I. Introduction
Any references to “we” or “us” in this Privacy Policy shall refer to the company dhig GmbH.

The aim of this Privacy Policy is to explain to you what personal data we process, why we do it and what we do with it, as well as to inform you of your rights related thereto and the ways to implement them. We care about safety and due processing of your personal data. It is important to us that you are well informed about the processing of your personal data; therefore, we encourage you not to hesitate to contact us should you have any questions. You will find our contact details in the part XIV of this Policy.

You may find the description of key terms used in this Policy at its very end in the part XV.

When processing your personal data we are subject to respective European Union legislation, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). This Policy was prepared based on the General Data Protection Regulation.

If you intend to include other individuals in your insurance / you want to enter into an insurance contract for the benefit of other natural persons, this Policy should be brought to the attention of these natural persons. Moreover, if you provide to us personal data about other natural persons (e.g. your family members or other persons that you want to insure), you must obtain their consent prior to your disclosure of their personal data to us.

By providing your personal data / personal data of natural persons included in your insurance (or otherwise insured by you), you recognize our right to process such personal data strictly within the limits and under the conditions as set in this Policy.

We reserve the right to amend this Policy from time to time, for instance whenever necessary due to changes in applicable legislation, or due to changes in the technologies used, etc. We therefore kindly encourage you to periodically check the webpage https://dhig.net for the latest version of the Policy. We shall effectively inform you about any subsequent substantive or material changes to this Policy.

II. dhig GmbH and our role in processing of your personal data
We are a part of the Daily Health International Group engaged in arranging and provision of insurance and reinsurance solutions for insuring natural persons. Our core business is insurance and reinsurance intermediation, claims handling and underwriting. In our daily activities we mainly distribute products of insurance companies and arrange ceding of risks related thereto; whenever authorized by insurers/reinsurers, we also assist insurance / reinsurance companies in administration and servicing of insurance contracts (for instance, we do the underwriting, we administrate insurance contracts, we handle claims, etc.).

In the course of our activities we have to process personal data of natural persons interested in our distributed insurance products, as well as of persons insured under policies whose distribution or reinsurance is intermediated by us, and other persons disclosing their personal data to us (e.g. our employees, etc.).

Depending on the circumstances, under which your personal data is disclosed to us, we are:

the controller of your personal data – when you or another person wishing to insure you (for instance, your employer) apply to us in order to obtain a quote or information on insurance products distributed by us, or when you visit our webpage
the processor of your personal data – for instance, when we are authorized by your insurer to handle your insurance claims and/or (as the case may be) to administer the insurance contracts concluded for your benefit. We act as a processor of your personal data also in case when a reinsurer (i.e. entity reinsuring the risks of the insurance concluded for your benefit) authorizes us to administer respective reinsurance contract or when we are authorized by another controller of your personal data. In the example cases described herein, the controller of your personal data may be: (i) the insurance company, which has issued the insurance for your benefit; or (ii) the reinsurance company, reinsuring the risks of your insurance. We are the processor of your personal data based on respective data processing agreement between us and the controller of your personal data.
When we act as a processor of your personal data, the primary responsibility for processing of your personal data lies with the controller. This means that we might have to re-direct an inquiry about our processing of your personal data to the controller. Should this be the case, you shall be duly informed about this.

Please do not hesitate to contact us (our contact details are indicated in the part XIV of this Policy), should you wish to know our specific role in processing your personal data.

III. Our Fundamental Privacy Principles
Processing of your personal data by us is based on the following key principles:

Lawfulness, fairness and transparency
We process your personal data with due care, lawfully, fairly and in a transparent manner. We only process your personal data if we have a lawful basis to do so.

Purpose limitation
We only process your personal data to fulfil specific, explicit and legitimate purposes, which are set prior to such processing. We may change these purposes in a legitimate and transparent manner. Should we wish to process your personal data for a new purpose (i.e. for other purpose than it was collected for), then we shall ask for your respective approval.

Data minimization
Your personal data as processed by us shall be adequate and relevant, i.e. we shall process your personal data adequately and only to the extent it is necessary for the purposes of processing. We shall implement this principle taking into consideration the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for your rights and freedoms. In order to ensure data minimization, we shall implement appropriate technical and organizational measures, such as pseudonymization, and integrate other safeguards (as may be necessary).

