a.s.r. intends to use the personal data it collects in a correct and diligent manner to create value for the customer and for the organisation. a.s.r. can only realise growth in a responsible manner when it safeguards the privacy of customers, employees and other individuals correctly, working consciously with personal data and knowing and complying with the rules implies that. By increasing the confidence of customers and employees in the method of a.s.r. regarding data use, opportunities are created to generate value from data.
Governance and organisation
Key to an efficient protection of privacy is an appropriate privacy governance structure. a.s.r. has a Privacy Charter which outlines a.s.r.’s privacy governance model. The privacy governance model within a.s.r. consists of compliance officers, privacy experts and other privacy professionals who help to ensure privacy compliance. a.s.r. has appointed a Data Privacy Officer (DPO) who is functionally positioned within the Compliance department. The DPO is entitled to escalate critical privacy compliance matters to the highest organisational level in a business line, to the Chair of the EB, to the Chair of the A&RC, and/or to the SB. To monitor and controls privacy risks, a privacy risk and control framework is in place (as part of the compliance risk and monitoring framework).
a.s.r. plans to establish a Privacy Office in the organization to further promote privacy compliance and strengthen the privacy governance in the first line.
Transparency and privacy rights
a.s.r. facilitates the privacy rights of individuals. It has various privacy statements applicable to different categories of stakeholders and data subjects. a.s.r.’s general privacy statement is applicable to the processing of personal data of individuals, including customers and partners. a.s.r.’s privacy statement(s) can be found on www.asrnl.com. After the integration with Aegon NL in 2023, the a.s.r. general privacy statement1 has been adapted and now applies to the processing of data of Aegon NL customers as well.
a.s.r.’s privacy statements contain detailed information on how a.s.r. deals with individual rights requests or other privacy requests or complaints and how customers may exercise their privacy rights.
Processing of personal data
a.s.r. collects the personal data from its customers who apply for an insurance or other financial services, either directly or through an intermediary. a.s.r. may also receive personal data from (other) third parties, e.g., from other insurers.
The processing of personal data is necessary for the performance of a.s.r.’s services. Furthermore, the use of personal data helps a.s.r. to improve its products, perform marketing activities, reduce and assess risks in connection with business transactions and the business operations of a.s.r. and to trace fraud or cases of abuse.
Purposes
In accordance with privacy laws and regulations (including the GDPR), a.s.r. has listed the legitimate purposes for which she processes personal data in its register of processing activities. These purposes are also described and explained in the privacy statement(s). They relate to:
The performance of a.s.r.'s services;
Reducing and assessing risks;
Performing marketing activities;
Improving and innovating;
Tracing fraud and abuse;
Business transactions and business operations.
When processing data for the purpose of tracing fraud and abuse, a.s.r. also complies with the Insurers and Crime Protocol (Protocol Verzekeraars en Criminaliteit) and the Financial Institutions Incident Warning System Protocol (Protocol Incidentenwaarschuwingssysteem). These protocols were established by the Dutch Association of Insurers, among others.
Security measures
All personal data are processed with due care taking adequate technical and organisational measures to safeguard sufficient protection levels and to protect data against loss or unlawful processing. Examples include measures for safe use of a.s.r.’s websites and IT systems and for avoiding abuse, as well as for securing physical areas where data are stored. a.s.r. has an information security policy in place and arranges regular training programmes for its employees in personal data protection. Data can be accessed and processed only by authorised employees.
a.s.r. employees have a duty of confidentiality in respect of the processed data. All employees take an oath or make a solemn affirmation when they start as employees at a.s.r. This involves, for example, declaring that they will act with integrity and due care and protect the confidentiality of information that has been entrusted to them.
At a.s.r., health data are only collected and processed where this is permitted by applicable laws and regulations. Only a medical advisor and qualified employees under the responsibility of a medical advisor may process medical data for drawing up medical opinions. a.s.r. abides by the professional code for medical advisors involved in private insurance cases and/or personal injury cases. a.s.r. processes the health data of a.s.r. Vitality members, such as exercise information from activity tracking, in the corresponding mobile application.
a.s.r. has a retention policy in place to ensure that data are not stored any longer than needed or as permitted by legislation and regulations.
