1 ASR Levensverzekering N.V., ASR Basis Ziektekostenverzekeringen N.V., ASR Aanvullende Ziektekostenverzekeringen N.V., ASR Schadeverzekering N.V., ASR Vermogensbeheer N.V., ASR Vitaliteit en Preventieve Diensten B.V., ASR Vooruit B.V., ASR Premiepensioeninstelling N.V., ASR Reïntegratie B.V., Advies van a.s.r.
But also: Aegon Hypotheken B.V., Aegon Levensverzekering N.V., Aegon Cappital B.V., Aegon Bemiddeling B.V., Aegon Administratie B.V., Aegon Administratieve Dienstverlening B.V., Aegon Spaarkas N.V. and Loyalis.
The privacy statement also applies to the labels no longer operated by a.s.r., to the extent that a.s.r. still processes personal data in that context, including: Ardanta, Europeesche Verzekeringen, ZZP Pensioen, Axent, De Eendragt and Generali Nederland.
A controller determines how and why personal data are processed. The controller determines the purposes and means of processing personal data and is the point of contact for you as a data subject.
ASR Nederland N.V., with a number of its business units, is jointly responsible for processing your personal data. Mutual agreements have been reached on the division of our responsibilities. These are the following parties:
ASR Schadeverzekering N.V., ASR Levensverzekering N.V., Aegon Levensverzekering N.V., Aegon Spaarkas N.V., ASR Basis Ziektekostenverzekeringen N.V., ASR Aanvullende Ziektekostenverzekeringen N.V., ASR Vermogensbeheer N.V., ASR Real Estate B.V., ASR Wlz Uitvoerder B.V., ASR Premiepensioeninstelling N.V., Cappital, ASR Vooruit B.V., Aegon Hypotheken B.V., Loyalis and a.s.r. Vitality.
a.s.r. has an internal Data Protection Officer (email address: anl.compliance.fg@asr.nl). This officer ensures that the processing of personal data within a.s.r. complies with the General Data Protection Regulation (AVG).
We use your bank account number to make payments and collect amounts due (premium, fee, periodic deposit or interest). In addition, we may have your income details if this is necessary for one or more of our financial products.
To accept or perform our insurance and other (financial) services, we need information about your health in certain cases. Sometimes we need information from your physician. If we need data from your physician, we will always ask for your prior consent. Health data are shared only with the medical service.
Health insurance
We do not need any health data from you to take out basic insurance. We do not use risk selection for acceptance, as basic insurance is subject to a statutory duty to accept. We use your personal data to check whether you are required to be insured for basic insurance. The government determines which cover is included in the basic insurance. If you apply for supplementary insurance with us, however, we may request health data from you to assess your application. For supplementary insurance, we are free to accept or not accept your application based on risk selection.
When taking out non-life or individual income insurance, we may ask you about your criminal record, or that of your co-insured person(s). We will then assess whether this criminal record will affect your application. Only your criminal record in the eight years preceding the application for insurance is relevant in this context. We do this to assess how high the risk is if we accept you as a customer.
We may receive your personal data in various ways.
Data we receive from you
In most cases, we get the data directly from you. When you:
Data we receive from a third party
We may also receive your data through a third party. For example, when:
Data we obtain from external sources
To assess your application or (claim) report, we collect and process personal data from external sources. The external sources can be public sources such as the vehicle registration register, Trade Register, Land Registry, Bureau Kredietregistratie (BKR) and credit reference agencies. Among other things, we do this to:
In addition, as administrator of pensions and health insurance, a.s.r. has access to the Basic Registration of Persons (BRP). And we receive monthly disability data from pension members via the UWV’s Disability Benefit Status (SUAG) product.
Purposes for the processing of personal data are:
To prevent money laundering and terrorist financing, we are required by law to know our customers and not to enter into relationships with individuals who could damage trust in the financial sector. Therefore, before entering into a customer relationship with you, we need to see if we can accept you as a customer. That means we can ask you to identify yourself and investigate if you have any assets, make an unusual repayment on your mortgage or if there is an unusual transaction on your account. In addition, we must report unusual transactions to the competent investigating authorities and regulators, such as FIU-the Netherlands. We also have to check whether you appear on national and international risk and sanctions lists. And during our customer relationship, we need to keep examining whether we can keep you as a customer.
We do this to:
Do you prefer not to receive personalised offers? Let us know (see also 11f and 16).
We also use your personal data to improve our products and services and tailor our product range to your needs and wishes.