Accuracy
Your personal data as processed by us shall be accurate and (where necessary, regarding the purposes of its processing) kept up to date. We shall take every reasonable step to promptly erase or rectify your inaccurate personal data, whenever it is necessary regarding the purposes of its processing.

Storage limitation
We shall keep your personal data only for as long as it is necessary to meet the purposes it is processed for or as required by law. We shall dispose of or anonymize your personal data (in a way that you stay anonymous and may no longer be identified) after it is no longer needed.

Integrity and confidentiality
We ensure appropriate security of your personal data, including its protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Data protection by default principle
We shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This will also be applicable to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. We will make sure that by default your personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

When we are a processor of your personal data, we act based on and within the authorizations as given to us by the controller of your personal data.
We do not sell your personal data.
IV. The Ways We Collect Your Personal Data
We collect your personal data only when and to the extent it is necessary for the purposes of their processing as established in this Policy. There are two main ways in which we collect your personal data: directly from you or from other sources (third parties and other). We collect your personal data from you when you disclose it to us in any way (for instance, during a telephone conversation, by e-mail, in your application, when using our website, etc.). We may collect your personal data from other sources, such as your insurer (for instance, whenever we are engaged by your insurer for execution / implementation of your insurance contract), doctors and other medical professionals, your family members or other authorized persons (for instance, in case when you are not able to communicate to us directly), checking databases, etc. Please find below more detailed descriptions of the ways we collect your personal data:

We collect your personal data directly from you:

whenever you inquire about insurance products as distributed by us
through requests for quotes, application forms and other insurance related documentation filled in by you
whenever you purchase insurance as distributed by us
via telephone calls with you, which may be recorded
when you use our website – via cookies, IP address
in other cases when you share your personal data with us.
We may collect your personal data from other sources as follows (depending on circumstances, purposes and lawful basis of such processing):

from natural / legal person (e.g., from your family members, your employer or an association that you are a member of) insuring you (i.e. person, who acquires an insurance for your benefit)
from third parties executing underwriting
from insurance companies (when we are mediating entry into an insurance contract, administrating your insurance contract and/or handling insurance claims)
from insurance intermediaries, which mediate or otherwise participate in the process of arranging an insurance for you (for instance, when you are insured by your employer, who is represented by its insurance broker)
from reinsurance intermediaries and reinsurers, that mediate or otherwise participate in the process of arranging reinsurance in respect of your insurance
from banks and other financial institutions as may be necessary to arrange payment / reimbursement of insurance premium, as well as in respect of other payment due based on your insurance contract
from public registers and records, credit reference agencies, social media (especially when fraud is suspected)
from third parties in the course of presenting, handling and paying your insurance claims:
from your family members or your authorized persons when you yourself are not able to provide relevant information;
from persons arranging your insurance (for instance, from your employer when it insures you)
from doctors and other medical professionals;
from hospitals, ambulances and other providers of medical and related services;
from third parties engaged in insurance claims handling and/or administration (for instance, third parties evaluating eligibility of your claims)
from third parties arranging provision of necessary help and other assistance under the terms and conditions of your insurance;
from banks and other financial institutions as may be necessary to arrange payment of your insurance claims.
V. Your personal data that we collect
Firstly, your personal data that we collect shall always depend on the following:

on the nature of our relationship with you (e.g. on the reason that you apply to us, if your employer applies to us for insuring you, etc.)
on the nature of authorizations we were granted by your insurance company or by its reinsurer(s) (for instance, if we are authorized to evaluate insurance risk (underwriting) and define adequate insurance rate in respect of you; if we are authorized to arrange entry into insurance contract in respect of you; if we are authorized to administer your insurance contract, handle your insurance claims; if we are authorised to arrange reinsurance in respect of your insurance; etc.).
Secondly, your personal data that we process also depends on the insurance products that you are interested in (for instance, we would need different personal data for travel and medical insurances).

In all cases, we shall collect and otherwise process only such personal data, which is objectively necessary for respective processing purposes.

