GDPR (General Data Protection Regulation)

Here are the most frequently asked questions on data protection and privacy aimed at any person within the European Union

Adherence to the Digital Pact

DKV is a member of the Digital Pact promoted by the Agencia Española de Protección de Datos. If you have detected any content that may be offensive or detrimental to minors, underprivileged groups or groups at risk of social exclusion, click on this link , which will take you to the Whistleblower channel. It is free, and you will be helping others and the Company.

Eliminating abuse on the internet is a shared commitment.

Right to privacy

What are my privacy rights?

You have the right to know and to receive an answer from us regarding if we hold any data of yours. If we are holding any, you have the right to know how we obtained them if you are not aware of providing them yourself, for what reason we have them and for how long we will hold them, to which categories of recipients we transfer them too, and if we have carried out any international transfers and to which countries if they are outside the European Union.

You also have the right to know about all your basic data or data arising from your activity with us, except to those inferred in our database; receive a copy of them or to send them to whoever you ask, under your responsibility; to rectify them; limit their use for the purposes you decide; oppose their processing in certain conditions or inform you about the consequences if we fulfil your request; and finally delete them when the time periods have expired.

Lastly, if a very serious security incident were to occur in which there is data of yours that could severely affect your privacy, we will inform you of such incident and about the different measures we have adopted to resolve the incident as quickly as possible.

How do I exercise them?

For your security, DKV will ask you to prove that it is truly you with sufficient guarantees, that is, without your name, surname and National ID No. we will not be able to fulfil your request.

You may exercise all these rights via any of the channels we have listed in the Privacy Policy included at the foot of this website, and we encourage you to use your private customer area, where we have introduced improvements, so you have all the information you would like to know about your rights.

You may contact the Data Protection Officer if you are not satisfied with the answer, and as a last resort the Spanish Data Protection Agency in calle Jorge Juan 6, 28001 Madrid.

Transfer of data

To whom my data will be transferred

Your data will be transferred to other DKV Group or ERGO Insurance Group companies for administrative and management control purposes.  

The DKV Group comprises:  

  • ERGO GENERALES SEGUROS Y REASEGUROS, SAU (hereinafter, ERGO GENERALES) domiciled at Avenida Concha Espina, 63 28016 Madrid, with Tax ID No. A-28072940. While DKV Seguros is the expert in medical insurance, ERGO GENERALES specialises in managing health and death insurance. 

  • ERGO VIDA SEGUROS Y REASEGUROS, SOCIEDAD ANÓNIMA (SOCIEDAD UNIPERSONAL), known as ERGO VIDA, domiciled at Torre DKV, Avenida María Zambrano 31, 50018 Zaragoza, with Tax ID No. A-79420899.

  • UNIÓN MÉDICA LA FUENCISLA, SOCIEDAD ANÓNIMA, COMPAÑÍA DE SEGUROS (SOCIEDAD UNIPERSONAL) (hereinafter, UNIÓN MÉDICA LA FUENCISLA) domiciled at Torre DKV, Avenida María Zambrano 31, 50018 Zaragoza, with Tax ID No. A-0816960.

  • DKV SERVICIOS SA domiciled at Torre DKV, Avenida María Zambrano 31, 50018 Zaragoza, with Tax ID No. A-99007205 is also part of the DKV Seguros Group, but is engaged in a different business to insurance. It established DKV Seguros in 2004, and its purpose worldwide is any type of operation and service related to digital health and well-being, as well as the provision of health and medical care via doctors' offices, health spaces and clinics, attending any type of medical specialities.

  • DKV INTEGRALIA Foundation, with Tax ID number G-62114798 and registered address at Carrer De la Constitució 3-1ª. 08960 Sant Just Desvern Barcelona. The DKV Group would not make full sense without our contact centre foundation. Created by DKV Seguros in 2002 to facilitate social and labour inclusion of people with disabilities, it manages all our telephone calls with DKV customers and offers these services to other companies with other customers. 

As regards the ERGO Group, here is the link to their website, where you can see clearly the companies comprising it www.ergo.com

Other categories of interested parties:  

  • If the policy was taken out via a broker or a company's auxiliary agent, we may transfer the data or provide them access to the information related to the sale so it can collect the appropriate commissions and carry out any other customer portfolio monitoring or retention activities.  

  • All practitioners and hospital groups comprising our medical directory, as well as other people or medical professionals in products where external means can be employed, will be provided access to your data in order to select the medical risk when contracting, to fulfil the provision or to obtain a second medical opinion. 

  • General Providers: If your request is in a language other than Spanish, we may transfer the health information included in your health declaration to translation companies and courier companies to inform you about the increase of the premium or new coverage or send you general information letters. We also use an external provider that manages the physical archive with your contractual documentation. 

  • We have outsourced the recording of hospital billing, and our contact centre through DKV Integralia Foundation and Advance Medical also records your calls.  

  • Specialised Consultancy and Advisory Firms. Our digital health platform, known as "Mi Salud al Día", has been developed by the company Salutic in Malaga and other companies such as Advance Medical or Mediktor. We also use platforms belonging to third-party leading companies in the sector for certain services, such as oncology services via the Bienzobas Group. 

