2023 annual report
3.7.2 Privacy

a.s.r. intends to use the personal data it collects in a correct and diligent manner to create value for the customer and for the organisation. a.s.r. can only realise growth in a responsible manner when it safeguards the privacy of customers, employees and other individuals correctly; this implies working consciously with personal data and knowing and complying with the rules. By increasing the confidence of customers and employees in the way a.s.r. uses data, opportunities are created to generate value from data.

Governance and organisation

Key to an efficient protection of privacy is an appropriate privacy governance structure. a.s.r. has a Privacy Charter which outlines a.s.r.’s privacy governance model. The privacy governance model within a.s.r. consists of compliance officers, privacy experts and other privacy professionals who help to ensure privacy compliance. a.s.r. has appointed a Data Privacy Officer (DPO) who is functionally positioned within the Compliance department. The DPO is entitled to escalate critical privacy compliance matters to the highest organisational level in a business line, to the Chair of the EB, to the Chair of the A&RC, and/or to the SB. To monitor and control privacy risks, a privacy risk and control framework is in place (as part of the compliance risk and monitoring framework).

a.s.r. plans to establish a Privacy Office in the organisation to further promote privacy compliance and strengthen the privacy governance in the first line.

Transparency and privacy rights

a.s.r. facilitates the privacy rights of individuals. It has various privacy statements applicable to different categories of stakeholders and data subjects. a.s.r.’s general privacy statement is applicable to the processing of personal data of individuals, including customers and partners. a.s.r.’s privacy statement(s) can be found on www.asrnl.com. After the integration with Aegon NL in 2023, the a.s.r. general privacy statement¹ has been adapted and now applies to the processing of data of Aegon NL customers as well.

a.s.r.’s privacy statements contain detailed information on how a.s.r. deals with individual rights requests or other privacy requests or complaints and how customers may exercise their privacy rights.

Processing of personal data

a.s.r. collects personal data from customers who apply for insurance or other financial services, either directly or through an intermediary. a.s.r. may also receive personal data from (other) third parties, e.g., from other insurers.

The processing of personal data is necessary for the performance of a.s.r.’s services. Furthermore, the use of personal data helps a.s.r. to improve its products, perform marketing activities, reduce and assess risks in connection with business transactions and the business operations of a.s.r. and to trace fraud or cases of abuse.

Purposes

In accordance with privacy laws and regulations (including the GDPR), a.s.r. has listed the legitimate purposes for which it processes personal data in its register of processing activities. These purposes are also described and explained in the privacy statement(s). They relate to:

  • The performance of a.s.r.'s services;

  • Reducing and assessing risks;

  • Performing marketing activities;

  • Improving and innovating;

  • Tracing fraud and abuse;

  • Business transactions and business operations.

When processing data for the purpose of tracing fraud and abuse, a.s.r. also complies with the Insurers and Crime Protocol (Protocol Verzekeraars en Criminaliteit) and the Financial Institutions Incident Warning System Protocol (Protocol Incidentenwaarschuwingssysteem). These protocols were established by the Dutch Association of Insurers, among others.

Security measures

All personal data are processed with due care, taking adequate technical and organisational measures to safeguard sufficient protection levels and to protect data against loss or unlawful processing. Examples include measures for safe use of a.s.r.’s websites and IT systems and for avoiding abuse, as well as for securing physical areas where data are stored. a.s.r. has an information security policy in place and arranges regular training programmes for its employees in personal data protection. Data can be accessed and processed only by authorised employees.

a.s.r. employees have a duty of confidentiality in respect of the processed data. All employees take an oath or make a solemn affirmation when they start as employees at a.s.r. This involves, for example, declaring that they will act with integrity and due care and protect the confidentiality of information that has been entrusted to them.

At a.s.r., health data are only collected and processed where this is permitted by applicable laws and regulations. Only a medical advisor and qualified employees under the responsibility of a medical advisor may process medical data for drawing up medical opinions. a.s.r. abides by the professional code for medical advisors involved in private insurance cases and/or personal injury cases. a.s.r. processes the health data of a.s.r. Vitality members, such as exercise information from activity tracking, in the corresponding mobile application.

a.s.r. has a retention policy in place to ensure that data are not stored any longer than needed or as permitted by legislation and regulations.

