1. Controller

We, Delvag Versicherungs-AG, Venloer Straße 151-153, 50672 Cologne (hereinafter also referred to as "Delvag", "we", "us"), a Lufthansa Group company, take the protection of your private data seriously and want you to feel comfortable when visiting our website. The protection of your privacy when processing personal data is an important concern for us, which we take into account in our business processes.

We process personal data that is collected when you visit our website strictly in accordance with the provisions of the European General Data Protection Regulation (GDPR) and other relevant data protection regulations. Our data protection policy is also based on the data protection guidelines applicable to the Lufthansa Group.

Below we inform you about the processing of your personal data in the context of the use of our website www.delvag.de („Webseite“).

If you have any further questions about data protection in connection with our website or the services offered on it, you are welcome to contact us by e-mail at datenschutz@delvag.de. You can also contact our Group Data Protection Officer:

Lufthansa Group Privacy - Representative
Deutsche Lufthansa AG
Airportring
60546 Frankfurt/Main  

2. Scope, purpose and legal basis of the processing of personal data

In the following situations, we collect and use personal data directly from our users or from other sources (as shown below):

2.1. Provision of the website and creation of log files

When users visit our website, our system automatically collects data and information from the computer system of the accessing computer each time our website is accessed. The following data ("technical information") is collected:

• Information on the browser type and version used
• the user's operating system
• the user's Internet service provider
• the user's IP address
• Date and time of access
• Websites from which the user's system accesses our website
• Websites accessed by the user's system via our website

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

We collect and use this technical information for the purposes of (network) security (e.g. to combat cyber attacks), marketing and to better understand the requirements of our users, as well as to continuously improve our website and enable the respective user to deliver the website to their computer.

Data is stored in log files to ensure the functionality of the website. We also use the data to optimise the website and to ensure the security of our information technology systems. The data is not analysed for marketing purposes in this context.

The legal basis for the temporary storage of data and log files is Art. 6 (1) (f) GDPR.
 

2.2. Use of cookies

In order to make our website as user-friendly as possible, we use so-called cookies.
Cookies are small files. When you visit our website or application (hereinafter "platform"), these files are downloaded to the browser directory or hard drive of your computer, tablet or smartphone (hereinafter "device"). Each time you visit our Platform, cookies and the Platform communicate with each other and recognise your device in this way. This is useful for both you and us. For example, a cookie can be used to save your text entries in form fields on the website so that you do not have to enter the same information again the next time you visit the website. This improves the user-friendliness of our platforms. The cookies are managed by us using a small programme called a tool or tag.

We use first-party and third-party cookies. First-party cookies come from our platform and only send information to us; third-party cookies are placed on our website by third parties and send information about your device to other companies that recognise that cookie. In most cases, the information in a cookie is pseudonymised or anonymised because cookies generally do not identify you as a person, but your device. In a few cases, certain cookies may be linked to personal data. We will only process such information if you have given us your consent or if the processing is necessary for you to be able to use a particular service.
You can find more information about cookies at  
www.youronlinechoices.eu

The legal basis for the processing of personal data using cookies is Art. 6 (1) (f) GDPR. 

2.3. Consent management service

The legal basis for the use of the consent management service of Usercentrics GmbH is the fulfilment of legal obligations in accordance with Art. 6 (1) (c) GDPR.

2.4. Web analysis

Some of the data collected when you visit this website is used for statistical analysis. We analyse visits to our website with the aim of understanding the needs of our customers and continuously improving the online platform on this basis. For this purpose, we store the IP address of your Internet service provider, the website from which you visit us, the websites you visit, your browser type, your operating system and the date and duration of your visit. The IP address is not linked to a specific person. Only anonymous, aggregated data is analysed for statistical purposes as part of the web analysis. We use the Matomo software for the analysis.
Matomo is an open source software used for website optimisation. This software runs exclusively on our own servers.  Users' personal data is only stored there. The data is not passed on to third parties. The data is deleted as soon as it is no longer required for our recording purposes. 

If you do not agree to the completely anonymised storage and analysis of the data measured by Matomo, you can object to the storage and use at any time. In this case, a so-called opt-out cookie is stored in your browser, which means that Matomo no longer collects session data.

2.5. Social media plugins

Plugins from social media are used on our pages:  

• XING  
• LinkedIn  

You can usually recognise the plugins by the respective social media logos. We use the so-called "two-click solution" on our website.
With the "two-click solution", your data will only be transmitted to the corresponding social media network company after initial activation (consent) of the respective plug-in button, Art. 6 (1) (a) GDPR.
The basic provision of the plug-ins on our website is based on our legitimate interest for marketing purposes, Art. 6 (1) (f) GDPR.