We do this by combining and analysing personal data (or having it analysed) and using it for innovations. This is how we come up with new ideas that benefit you, your contact with us and your products or our services, and thus arrive at better solutions. This way, we can:
When we perform analyses, we use your data anonymised or pseudonymised as much as possible. This means the data is no longer directly traceable to you. And we take appropriate measures to secure your personal data. We also ensure that only a small group has access to the analyses.
We obtain the personal data we process in the context of detecting and combating fraud, abuse and improper use from you and from various (public) sources (see below under 4). We may also receive information from tip-offs or witnesses in this context. We may additionally gather information by, for example, carrying out or commissioning technical, tactical and personal investigations. In conducting these investigations, we may use research agencies.
Central Events Administration (Centrale Gebeurtenissenadministratie)
To monitor the security and integrity of a.s.r., we use a Central Events Administration. This database stores (personal) data in respect of certain events, which require our special attention. Data from the Central Events Administration can only be accessed by employees authorised to do so.
IVR
To monitor the safety and integrity of a.s.r., we use our own incident register (IVR). This database stores (personal) data in respect of certain incidents that require our special attention. Data from this incident register can only be accessed by employees authorised to do so.
If we process your personal data based on your consent, you can withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing prior to its withdrawal.
the processing is necessary for the performance of the agreement.
We need your data to enter into an insurance contract, but also if you are a beneficiary or the insured. We also need your personal data to pay compensation.
the processing is necessary to comply with a legal obligation. Financial companies are subject to various legal obligations. For example, we are required to carry out a customer due diligence pursuant to the Sanctions Act or the Prevention of Money Laundering and Financing of Terrorism Act. To do this, we need certain personal data.
the processing is necessary to pursue a legitimate interest.
We process your personal data, for example, to ensure the security and reliability of our business and the financial sector. We therefore want to prevent, investigate and combat (attempted) criminal or impermissible behaviour directed against the financial sector, our clients and a.s.r. itself and its employees. There is a legitimate interest for a.s.r. to take on only trustworthy customers. This legitimate interest also exists for processing your personal data in marketing activities.
In doing so, a.s.r. always carefully weighs up all interests to assess whether there is a legitimate interest: your interest, that of others and that of a.s.r. When assessing, we weigh whether there are other ways to achieve the same objective or whether we need less data.
We handle your personal data with care. We have taken technical and organisational measures to ensure an adequate level of protection and secure your personal data against loss or unlawful processing. We take great care to ensure optimal security of our systems in which personal data are processed. Consider, for example, measures to keep our websites and IT systems secure and prevent misuse. But also protection of physical spaces where personal data are stored. We monitor the security of our data traffic 24/7. We have an Information Security Policy and provide training for our employees on personal data protection.
We do not keep your personal data for longer than necessary. In some cases, the law prescribes how long we may or must keep data. In other cases, we determine how long we need your data based on legislation and regulations. We have drafted a comprehensive Data Retention Policy for this purpose.
Policy/customer files for example are stored for at least 7 years after the relationship with a.s.r. has ended. For more information on specific retention periods, please contact us.
We only provide personal data to third parties if this is permitted by law and necessary for the business operations of a.s.r.
Are you a customer of a.s.r.? If so, we may exchange your personal data with one of the other business units. We only exchange personal data within a.s.r. if we have a legitimate purpose for doing so. Such as:
Sometimes we are statutorily required to pass on certain personal data to the authorities. These include the Tax and Customs Administration, the Employee Insurance Agency (UWV), Sociale Verzekeringsbank (SVB), CAK, Ministry of Health, Welfare and Sport (Centrum Indicatiestelling Zorg (CIZ), Zorginstituut), Board of B&W, Police/Judicial authorities, the Chamber of Commerce for the purposes of the UBO register or supervisors such as De Nederlandsche Bank (DNB), the Netherlands Authority for the Financial Markets (AFM), the Personal Data Authority (AP), Dutch Healthcare Authority (NZa) and the Authority for Consumers & Markets (ACM).
When an advisor/intermediary or an authorised underwriting agent takes out a product with us for you or reports a claim to us, we exchange personal data with your intermediary. We will do this for as long as you have an agreement with us. Sometimes we need your permission to do so. Your intermediary is solely responsible for processing your personal data. If your employer has used an intermediary or advisor, we will also exchange personal data with them. For the purpose of activating your a.s.r. account, we may receive your email address from your advisor/intermediary.
As a (health) insurer, we sometimes exchange data to recover damage or costs that we have reimbursed, for example from your travel insurer if it also provides cover in addition to your basic or supplementary insurance, or from the liability insurer of another person, who caused the damage or costs. As a pension administrator, we also exchange data to perform a value transfer. Some major risks we do not want to or are unable to bear ourselves; these are therefore placed with reinsurers. The reinsurer requires data for its insurance.