We may collect the following personal data:

identification information, such as your full name, age, date and place of birth, gender, national insurance number, driving license, passport or other identification document, signature, photo, nationality, citizenship, etc.
your contact details, such as the country of residence, data related to planning on moving out of the country of residence, home country, email address, telephone numbers, etc.
social security related data (including social security card number and other related data)
employment related data – occupation / profession (current and previous), employment start and termination date, vacation, pregnancy, as well as other working time and absence from work related data (e.g. in case when you are to be insured by your employer under a group insurance contract)
membership in an organization (e.g. when an organization arranges your insurance)
travel related data (e.g. when you are interested in a travel insurance)
your lifestyle and social circumstances, for example: your interests, such as whether you do sports, your housing status and number of dependents; your marital status; other family details (e.g. it may be relevant in case of medical insurance, depending on the type of the insurance cover)
your insurance history related information (e.g. exclusions, limitations and other special terms and conditions that were previously applicable in respect of you)
personal data about your family members or any other person included in your insurance (and their relationship to you)
results of criminal checks relating to prevention of fraud and/or terrorist activities – if mandatory requested by applicable laws
bank and related financial/taxation data (including copies of bank cards, credit/debit card and bank account details, information obtained as a result of our credit checks)
details of political and economic sanctions (which would prevent an insurer from implementing insurance coverage or from claims payments in certain areas)
information relevant to your insurance claim or your involvement in the matter giving rise to this claim
records of phone calls
sensitive personal data:
health and medical history, medical condition related personal data, such as, for example: data resulting from medical reports or from death certificates; medical and medical claims history; details of physical and psychological health or medical conditions; etc.
details concerning sexual life or sexual orientation (for example, marital status)
details regarding criminal offences (for instance, bankruptcies, previous criminal convictions)
IP addresses and other data obtained through our use of cookies, when you visit our websites
your marketing preferences
other personal data as requested by an insurer of insurance product that we are distributing and/or by its reinsurer
other personal data that may be shared with us by you or third parties (e.g. other information (i.e. other than listed above) included in a medical report that we receive for handling of your medical claim).
VI. Why and on what lawful basis we use your personal data
We process your personal data only for the purposes it was collected for. Furthermore, we only use your personal data if we have a respective lawful basis to do so. For each specific purpose we shall process only your personal data, which is necessary for this purpose.

Lawful basis for processing of your personal data

The lawful basis for us to process your personal data depends on our role in processing your personal data:

Whenever we are a controller of your personal data – we process your personal data on the following lawful basis:
processing is necessary for the performance of a contract to which you are a party, or to take steps (at your request) to enter into a contract
processing is necessary to comply with a relevant legal obligation (e.g. where we are obliged to process your personal data for tax or accounting purposes)
processing is necessary to protect your vital interests or those of another natural person (e.g. in emergency cases)
processing is necessary to perform a task in the public interest or to exercise an official authority vested in us
processing is necessary for the purpose of our legitimate interest – processing of your personal data is necessary to undertake actions for our legitimate interest or the legitimate interest of a third party, except where it is overridden by your interests or fundamental rights and freedoms which require protection of your personal data. Please see below examples of cases when we may process your personal data based on our legitimate interest:
we process your personal data to duly respond to an inquiry / request regarding our distributed insurance product – this may include reviewing respective application for insurance, providing quotes, underwriting, etc.
we process your personal data to prepare for execution of an insurance contract in respect of you
we process your personal data to prepare for execution of a reinsurance contract in respect of your insurance.
Before processing of your personal data for the purpose of legitimate interest we execute a balancing test to establish if your interests / fundamental rights do not override our legitimate interest. You may request from us information on such balancing test. Please also note that you are entitled to object to us processing your personal data for the purpose of our legitimate interest (you may find a detailed description of this right in the part VII of this Policy).

your consent – we may also process your personal data based on your consent. Wherever we process your personal data based on your consent, you are entitled to withdraw such consent at any time. We shall provide you with the possibility to withdraw your consent as easily as it was given. We shall inform you about your right to withdraw your consent before obtaining it. We shall also inform you about the consequences of such withdrawal. Furthermore, we shall keep records demonstrating your consent to processing of your personal data. Should we ask for your consent to data processing in the context of a declaration concerning also other matters, we shall ensure that such request is clearly distinguishable from other matters, is easily accessible and intelligible, and is formulated using plain and clear language. Please note that in some cases, should you withdraw your consent, we may no longer be able to execute actions for execution of which such processing is necessary.
Lawful basis for processing your sensitive personal data:
We only process your sensitive personal data if the processing is necessary for one of the following reasons:

you have given your explicit consent to the processing of your personal data for one or more specified purposes, if it is permitted by applicable laws
processing is necessary to protect your vital interests or the vital interests of another natural person where you are physically or legally incapable of giving consent (e.g. in emergency cases);
processing relates to personal data which are manifestly made public by you;
processing is necessary for the establishment, exercise or defense of legal claims.
Whenever we are a processor of your personal data (i.e. whenever we process your personal data on behalf of your insurer or other controller of your personal data) our lawful basis to process them is a respective data processing agreement. Besides other provisions, such agreement shall include:
our obligation to process your personal data only on documented instructions from the controller of your personal data (including with regard to transfers of your personal data to a third country or an international organization outside the EEA);
our commitment to confidentiality;
our obligation to ensure security of processing of your personal data;
terms and conditions subject to which we are allowed to engage sub-processors (other processors) for processing of your personal data, should we be allowed to do that;
our obligation, at the choice of the controller of your personal data, to delete or return all your personal data to the controller after the end of the provision of services relating to such processing; our obligation to delete existing copies of your personal data, unless applicable legislation requires storage of your personal data;
our obligation to make available to the controller of your personal data information necessary to demonstrate our compliance with obligations and to allow for and contribute to audits by the controller of your personal data.
Purposes we may process your personal data for

In the capacity of the controller of your personal data, we may process your personal data:
– to duly respond to an inquiry / request regarding our distributed insurance product – this may include reviewing respective application for insurance, providing quotes, underwriting, etc.;
(i.e. whenever we process your personal data on behalf of your insurer or other controller of your personal data) we shall process your personal data only for specific purposes as we are authorized. Among such purposes may be the following:
to execute, perform and service your insurance contract – this may include such activities as underwriting, providing with offers / renewal offers/ information about quotation, assessing individual insurance application or health questionnaires, managing and administrating the insurance contract, handling insurance claims and providing other services in accordance with the insurance contract;
to arrange reinsurance or co-insurance in respect of your insurance;
to assist the controller of your personal data in meeting relevant legal obligations;
to administrate your debt recoveries;
to prevent, detect and investigate fraud.
VII. Your Rights
You have various rights in respect of processing of your personal data, which we summarize below. Whenever you apply to us wishing to exercise your right – we shall either do what you are asking for, or explain why we can’t do that (this would usually (but not always) be the case when legal or regulatory norms oblige us/the controller of your personal data to act differently). You may exercise your rights by contacting us / our data protection officer by e-mail: contact@dhig.net or data@dhig.net.

The right to access your personal data

You have the right to obtain from us a confirmation as to whether or not we process your personal data; and, where that is the case, access to such personal data and the following information related thereto:

the purposes of the processing;
the categories of personal data as processed by us;
to whom (recipients or their categories) your personal data have been or will be disclosed by us,
where your personal data are intended to be transferred outside the EEA you have the right to be informed about safeguards under which your personal data is transferred outside EEA and to obtain a copy of them or be referred to where they are available;
duration of storage of your personal data or the criteria used to determine that period;
your right to request rectification or erasure of your personal data or restriction of processing of your personal data or to object to such processing;
your right to lodge a complaint with a supervisory authority;
the sources we get your personal data from (when we do not get it from you directly);
the existence of automated decision-making, including profiling.
Upon your respective request we shall provide you with the copy of your personal data as processed by us (for any further copies requested by you, we reserve the right to ask for a reasonable fee based on administration costs). Should you make your request in electronic form, we shall also respond to you in the electronic form (unless you request an answer to be presented differently).

The right to rectification

We take reasonable steps to ensure that the personal data we hold about you is accurate and complete (taking into account purposes of processing). You have the right to ask us to correct the inaccurate personal data that we are processing without undue delay. You have the right to have your incomplete personal data completed, including by means of providing a supplementary statement.

The right to erasure (“right to be forgotten”)

You have the right to ask us to erase your personal data as processed by us when:

your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
you withdraw your consent for the processing of your personal data (where there is no other legal ground for processing of these personal data by us);
you object to processing of your personal data that is based on legitimate interest, including profiling related thereto. We shall no longer process your personal data on these grounds, unless there are overriding legitimate grounds for continued processing;
your personal data have been unlawfully processed;
your personal data must be erased to comply with the applicable European Union (or its Member State) law;
the personal data relates to a child or a natural person whose personal data were collected when he/she was a child in relation to services provided via information society services (internet, website, apps etc.).
If we have made your personal data public and are obliged to erase them, we shall take reasonable steps to inform other controllers which are processing such personal data about your request for erasure of any links to, or copy or replication of, those personal data.