  • Public authorities, such as the Directorate-General for Insurance and Pension Funds, regularly ask us for information, always with a justified cause. Your information is also sent to the Ministry of Justice if you have taken out a life insurance policy with the purpose of safeguarding your rights and, if you die and we cannot locate your family members, in order to notify them of the existence of an insurance policy with us so they can use its guarantees. 

My data: where they are and how long they will be stored

Where they are held? 

Your data are held in our servers at Torre DKV in Zaragoza, in a data centre (DPC) that has been designed complying with the strictest security measures included in the TIA-942 Standard and in a building with renowned certifications, such as the LEED for sustainability, accessibility and energy efficiency guarantees.

Our DPC features RiMatrix technology by Rittal and has achieved power savings of approximately 30%, compared to a traditional DPC solution, with a PUE value oscillating between 1.20 and 1.35; this means that our DPC, in addition to being secure, is environmentally friendly.  

We have replicated your data to guarantee their availability in another contingency centre located at a sufficient distance so it is not exposed to the same business continuity risk as the primary centre, and we have also replicated certain services in our IPS supplier, called Arsys. We also hold certain data of yours at the private cloud Microsoft Azure, located in the Western European region, which has been certified by the Spanish Data Protection Agency as a secure cloud in terms of privacy and security. In certain projects, we store your data in other cloud models, always certified as GDPR Compliant, through partners with extensive experience. 

Besides our infrastructure, we apply data access controls, have implemented security policies and passwords that comply with maximum complexity criteria, conduct cybersecurity audits, have perimeter protection systems, correlate events to detect threats and prevent infections, have incident management procedures in place, have technical staff certified in ethical hacking that check the strength of our security systems, etc. 

How long they are stored?

The DKV Group has a general rule of keeping personal data for seven years from the cancellation of a policy and ten years for Life Insurance. After this period we have a purging programme for the data in electronic and paper format held in the Physical archive, which eliminates any data that is no longer relevant. 

Who is the data controller?

The data controller is DKV Seguros y Reaseguros SAE, which is domiciled at Torre DKV, Avenida María Zambrano 31, 50018 Zaragoza, with Tax ID No. A-50004209. It markets health insurance to individuals and companies. 

The DKV Seguros Group is made up of a leading company called DKV Seguros y Reaseguros SAE and four subsidiaries: Ergo Generales, Ergo Vida, Unión Médica la Fuencisla and DKV Servicios. In addition, there is the DKV Integralia Foundation.  

Data Protection Officer

At DKV we have a Data Protection Officer because we have more than 250 employees and, in addition, we process especially protected data. To fulfil this role, we have chosen a member of staff with over 10 years of experience that has been involved in different departments, such as quality management and IT systems. This person was also a security auditor for one the big four.

This person acts as an advocate and adviser for our customers in privacy matters. If you have any queries, you can contact the DPO by postal mail at Torre DKV Avda María Zambrano 31, 50018 Zaragoza or by email at privacidad@dkvseguros.es

Purpose of the data

The DKV Group will process your data for different purposes based on your relationship with the company:

If we would need your basic personally identifiable data to simulate the price you would pay for any of our products, the legitimate interest and contractual relationship will legitimise its collection.  

If you were interested, the next step would be to provide you a policy application, where we will request your economic-financial information. If the product includes medical coverage, we will also ask you to fill in the Health Declaration, on the basis of which we will prepare your insurance policy and particular and special conditions and offer you the lowest possible premium. We will need this information, which will include especially protected data (health) to process the offer, and we would have to collect it due to legal obligation (Insurance Contract Act) and because there will be a signed contract between the parties.  

If for any reason you were finally not interested in the offer or the DKV Group considers that it cannot insure you and your request is rejected, we will study if we can offer you an alternative that reasonably fulfils your expectations through other compatible services. If we cannot offer an alternative, we will hold your cancelled data for management and fraud prevention purposes as a result of a legitimate interest. 

If you become a customer, we will process all your personal data throughout the lifetime of your insurance policy for the purpose of managing the guarantees covered in your policy. In all these cases we shall be authorised by the contractual relationship.  

While you are our customer, we will send you information about improvements to the currently contracted products and about other products or services with similar purposes to the initial product or service. This will be done as personalised as possible and based on a legitimate interest, and you will be able to oppose this at no cost.  

If we want to send you any information about a completely different product to the one contracted, we must ask for your express consent beforehand. As a legitimate interest, considering it is of your benefit, we will hold your data to ensure IT security and conduct satisfaction surveys post-accident or at a neutral time (when you are not using the insurance, so you have the most objective values possible). We may record the call made to conduct these surveys or your calls regarding your policy made through the call centre, and we will use them to improve the quality of the service, in the same way as we do through our websites when registering the browsing and security cookies for the purpose of making the webpage clearer and easier to use. In fact, you will see that, as a result, we update it frequently. 