We engage other companies to perform services for us that are related to our services. These include, for example, a debt collection agency, a firm of loss adjusters, a notary, a recovery agency, a reintegration agency, an occupational health and safety service or an on-call service for death notifications. We may also share your personal data with your lawyer or fiduciary, accountant, curator and administrator. We also share your data with the Emergency Centre as the executor of (breakdown) assistance. If you have taken out legal aid insurance with a.s.r., we share your details with DAS as the executor of legal aid.
a.s.r. also provides personal data to the Dutch Association of Insurers. The Dutch Association of Insurers supports a.s.r. and the industry for the purpose of statistical research in risk and claims management. Survey results are always aggregated and not targeted at you.
Outsourcing
We may outsource the processing of personal data to third parties for maintenance and support functions, e.g. (IT) service providers. These (IT) service providers are in most cases considered processors, because they do not have independent control over the personal data, which a.s.r. makes available to the IT provider in the context of the provision of services. a.s.r. remains responsible for the careful processing of your personal data in these situations.
In connection with a.s.r.’s business operations, as explained under 5.e., we may share personal data with third parties. These may include parties that are themselves involved in the operations, such as (potential) buyers of assets, a counterparty in legal proceedings or financiers in a business transaction. But it may also include professional advisors to those parties or, for example, a bailiff, if it is necessary for the business transaction or business operations.
For a responsible underwriting and risk policy and to detect or prevent fraud, we record your personal data in and consult the Central Information System of the Foundation Central Information System (Stichting CIS). In this register, we record, for example, your claims. In doing so, we adhere to the rules of the CIS User Protocol and the Insurers and Crime Protocol and the Protocol on the Warning System for Financial Institutions (PIFI). With insurers affiliated to the Foundation Central Information System, we can, under strict conditions, exchange information. We consult this register in the acceptance process and in the event of a claim notification. You can find more information on this and on the Foundation Central Information System privacy regulations on the Foundation Central Information System website.
Your data are mostly processed within the European Economic Area (EEA). If we share data with parties based in a country outside the EEA or if personal data are processed outside the EEA, we will ensure that the protection of your personal data remains sufficiently safeguarded. We then use, for example, the Standard Contractual Clauses (European model contract provisions). We make clear agreements with parties so that processing takes place in accordance with European legislation.
Special personal data
When you participate in the a.s.r. Vitality programme, we process your data. We do this to help you get a healthier lifestyle. For this, we also use health data. Among other things, we process these data when paying out rewards, when you link a tracker to our app, when you have an a.s.r. Vitality Health Check and when you complete one of the questionnaires. This includes the following data: (sports) activities, lifestyle habits, eating habits, blood pressure, heart rate, cholesterol, BMI & waist circumference, your Vitality status and whether or not you smoke and/or used to smoke.
Sharing personal data within a.s.r.
Vitality may exchange your personal data with one of the other entities of a.s.r. to establish whether you have insurance. This is a condition for being a member of a.s.r. Vitality. Your Vitality status is shared with other entities only when necessary for the payment of the insurance cashback. The special personal data which a.s.r. Vitality possesses are not shared with other entities. These data are thus never used for the acceptance of an insurance application, the determination of the amount of the insurance premium or access to care or the assessment of a claim.
Sharing data with third parties
When you link an app (such as Apple Health or Samsung Health) or an activity tracker (such as an Apple Watch or a Fitbit) to the a.s.r. Vitality app we receive information about your (sports) activities. We use these data to award points for your performance.
Using an app or activity tracker is your own responsibility. This privacy statement does not apply to how these apps or activity trackers handle the data provided by you. Please note that many suppliers of these apps or activity trackers are based outside the European Union and store data outside the European Union. As a result, other privacy legislation than the GDPR may apply. We encourage you to consult the privacy statement of these suppliers for more information on how they process your data and the rights you have.
Profiling
Based on your app usage, registered activities, rewards claimed, status, age, gender and public or purchased data, we create a user profile. This includes whether you have completed a questionnaire or a health check. In doing so, we only look at whether you filled it out and therefore not at the answers or the outcome. We use your user profile to better help you take more exercise, or continue to exercise, offering a personalised experience. For example, based on your profile, you can get different notifications, rewards in a different order or see these specially highlighted, or get specific events highlighted. The user profile does not affect which rewards you are entitled to, or how many points you get for activities or questionnaires. Your profile will not be shared with others, neither with the other entities within a.s.r., nor with external parties. Your rights as mentioned in section 11 also apply to the user profile at Vitality.
You have a number of rights related to your personal data. You can request to exercise these rights at privacy@asr.nl. We will respond to your request within one month. If we need more time to process your request, we will let you know within one month and tell you why we need more time. To process a request, we ask verification questions to identify you. We do this to prevent your data from ending up with someone else.