Transfer of personal data
In accordance with the applicable legislation and regulations and the a.s.r. privacy policy, a.s.r. has appropriate safeguards in place where a.s.r. works with third parties e.g., data processing agreements detailing the restrictions regarding the processing of personal data. If a.s.r. transfers personal data to parties outside of the European Economic Area (EEA), appropriate safeguards and arrangements are in place to ensure compliance with the rules applicable in the European Union.
a.s.r. only supplies personal data to third parties if this is permitted by law and necessary for a.s.r.’s business operations. Occasionally, a.s.r. is legally required to transfer certain personal data to the authorities, e.g., disclosures concerning life insurance policies to the tax authorities. To ensure a sound acceptance and risk policy and to prevent fraud, a.s.r. records data in the Central Information System (CIS) of the CIS foundation. These data relate to claims received by insurance companies, or the individuals concerned who have intentionally deceived an insurance company. The CIS foundation supports insurers in their acceptance and claims processes. a.s.r. is permitted, under strict conditions, to exchange information via the CIS foundation. For more information, see the CIS foundation website.
Digital Strategy
a.s.r.’s digital strategy will contribute to improving customer services, while at the same time increasing efficiency. However, the anticipated and related increased use of (personal) data also creates privacy risks, as well as security and ethical risks. In executing the digital strategy, a.s.r. continuously observes and mitigates these risks and will continue to do so.
Ethical frameworks
a.s.r. implemented the ethical framework for data driven decision-making of the Dutch Association of Insurers and has processes and procedures in place to assess the ethical risks of data driven applications. a.s.r. will continue to adapt these processes and procedures where necessary to keep up with technological developments such as the use of Artificial Intelligence.
Profiling
a.s.r. may generate profiles of its customers using data it collects for the purposes of analysis and obtaining insight into (future) actions and preferences only in accordance with the relevant legislation and regulations. This means, among other things, that a.s.r. asks permission in advance if required to do so by law. Furthermore, a.s.r. assesses applications for several products via an automated process. If individuals do not agree with an automated decision, a process is in place to ensure human intervention on the part of a.s.r. In this process, the individual may express its point of view on the decision made and contest that decision.
Data breaches and complaints
a.s.r. has taken appropriate measures to mitigate risks related to personal data breaches (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data from the organization). a.s.r. has procedures in place to ensure that personal data breaches can be easily reported internally and that breaches are followed up to mitigate the consequences and avoid breaches in the future. Reporting data breaches is an important tool to improve technical and organisational measures to protect personal data and to help mitigate the consequences of any breach for the affected individual. Awareness of these procedures and the importance to take due care when processing personal data to avoid breaches, are part of the awareness programme.
Compliance and the DPO report quarterly on the number and type of data breaches to the highest organisational level in a business line, the MB, NFRC, Risk Committee and the A&RC of the SB. Most breaches were caused by human errors, the use of outdated postal addresses and lost mail items. a.s.r. takes measures to prevent the cause of the breach where possible, e.g. review of processes.
In accordance with the GDPR, a.s.r. is obliged to notify the Dutch DPA (DDPA) of any data breaches which present a risk to the affected individuals. Such notifications are made by the Compliance department, in consultation with the DPO. In 2023, 87 data breaches were reported to the DDPA (2022:41)1. a.s.r. took measures to mitigate any risks for the individuals and has no reason to expect any of the reported breaches to have a serious impact for those involved. The increase of the breaches reported to the DDPA was mainly caused by the exchange of data with third parties. Options for improvement of this process are being further investigated.
Complaints about privacy issues help a.s.r. to improve processes to enhance privacy compliance. a.s.r. observes a still increasing privacy awareness amongst customers leading to increasing numbers of questions and complaints regarding privacy. In 2023, a.s.r. received 149 complaints from customers and third parties including one complaint from regulatory bodies (2022:107). Most of these complaints relate to data breaches, but also to individuals exercising their privacy rights, such as the right of access and the right to be forgotten.
(in numbers)
- 1 Complaints received from regulatory bodies are also included in the figure reported for complaints received from third parties.
- 2 As of reporting year 2023, a more complete classification approach is applied to the figure complaints related to customer privacy received from third parties. The 2022 figure has been adjusted to align with the 2023 approach accordingly.
- 1The a.s.r. general privacy statement applies to the following entities and brands: ASR Levensverzekering N.V., ASR Basis Ziektekostenverzekeringen N.V., ASR Aanvullende Ziektekostenverzekeringen N.V., ASR Schadeverzekering N.V., ASR Vermogensbeheer N.V., ASR Real Estate B.V., ASR Vitaliteit en Preventieve Diensten B.V., ASR Vooruit B.V., ASR Premiepensioeninstelling N.V., ASR Re-integratie B.V., Aegon Hypotheken B.V, Aegon Levensverzekering N.V., Aegon Cappital B.V., Aegon Advies B.V., Aegon Bemiddeling B.V., Aegon Administratie B.V., Aegon Administratieve Dienstverlening B.V., Aegon Spaarkas N.V., a.s.r., Aegon and Loyalis a.s.r. Vitality and a.s.r. real estate have their own privacy statement.
- 2Figures in this chapter exclude Corins and D&S entities.