduce risks and trace fraud or cases of abuse. In this context, a.s.r. complies with the Protocol Verzekeraars en Criminaliteit (insurers and crime protocol) and the Protocol Incidentenwaarschuwingssysteem Financiële Instellingen (financial institutions incident warning system protocol). Both protocols were established, among other organisations, by the Verbond of Verzekeraars.

All data are handled with due care, and adequate technical and organisational measures are taken to safeguard sufficient protection levels. a.s.r. has put in place technical and organisational measures to protect data against loss or unlawful processing. Examples include measures for safe use of a.s.r.’s websites and IT systems and for avoiding abuse, as well as for securing physical areas where data are stored. a.s.r. has an information security policy in place and arranges training programmes for its employees in personal data protection. Data can be accessed and processed only by authorised employees.

a.s.r. employees have a duty of confidentiality in respect of the processed data. All employees take an oath or make a solemn affirmation when they start as employees at a.s.r. This involves, for example, declaring that they will act with integrity and due care and protect the confidentiality of information that has been entrusted to them.

At a.s.r., health data are only collected and processed where this is permitted by applicable legislation and regulations. Only a medical advisor and qualified employees under the responsibility of a medical advisor may process health data (medical data) for drawing up medical opinions. a.s.r. abides by the professional code for medical advisors involved in private insurance cases and/or personal injury cases. a.s.r. processes the health care data of a.s.r. Vitality members, such as exercise information from activity tracking, in the corresponding mobile application. To ensure that data regarding health are processed only within a.s.r. Vitality and are not shared with the company’s insurance departments, a.s.r. has set up a separate legal entity, ASR Vitaliteit en Preventieve Diensten B.V.

Data are not kept any longer than necessary. a.s.r. has a retention policy in place to ensure that data are not kept longer than needed or permitted by Dutch law.

Data are only supplied to third parties if this is permitted by law, and where necessary for a.s.r.’s business operations. Occasionally, a.s.r. is legally required to transfer specific personal data to the authorities, e.g. disclosures concerning life insurance policies to the tax authorities. Financial institutions can record the behaviour of natural persons or legal entities who have been or could be detrimental to financial institutions in an incident register. To ensure a sound acceptance and risk policy, and to prevent fraud, a.s.r. records data in the Central Information System (CIS) of the CIS foundation. This concerns data relating to claims received by insurance companies or the individuals concerned who have intentionally deceived the insurance company. The CIS foundation supports insurers in their acceptance and claims processes. With regard to information concerning the CIS foundation, a.s.r. is permitted under strict conditions to exchange information via the CIS foundation. For more information see the CIS foundation website.

a.s.r. has various privacy statements applicable to different categories of data subjects. a.s.r.’s full privacy statement applicable to the processing of personal data of parties including customers (hereafter: a.s.r.’s privacy statement(s)) can be found on www.asrnl.com2.

a.s.r. may generate profiles of its customers based on data it collects for the purposes of analysis and obtaining insight into (future) actions and preferences. In doing so, a.s.r. complies with relevant laws and regulations. This means, among other things, that a.s.r. asks permission in advance if required by law. In addition a.s.r. assesses applications for a number of products via an automated process. If individuals do not agree with an automated decision, they have the right to obtain human intervention on the part of a.s.r., to express their point of view on the decision made and to contest that decision.

a.s.r. respects the privacy rights of individuals. a.s.r.’s privacy statements contain detailed information on how a.s.r. deals with individual rights requests or other requests or complaints.

Privacy legislation and regulations, including the GDPR prescribe that personal data may only be processed for clearly defined and justified ends (activities). a.s.r. has listed these ends in the processing register. The ASR Nederland N.V. privacy statement includes an accessible translation of these ends for customers. They relate to:

  • The performance of a.s.r.'s services;

  • Reducing risks;

  • Performing marketing activities;

  • Improvement and innovation;

  • Detecting fraud and abuse.