You have the right to ask us what personal data we process about you and to have incorrect data changed. Also check your a.s.r. account, where you can see most of your data directly.
In some cases and under certain conditions, you have the right to have the personal data we hold about you deleted. This may be the case if:
The right to be forgotten is not an absolute right. We may decide not to comply with your request and not remove your data if your request is not based on one of the above grounds, or (i) in order to exercise the right to freedom of speech and information; (ii) to satisfy a statutory obligation; or (iii) to institute, exercise or substantiate a claim.
If we do not honour your request to have your personal data deleted, we will inform you about the reasons why we are unable to comply with your request.
If you believe we are processing your personal data unlawfully, you can request a restriction of the processing. This means that the data will not be processed by us for a certain period of time.
You have the right to obtain a copy of the personal data you have provided to us for the performance of a contract you have concluded with us or based on your consent. This concerns only personal data we have received from you and not data received from third parties. The purpose of this right is to allow you to easily transfer these data to another party.
You may at any time object to the processing of your personal data that takes place on the basis of our justified interest or the justified interest of a third party. In this case, we will no longer process your data, unless there are compelling legitimate grounds for the processing which outweigh your interest or relate to the instituting, exercising or substantiating of a legal claim.
You have the right to unsubscribe from newsletters or personalised offers through various channels (e.g. email, telephone and post) about our insurances and other (financial) services. In commercial offers we always point to the possibility to unsubscribe. Our staff may call you for commercial purposes. If we call you, you can indicate during the call that you do not want to be called again. You can also contact us yourself and let us know you don’t want to be called anymore. When we create profiles (see above under 13) to make personalised offers for products and services that match your personal preferences and interests, you can object to the use of your data for this purpose at any time.
This privacy statement applies to the data we receive from you via these platforms. The use of social media is your own responsibility. This privacy statement does not apply to the way in which social media platforms deal with the personal data provided by you. Please note that many social media platforms are established outside the European Union and store data outside the European Union. The European Union’s privacy legislation usually doesn’t apply in that case. We advise you to consult the privacy statement of these social media channels for more information about the way in which they process your personal data.
Profiling
We create profiles of our customers based on the data we have obtained from you and sometimes supplemented by information collected from public sources. We use such profiles to analyse data in order to manage risks, make connections and obtain insight into (future) actions and preferences, among other things. We create these profiles to improve and further tailor our services and the range of products and services we offer to you. For example, by using these data to estimate the premium or to send customers targeted advertisements/information. But also to combat fraud and prevent money laundering and terrorist financing.
We use AI to (develop and improve) our processes and services. When developing or deploying AI, we may use personal data. Consider, for example:
This means, among other things, that processing of personal data must comply with the requirements of the GDPR. When using personal data in AI, we work in compliance with the General Data Protection Regulation (GDPR), the GDPR Implementation Act (UAVG), the AI Regulation and the Dutch Code of Conduct for the Processing of Personal Data by Insurers (Gedragscode Verwerking Persoonsgegevens Verzekeraars). To this end, we conduct a data protection impact assessment (a DPIA) prior to the procurement, development and/or commissioning of an AI system where necessary. We opt for an AI system that processes as little potentially sensitive data or personal data as possible (data minimisation) and/or where there is the possibility to increase privacy through, for example, encryption, pseudonymisation/anonymisation or aggregation. We ensure the thorough protection of (training) data against corruption, contamination or hacking.
Privacy legislation is not static. We may therefore update this privacy statement to remain up to date. We may also amend our privacy statement if there are changes in the way we handle your data. We therefore recommend that you regularly check this privacy statement when visiting any of our websites. If there is a material change to this privacy statement, we will provide you with a clear notification (e.g. on our website).
Do you have a question about this Privacy Statement? If so, please send an email to privacy.office@asr.nl
You can contact the Data Protection Officer by sending an email to anl.compliance.fg@asr.nl. Or a letter to:
a.s.r.
T.a.v. de Functionaris Gegevensbescherming
Postbus 2072
3500 HB Utrecht
If you have a complaint about the use of your personal data, you can report this to us via the complaint form on our website https://www.asr.nl/over-asr/klacht. Or contact us at https://www.asr.nl/contact.
If you have an Aegon product, you can use the complaint form on the Aegon website.
You can also file a complaint with the Dutch Data Protection Authority. In the Netherlands, this is the independent authority set up to monitor compliance with the General Data Protection Regulation. Website: https://www.autoriteitpersoonsgegevens. Phone: +31 (0) 70 888 85 00
The privacy statement was last updated on 2 January 2025.