a.s.r. is committed to using the collected personal data responsibly and diligently to create value for both customers and the organisation. Sustainable growth can only be achieved by effectively safeguarding the privacy of customers, employees, and other individuals. This involves a conscious approach to handling personal data, along with a thorough understanding and adherence to relevant regulations.
Governance and organisation
A robust governance structure is essential for effective personal data protection. The privacy governance model is outlined in the a.s.r. Privacy Policy. The Executive Board (EB), in particular the CTO, is responsible for compliance with data protection regulations. In 2024, a central Privacy Office was established to manage privacy policies and strengthen privacy compliance in the first line. A privacy risk and control framework was developed (as part of the compliance risk and monitoring framework) to help monitor privacy-related risks.
The Data Protection Officer (DPO) independently monitors and promotes privacy compliance within a.s.r. by advising and raising awareness. The DPO operates alongside the Compliance department. The DPO has the authority to escalate critical privacy compliance matters to the highest levels of the organisation, including the CEO, the Chair of the A&RC and/or the SB.
a.s.r. standards for the processing of personal data
a.s.r. always informs data subjects clearly and in advance about how and why a.s.r. processes their personal data. This is done through several types of privacy notices. a.s.r.’s general Privacy Statement is published on the website at www.asrnl.com and includes information about a.s.r.’s contact details, the purposes of the processing, the legal basis for the processing, the recipients of the data, the retention period and the rights of the data subjects.
a.s.r. has established a clear set of standards for the processing of personal data of customers, employees, intermediaries and other parties (‘data subjects’). These standards are detailed in the a.s.r. privacy policies and their translations. Furthermore, a.s.r. adheres to the Insurers and Crime Protocol (Protocol Verzekeraars en Criminaliteit) as well as the Financial Institutions Incident Warning System Protocol (Protocol Incidentenwaarschuwingssysteem) when processing data to detect fraud and abuse. These protocols were established by the Dutch Association of Insurers and Health Insurers Netherlands.
See section 3.1.3.2 for more information about IT and the digital strategy, and 5.4.3.1.3 for risks related to cyber and information security.
Data breaches and complaints in 2024
Measuring and reporting data breaches is a crucial way to enhance the technical and organisational measures that protect personal data. It also helps mitigate the consequences of any breach for the affected individuals.
a.s.r. has a procedure in place for reporting personal data breaches to a Data Breach Team. This team assesses whether a data breach needs to be reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens – AP) and whether data subjects need to be informed.
Raising awareness of these procedures and of the importance of taking due care when processing personal data to avoid breaches falls under the awareness programme. Compliance and the DPO report quarterly on the number and type of data breaches to the highest organisational level in a business line – the MB, NFRC, Risk Committee and the A&RC of the SB. Most breaches have been attributed to human errors, outdated postal addresses and lost mail items. a.s.r. implements measures to mitigate the causes of these breaches whenever possible, such as reviewing and improving processes.
In 2024, 134 data breaches related to Personally Identifiable Information (PII) were reported to the AP (2023: 87). This increase is partially due to the inclusion of Aegon NL in the 2024 figures. According to the privacy regulations, the AP must be notified of data breaches that present a probable risk to the affected individuals. These figures exclude the Corins and D&S entities, which have their own data breach processes. a.s.r. took measures to mitigate any risks for the individuals concerned and has no reason to expect any of the reported breaches to have a serious impact on those involved.
Complaints about privacy issues enable a.s.r. to refine processes and boost privacy compliance. a.s.r. has noted a growing awareness of privacy among customers, resulting in an increase in questions and complaints. In 2024, a.s.r. received 190 complaints from customers and third parties, including three complaints from a regulatory body (2023: 149, of which one from a regulatory body). Most complaints relate to data breaches, but many relate to individuals exercising their privacy rights, such as the right of access and the right to be forgotten.
Notes to the table of data breaches and complaints (in numbers):
- 1 Complaints received from regulatory bodies are also included in the figure reported for complaints received from third parties.
- 2 As of reporting year 2023, a more complete classification approach is applied to the figure for complaints related to customer privacy received from third parties.
- 3 These figures are not in scope of CSRD and limited assurance.
Section 5.5.2 is in scope of CSRD and limited assurance (ESRS S1, S4).