Where a.s.r. works with third parties it ensures that appropriate safeguards are put in place. Where a.s.r. works with third parties which process personal data on a.s.r.’s behalf (processors), a.s.r. puts in place data processing agreements detailing the restrictions regarding personal data (including personal data of customers), all in line with applicable legislation and the a.s.r. privacy statement(s).

If data are transferred by a.s.r., to international organisations or parties outside of the European Economic Area (EEA), appropriate safeguards and arrangements will be made in order to ensure compliance with the rules applicable in the EEA. Following the decision of the Court of Justice of the European Union in July 20203, the European Data Protection Board recommended measures that organisations should take to ensure compliance with the Court’s decision in the event of the transfer of personal data outside the EEA. a.s.r. is implementing the required measures in addition to any measures or actions required after the European Commission (EC) issued an implementing decision on the new Standard Contractual Clauses (SCCs).

Executing a.s.r.’s digital strategy will contribute to improving customer services, while at the same time increasing efficiency. However, the anticipated and related increased use of (personal) data also creates privacy risks, as well as security and ethical risks. In executing the digital strategy, a.s.r. has continuously observed and mitigated these risks and will continue to do so.

Data leaks and complaints

A data leak is a personal data breach, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data from the organisation. In accordance with the GDPR, a.s.r. is obliged to report directly to the Autoriteit Persoonsgegevens (Dutch Data Protection Authority (Dutch DPA)) any data leaks which could have serious consequences for those involved. Such notifications are made by Compliance, in consultation with the DPO. While the data leaks that were reported could have had serious consequences for those involved, there were no reports of any damage relating to the misuse or abuse of leaked data in 2022. Most data leaks were due to human error. a.s.r. took appropriate measures to mitigate any risks relating to both reported and unreported data leaks. a.s.r. does not, at present, have any reason to expect any of the data leaks to have a serious impact for those involved. The number of data leaks reported to the Dutch DPA stabilised at 41 (2021:43) In the Annual Report 2021 it was reported that 51 data leaks were reported to the Dutch DPA. This number has been corrected to 43. The expected change in regulation that will enable life insurers to have access to the Basis Registratie Personen (Dutch registration system) in the case of payment of policies will also help to prevent data leaks in the future.

Compliance and the DPO report quarterly on the number and type of data leaks to the relevant management, the EB, the Business Executive Committee (BEC) and the A&RC of the SB. When necessary, a.s.r. has implemented measures to improve processes for, and awareness of, dealing with data to avoid any future data leaks.

a.s.r. received 107 complaints from third parties (2021: 91). Most of these complaints relate to data leaks, but also concern individuals exercising their data privacy rights, such as the right of access and the right to be forgotten.

Complaints relating to customer privacy received from third parties 1

(in numbers)

  • 1 Complaints received from regulatory bodies are also included in the figure reported for complaints received from third parties.
  • 1D&S Holding B.V. and its subsidiaries and Corins B.V.
  • 2The privacy statement of ASR Nederland N.V. applies to the following entities and brands: ASR Levensverzekering N.V., ASR Basis Ziektekostenverzekeringen N.V., ASR Aanvullende Ziektekostenverzekeringen N.V., ASR Schadeverzekering N.V., ASR Vermogensbeheer N.V., ASR Vooruit B.V., ASR Premiepensioeninstelling N.V., ASR Re-integratie B.V., Ditzo, Ardanta, Loyalis and Europeesche Verzekeringen. The privacy statement also applies to brands that are no longer used, insofar as personal data are still being processed, such as: ZZP Pensioen, De Amersfoortse, Axent, De Eendragt, and Generali Nederland. ASR Real Estate B.V. (Real estate) and ASR Vitaliteit en Preventieve Diensten B.V. (Vitality) have their own privacy statements
  • 3In July 2020, the Court of Justice of the European Union (CJEU) ruled that the adequacy of the protection of personal data by the US-EU Data Protection Shield (privacy shield) was invalid. The use of the (new) standard contractual clauses (SCCs) remains valid. However, the CJEU places a heavy burden on data exporters which wish to use SCC’s. The data exporter must consider the law and practice of the country to which data will be transferred, in particular if public authorities may have access to the data. Additional safeguards may be required.