We may refuse to act on your request to erase your personal data, when processing of your personal data is necessary:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by applicable European Union (or its Member State) law;
for the establishment, exercise or defense of legal claims.
The right to restriction of processing

You have the right to ask us to restrict the processing of your personal data if:

you contest the accuracy of processing of your personal data, for a period enabling us to verify the accuracy of the personal data processed by us;
the processing is unlawful and you do not want us to erase your personal data;
your personal data is no longer needed for original purposes of processing, but they are required by you to establish, exercise or defend legal claims and therefore you do not want us to delete this personal data;
you have objected to processing of your personal data carried out because of legitimate interest, while we verify if our legitimate interests override yours.
Where processing of your personal data has been restricted as foreseen above, with the exception of storage, such personal data may only be processed:

if you give us your consent; or
for the establishment, exercise or defense of legal claims; or
for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Once processing of your personal data has been restricted by you, we will inform you before lifting the restriction.

The right to data portability

If we process your personal data by automated means (by computer) based on your consent or to fulfill a contract, you have the right:

to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format, and
to transmit those data to another controller or request that we do that (where technically feasible).
Your right to data portability shall be without prejudice to your right to erasure. Execution of your right to data portability shall not adversely affect the rights and freedoms of others.

The right to object to processing

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data based on our legitimate interest or for performing a task in the public interest or to exercise an official authority vested in us. If you object to such processing, we have a possibility to demonstrate that we have a compelling legitimate interest which overrides your rights and freedoms.

The right to object to direct marketing

You have the right to object at any time to processing of your personal data for direct marketing, which includes profiling to the extent that it is related to such direct marketing.

The right to object to automated individual decision-making, including profiling

You have the right to object to any decision producing legal effects concerning you or similarly significantly affecting you, if this is based solely on automated decision-making (automated processing of your personal data without human intervention). This includes automated decisions based on profiling. We may refuse your request if the decision in question is:

necessary for entering into, or performance of, a contract with you;
permitted by the applicable European Union or its Member State law; or
based on your explicit consent.
Even if we refuse your request as mentioned above, you still have the right to contest our decision and to request human intervention in the automated individual decision-making in question.

We shall make decisions relying solely on automated processing that involve your sensitive personal data only if you have given your explicit consent for that.

The right to withdraw your consent

In cases where we process your personal data based on your provided consent, you shall always have the right to withdraw it. Please note that in some cases, should you withdraw your consent, we may no longer be able to execute actions for which such processing is necessary.

The right to lodge a complaint

You can make all requests using the contact details provided to you in your insurance documentation (insurance policy or certificate) or using our contact details as provided in the part XIV of this Policy.

Should you have any objections with regards to how we process your personal data in the capacity of the processor (i.e. whenever we process your personal data on behalf of your insurer), you have the right to complain to this insurer using the contact details provided to you in your insurance documentation (insurance policy or certificate).

You have the right to lodge a complaint with a supervisory authority (i.e. an independent public authority responsible for monitoring the application of the GDPR), in particular in the EEA Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes GDPR.

We are a company incorporated and existing under (and therefore, subject to) the legislation of the Republic of Austria. Therefore, you have also the right to complain to Österreichische Datenschutzbehörde (webpage: https://www.dsb.gv.at/; address: Barichgasse 40-42, 1030 Vienna, Austria; Telephone: +43 1 52 152-0; E-Mail: dsb@dsb.gv.at) at any time if you object to the way in which we process your personal data.

VIII. Automated individual decision-making, including profiling
We hereby inform you that, should you apply for an individual insurance cover, some of our decisions in respect of you (which could eventually produce legal effects concerning you or similarly affect you) shall be made automatically (by electronic means), without human involvement. This happens as follows – some personal data as processed by us is put in the system, the system electronically evaluates such personal data and makes a decision based on specific criteria. We shall execute automated individual decision-making (including profiling) only based on above mentioned legal grounds in the following situations:

processing of your application for insurance (including preparing quotes, underwriting, calculating insurance premium, checking on special terms and conditions of insurance to be applicable in respect of you)
We will use automatic decision making when assessing your individual application for insurance, in order to (for instance) identify health and financial risks related to insuring you and, subsequently, to calculate an insurance premium and determine other special insurance terms and conditions (such as exclusions, limitations or others), which would be applicable. Please find below a short description of an example situation in case of international medical insurance as distributed by us:

We receive your direct application for insurance. Depending on the specific type of insurance cover as requested by you, we could ask for some of your personal data (like your age, gender, profession, your country of residence, your style of life (if, for instance, you smoke cigarettes)). In some cases (under some types of insurance covers) we would also need some of your sensitive personal data (medical history). We would put the necessary data in our system and do profiling as strictly necessary for the purpose discussed herein. Based on your included personal data, the system would evaluate risks related to insuring you under the insurance cover of your choice and respectively calculate the insurance premium, as well as determine special terms and conditions to be applicable in respect of you. When evaluating risks related to insuring you, all kinds of risks (financial and medical) would be taken into account. For instance, should you be a smoker, then the risks of certain diseases in your case (and respectively possible medical expenses) are higher than in case of a non-smoking person; should you reside in a country with an expensive medical system, then expected medical expenses in respect of you would be higher; etc.
Please note that we use your sensitive personal data for automated decision-making (including profiling) only if you explicitly agree to this. However, should you not agree to this, we may be unable to process your application for insurance. It may be the case that we could propose to you an alternative insurance cover, where we would not have to automatically process your sensitive personal data at this stage.

profiling for fraud analysis
We may use automated anti-fraud solutions (filters or other software) that check against a list of persons known to have undertaken fraudulent actions, and will reject the respective applications for insurance.

You have the right to object to any decision producing legal effects concerning you or similarly significantly affecting you, if this is based solely on automated decision-making (automated processing of your personal data). Please find a detailed description of this right in the part VII of this Policy.

IX. Do we collect personal data from children?
Our websites and services provided through them are not aimed at and designated for children. We do not knowingly collect personal data from children through our websites.

X. Recipients / categories of recipients of your personal data
We share your personal data solely for the purposes of processing as described in this Policy. We may share your personal data with the following categories of recipients:

Entities within Daily Health International Group (including our subsidiaries, affiliates and other entities related to us) – we may share your personal data with other Daily Health International Group entities in order to provide our services. This may be done for our general business administration, efficiency and accuracy purposes.
Third parties:
your family members or other representatives (on behalf of you, where you are incapacitated or unable)
your named representatives / contact persons (e.g. your lawyer, your insurance broker or other intermediary)
insurance policyholder – when you are insured under a group insurance cover (for instance, by your employer or organization you are member of)
our business partners – insurers, reinsurers, underwriters, medical consultants, other insurance intermediaries, TPA (third party administrators – i.e. entities engaged in handling insurance claims, provision of services covered by insurance contracts), providers of medical and other service (included under your insurance cover), translators, fraud detection agencies, lawyers and accountants, as well as other persons involved in claims handling process
other service providers – we could also share your personal data with service providers we have retained to perform services on our behalf or to otherwise support our activities related to processing of your personal data (e.g. IT services providers)
state and other authorities, to which we are obliged to disclose your personal data by applicable laws.
In general, third parties as mentioned above may be:

controllers / joint-controllers of your personal data – they will have an independent relationship with you (their own lawful basis and purposes for processing your personal data) – e.g. your insurer would eventually process your personal data based on the insurance contract concluded with you
processors / sub-processors of your personal data – i.e. persons engaged by us in processing of your personal data on our behalf or on behalf of the controller of your personal data (e.g. company hosting our server, or a person engaged by us to do underwriting, or a person engaged by us to handle your insurance claims). Whenever we engage a processor / sub-processor, we shall:
share with it/him/her your personal data only to the extent that it is necessary for execution of tasks, for which this processor / sub-processor has been engaged, and only within the purposes for which we process your personal data,
enter into a data processing agreement (following the requirements as set by the General Data Protection Regulation),
or when this recipient is under an appropriate statutory obligation of confidentiality.
Whenever we act as a processor of your personal data (i.e. whenever we process your personal data on behalf of your insurer or other controller of your personal data), we act under the authority of the controller of your personal data and therefore are allowed to share them with third parties, subject to terms and conditions as set by this controller.

XI. Transfer of personal data outside EEA
We keep and process your personal data in servers in the European Union. However, due to:

specific features of our provided services (e.g. for the purpose of arranging 24 hours a day, 7 days a week response for insurance claims in different parts of the world)
your requested insurance (e.g. when your travel insurance is to be valid outside EEA, or when you are to be insured by an international medical insurance, to be valid outside EEA, or when (based on your insurance cover) you are to receive medical or other services outside EEA)
our group structure (our related entity being established outside EEA)
other objective reasons,
we may share your personal data with persons outside EEA.