Transfer of personal data

In accordance with the applicable legislation and regulations and the a.s.r. privacy policy, a.s.r. has appropriate safeguards in place where a.s.r. works with third parties, e.g., data processing agreements detailing the restrictions regarding the processing of personal data. If a.s.r. transfers personal data to parties outside of the European Economic Area (EEA), appropriate safeguards and arrangements are in place to ensure compliance with the rules applicable in the European Union.

a.s.r. only supplies personal data to third parties if this is permitted by law and necessary for a.s.r.’s business operations. Occasionally, a.s.r. is legally required to transfer certain personal data to the authorities, e.g., disclosures concerning life insurance policies to the tax authorities. To ensure a sound acceptance and risk policy and to prevent fraud, a.s.r. records data in the Central Information System (CIS) of the CIS foundation. These data relate to claims received by insurance companies, or the individuals concerned who have intentionally deceived an insurance company. The CIS foundation supports insurers in their acceptance and claims processes. a.s.r. is permitted, under strict conditions, to exchange information via the CIS foundation. For more information, see the CIS foundation website.

Digital Strategy

a.s.r.’s digital strategy will contribute to improving customer services, while at the same time increasing efficiency. However, the anticipated and related increased use of (personal) data also creates privacy risks, as well as security and ethical risks. In executing the digital strategy, a.s.r. continuously observes and mitigates these risks and will continue to do so.

Ethical frameworks

a.s.r. implemented the ethical framework for data driven decision-making of the Dutch Association of Insurers and has processes and procedures in place to assess the ethical risks of data driven applications. a.s.r. will continue to adapt these processes and procedures where necessary to keep up with technological developments such as the use of Artificial Intelligence.

Profiling

a.s.r. may generate profiles of its customers, using data it collects, for the purposes of analysis and obtaining insight into (future) actions and preferences, only in accordance with the relevant legislation and regulations. This means, among other things, that a.s.r. asks permission in advance if required to do so by law. Furthermore, a.s.r. assesses applications for several products via an automated process. If individuals do not agree with an automated decision, a process is in place to ensure human intervention on the part of a.s.r. In this process, the individual may express their point of view on the decision made and contest that decision.

Data breaches and complaints

a.s.r. has taken appropriate measures to mitigate risks related to personal data breaches (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data from the organisation). a.s.r. has procedures in place to ensure that personal data breaches can be easily reported internally and that breaches are followed up to mitigate the consequences and avoid breaches in the future. Reporting data breaches is an important tool to improve technical and organisational measures to protect personal data and to help mitigate the consequences of any breach for the affected individual. Awareness of these procedures, and of the importance of taking due care when processing personal data to avoid breaches, is part of the awareness programme.

Compliance and the DPO report quarterly on the number and type of data breaches to the highest organisational level in a business line, the MB, NFRC, Risk Committee and the A&RC of the SB. Most breaches were caused by human errors, the use of outdated postal addresses and lost mail items. a.s.r. takes measures to prevent the cause of the breach where possible, e.g. review of processes.

In accordance with the GDPR, a.s.r. is obliged to notify the Dutch DPA (DDPA) of any data breaches which present a risk to the affected individuals. Such notifications are made by the Compliance department, in consultation with the DPO. In 2023, 87 data breaches were reported to the DDPA (2022: 41)¹. a.s.r. took measures to mitigate any risks for the individuals and has no reason to expect any of the reported breaches to have a serious impact for those involved. The increase in breaches reported to the DDPA was mainly caused by the exchange of data with third parties. Options for improvement of this process are being further investigated.

Complaints about privacy issues help a.s.r. to improve processes to enhance privacy compliance. a.s.r. observes that privacy awareness amongst customers is still increasing, leading to increasing numbers of questions and complaints regarding privacy. In 2023, a.s.r. received 149 complaints from customers and third parties, including one complaint from regulatory bodies (2022: 107). Most of these complaints relate to data breaches, but also to individuals exercising their privacy rights, such as the right of access and the right to be forgotten.

Complaints relating to customer privacy received from third parties¹,²

(in numbers)

  • 1 Complaints received from regulatory bodies are also included in the figure reported for complaints received from third parties.
  • 2 As of reporting year 2023, a more complete classification approach is applied to the figure complaints related to customer privacy received from third parties. The 2022 figure has been adjusted to align with the 2023 approach accordingly.
  • 1 The a.s.r. general privacy statement applies to the following entities and brands: ASR Levensverzekering N.V., ASR Basis Ziektekostenverzekeringen N.V., ASR Aanvullende Ziektekostenverzekeringen N.V., ASR Schadeverzekering N.V., ASR Vermogensbeheer N.V., ASR Real Estate B.V., ASR Vitaliteit en Preventieve Diensten B.V., ASR Vooruit B.V., ASR Premiepensioeninstelling N.V., ASR Re-integratie B.V., Aegon Hypotheken B.V., Aegon Levensverzekering N.V., Aegon Cappital B.V., Aegon Advies B.V., Aegon Bemiddeling B.V., Aegon Administratie B.V., Aegon Administratieve Dienstverlening B.V., Aegon Spaarkas N.V., a.s.r., Aegon and Loyalis. a.s.r. Vitality and a.s.r. real estate have their own privacy statement.
  • 2 Figures in this chapter exclude Corins and D&S entities.