Whenever you cancel your policy, for the following three months, we will try to retain you or learn about the reasons behind you leaving us. After this period, we will cancel your data, that is, we will limit the processing of your data to the minimum essential needs. You will not receive any commercial communications from us, and we will hold them only to attend any possible claims and complaints or for purposes of detecting fraud up to the established limitation periods plus two additional precautionary years, that is, for seven years; in Life insurance we will hold them for up to ten years on legal grounds for the prevention of money laundering. At that point in time, the data will be deleted or anonymised in such a way that they cannot make you identifiable, being held only for statistical reports and market or scientific research, as well as to generate advanced predictive models.

Basic concepts

What is the GDPR?

GDPR stands for General Data Protection Regulation, that is, the new European Regulation on Data Protection, and it replaces the previous European Directive of 1995. The GDPR differs in that it is a directly applicable Regulation, i.e. it does not require a local implementing regulation. The GDPR is the privacy law that governs us and any other European company or any other company in the rest of the world that processes data in Europe.

Privacy is a fundamental right of citizens, and the GDPR's purpose is to provide citizens further control over their data in such a hyper-connected and distributed society and enable them to decide what can be carried out with their data. It also levels the playing field in Europe, favouring a secure exchange of information, as up to this point each country drafted their own regulations from the Directive of 1995. As a result, the GDPR affects everyone equally.

 

What rights does it grants me as a citizen?

The GDPR grants you 10 fundamental rights:

  1. Right of information. Companies must identify themselves; inform you about what they will do with your data and why, to which categories of recipients they will transfer them and for how long they will hold them; and notify you about the rights presented below

  2. Access to the data (what data of mine you have)

  3. Rectification of data (correct your database and warn those you have transferred the data too)

  4. Deletion of data (delete me)

  5. Portability of basic data (send me my data or to whomever I say)

  6. Limitation of the processing (keep them blocked)

  7. Opposition to the processing (especially telephone calls or emails)

  8. Not to be subject to only automatic decisions that discriminate us (I want people)

  9. To submit a claim before the Data Protection Agency if you have already submitted one before the company without receiving a reply or because you are not satisfied with the reply.

  10. To be notified if the company is subject to a breach of security where there are sensitive data about you that can seriously compromise your privacy.

Philosophy and basic principles

The GDPR has 5 principles that are essential to understanding its privacy and security approach:

  1. Transparency: Any company that manages personal data must inform users about how their information will be processed in compliance with the regulation.

  2. Limited use: Data can only be used for the purposes notified to clients, employees, suppliers, etc.

  3. Minimum Data. The minimum data required will be requested with the aim of processing your data appropriately (e.g. it would not be appropriate if a company asks about your hobbies or profession when buying a household appliance)

  4. Data's Quality. The few data on the system must be accurate and up to date. The company must ensure the data's quality, because if it is not, the company may make wrong decisions that can have a negative impact on you.

  5. Information Security. Companies that manage data must guarantee a suitable level of security that includes protection against their illegal or unauthorised processing, as well as against their loss, destruction or accidental damage.

What is personal data?

Personal data is everything that makes you identifiable, it can be a name, a photo, your date of birth, email, IP, etc.

Biometric data are also personal data; therefore, they are especially protected. The GDPR focuses on risk, and therefore it takes into consideration what can be done with these data using advanced technical means if they fall in the wrong hands. 

Biometric data allow identifying an individual and/or confirming who the individual is by applying technical processing methods that collect data related to your body or physical appearance or behavioural aspects, such as a facial image, video surveillance, a digital fingerprint, an electronic signature or similar.  

If we hold any biometric data, such as fingerprints to access a building, we must conduct a Privacy Impact Assessment to see if using this access system is really necessary or if there are any other alternatives and to check the security measures of the application processing these data. We have to inform our employees or any third party for which purpose we take fingerprints or an image of your iris or record your voice, conservation periods, third parties with access to these fingerprints, etc.  

Custody and Security

 

Where are data stored?

Your data are held in our servers at Torre DKV in Zaragoza, in a data centre (DPC) that has been designed complying with the strictest security measures included in the TIA-942 Standard and in a building with renowned certifications, such as the LEED for sustainability, accessibility and energy efficiency guarantees. Our DPC features RiMatrix technology by Rittal and has achieved power savings of approximately 30%, compared to a traditional DPC solution, with a PUE value oscillating between 1.20 and 1.35; this means that our DPC, in addition to being secure, is environmentally friendly.  

We have replicated your data to guarantee their availability in another contingency centre located at a sufficient distance so it is not exposed to the same business continuity risk as the primary centre, and we have also replicated certain services in our IPS supplier, called Arsys. We also hold certain data of yours at the private cloud Microsoft Azure, located in the Western European region, which has been certified by the Spanish Data Protection Agency as a secure cloud in terms of privacy and security. In certain projects, we store your data in other cloud models, always certified as GDPR Compliant, through partners with extensive experience. 

Besides our infrastructure, we apply data access controls, have implemented security policies and passwords that comply with maximum complexity criteria, conduct cybersecurity audits, have perimeter protection systems, correlate events to detect threats and prevent infections, have incident management procedures in place, have technical staff certified in ethical hacking that check the strength of our security systems, etc.