We will transfer your personal data outside EEA only if (subject to the other provisions of the General Data Protection Regulation) one of the following conditions is met:

your personal data is transferred to a country or the international organization where the European Commission has decided that this country (a territory or one or more specified sectors within that country) or the international organization in question ensures an adequate level of protection; or
we transfer your personal data on the basis of appropriate and suitable safeguards as requested by the General Data Protection Regulation (such as, e.g. signing standard data protection clauses adopted by the EU Commission). Please note that you have the right to obtain a copy of these safeguards or to be referred to where they are available.
If you would like further information about whether we transfer your personal data outside EEA, and (should that be the case) to which countries and under what specific safeguards, please contact us under the contact details indicated in the part XIV of this Policy.

XII. How long we retain your personal data
How long we retain your personal data depends on the purpose it was collected for and its nature, as well as on further development of our mutual relationship.

When we are a controller of your personal data (please see explanation in the part II of this Policy), we process your personal data for as long as:

it is necessary for the purpose it is processed for, and
we are legally obliged to retain personal data, and
data is necessary for the establishment, exercise or defense of legal claims.
Please note that:

in case when you send us a request (e.g. a request for a quote or a question) and do not afterwards wish to further interact with us (i.e. you do not wish to further apply for an insurance that we distribute), we shall stop processing your personal data, unless we reasonably believe there is a prospect of litigation relating to your personal data or dealings;
after the expiry of the term of retention of your personal data, we shall delete it and / or anonymize it (i.e. we shall remove personal identifiers, both direct and indirect, that may lead to you being identified).
When we are a processor of your personal data (i.e. whenever we process your personal data on behalf of your insurer or other controller of your personal data) we shall process your personal data only as long as we are authorized to do so by the controller of your data. After expiry of such authorizations, we shall, at the choice of the controller, delete or return all your personal data to the controller and delete existing copies unless European Union or applicable Member State law requires storage of your personal data.

XIII. Data Protection Officer
You can contact our data protection officer via e-mail: dpo@dhig.net or via post at the address: dhig GmbH c/o DPO, Am Heumarkt 10/1, 1030 Vienna, Republic of Austria.

XIV. Dhig GmbH Company Details
dhig GmbH is the limited liability legal entity registered in the registry of legal entities of the Republic of Austria (Firmenbuch) under the number FN 515759 w, registration address Am Heumarkt 10/1, 1030 Vienna, Republic of Austria.

The company dhig GmbH possesses an insurance intermediary license in the form of “insurance makler and advice in insurance matters” (Versicherungsmakler und Beratung in Versicherungsangelegenheiten) issued by the Magistrat of the city of Vienna under the number (GISA-Zahl): 31857536

Our website: https://dhig.net

Our contact details:

e-mail: contact@dhig.net

Telephone: +43 1 300 81 81

XV. Key Terms
Please find below description of terms, which will be used in this Policy (additionally to the terms described earlier in this Policy):

Term Description
biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.
data concerning health means personal data related to your physical or mental health, including the provision of health care services, which reveal information about your health status.
data controller or controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes (“why?”) and means (“How?”) of the processing of personal data. Where two or more controllers jointly determine the purpose and means of processing of personal data, such controllers shall be regarded as “joint-controllers” in respect of such personal data.
data processor or processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
EEA means the European Economic Area consisting of all the European Union countries, as well as Iceland, Liechtenstein and Norway.
genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
personal data means any information relating to an identified or identifiable natural person.
personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, your personal data transmitted, stored or otherwise processed.
processing means any operation or set of operations which is performed on your personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
profiling means any form of automated processing of your personal data consisting of the use of your personal data to evaluate certain personal aspects relating to you, in particular to analyze or predict aspects concerning your performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
sensitive personal data means personal data that can reveal your racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership. It also refers to the processing of your genetic and biometric data, as well as data concerning your health, sexual orientation or your sex life.
underwriting means the process of evaluating medical and financial risk related to providing insurance in respect of specific persons applying for insurance (person to be insured), deciding on the acceptance or refusal to accept these risks, deciding on specific coverage to be provided to persons to be insured, deciding on insurance premium due and on other insurance conditions.