The plug-in provider stores the data collected about you as usage profiles and uses these for the purposes of advertising, market research and/or customising its website. Such an evaluation is carried out in particular (even for users who are not logged in) to display customised advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective plug-in provider to exercise this right. We offer you the opportunity to interact with the social networks and other users via the plug-ins so that we can improve our offering and make it more interesting for you as a user.
Data is passed on regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in with the plug-in provider, your data collected by us will be assigned directly to your existing account with the plug-in provider. If you press the activated button and, for example, link the page, the plug-in provider also saves this information in your user account and shares it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this way you can avoid being assigned to your profile with the plug-in provider.
Further information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the data protection declarations of these providers provided below. There you will also find further information on your rights in this regard and setting options to protect your privacy.
Addresses of the respective plug-in providers and URL with their data protection notices:
Privacy at XING
LinkedIn Privacy Policy

2.5.1. XING

Xing plugins are operated by New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany ("Xing"). Information on data protection at Xing can be found here: https://privacy.xing.com/de/datenschutzerklaerung.   

If you have not given your consent as part of the Consent Manager, you have the option of giving it later as part of the so-called "2-click procedure". If you call up a page in which Xing is embedded, a connection to the Xing servers will only be established when you click on the "Confirm" button. In this case, Xing will set cookies and use your visit data for its own purposes. If you are logged in to Xing at this time, the information about the videos you have viewed will be assigned to your Xing member account. You can prevent this by logging out of your member account before visiting our website.

2.5.2. LinkedIn

LinkedIn plugins are operated by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland. Information on data protection at LinkedIn can be found here: 
LinkedIn Privacy Policy

If you have not given your consent as part of the Consent Manager, you have the option of giving it later as part of the so-called "2-click procedure". If you visit a page in which LinkedIn is embedded, a connection to the LinkedIn servers will only be established when you click on the "Confirm" button. In this case, LinkedIn will set cookies and use your visit data for its own purposes. If you are logged in to LinkedIn at this time, the information about the videos you have viewed will be assigned to your LinkedIn member account. You can prevent this by logging out of your member account before visiting our website.
There is a risk that your data will be processed in and transferred to the USA, i.e. a third country outside the European Union (EU) or the European Economic Area (EEA). There is no adequacy decision by the EU Commission for this country, which guarantees that a level of data protection corresponding to the European standard exists there. According to the European Court of Justice (ECJ), there is a particular risk that data may be processed unnoticed by US authorities for surveillance purposes. The legal basis for the processing of your data is your consent in accordance with Article 49 (1) sentence 1 lit. a) GDPR. This can be revoked at any time with effect for the future.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. You can revoke your consent at any time with effect for the future by accessing the cookie settings here and changing your selection there.

2.6. Use of the services offered on our website

We offer a variety of different services on our website. In order to provide these services, we need to collect and process personal data of the user or our customer.

2.7. Contact form

By filling out the contact form on our website, you provide us with your personal data. This information includes, for example, name, contact details such as e-mail address, telephone number and your personal wishes. We use this personal data to process your enquiry and/or to provide the requested services or information. Data processing for the purpose of contacting us is carried out in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR on the basis of your voluntarily given consent.

2.8. Our legitimate interest in processing personal data

In the event that Art. 6 para. 1 lit. f GDPR is the legal basis for the processing, our legitimate interests are in addition to the purposes listed above:

• The protection of the company from material or immaterial damage
• Professionalisation (of our products and services)
• Cost optimisation (control and minimisation)

2.9. Further legal processing obligations

If we are legally obliged to do so, we process personal data, e.g. to comply with retention obligations under commercial or tax law or to fulfil security requirements (e.g. Section 7 of the Aviation Security Act [LuftSiG]). Further information on retention periods can be found under "Duration of data processing". 

2.10. Obligation to provide personal data

For legally prescribed or contractual requirements, we have marked the respective input fields in the input masks on our website, which you must fill in so that we can provide the contract or service you require.

2.11. Statistical analysis

It cannot be ruled out that your data will be analysed in a data warehouse to evaluate the preferences of our members ("statistical analysis") for the purposes of interest-based marketing, individual targeting and the continuous optimisation of our business processes. We carry out this processing in order to gain a better understanding of what our customers expect from us and to be able to offer them personalised communication. In addition, these analyses help us to detect fraud, audit and ensure security, which is why we carry out this processing to protect our legitimate interests, Art. 6 (1) (f) GDPR.

3. Duration of data processing

Your personal data will be deleted as soon as it is no longer required for the purposes mentioned.
We store personal data for as long as we are legally obliged to do so. Corresponding proof and retention obligations arise, among other things, from the German Commercial Code, the German Fiscal Code and the German Money Laundering Act. The storage periods are up to ten years.
In justified individual cases, personal data may be stored for the period in which claims could be asserted against us (statutory limitation period of three to a maximum of thirty years). 

4. Data security

4.1. SSL - Secure Socket Layer Method

We use Secure Socket Layer (SSL) encryption technology to ensure that your data is transmitted as securely as possible between your web browser and our Internet system. SSL enables encrypted communication or document transmission over the Internet between web browsers and web servers. The URL of a website with an SSL connection to your browser begins with https://.
If your current browser is not SSL-capable, you can download the latest version of the two most popular web browsers.

4.2. Use of Google reCAPTCHA

To protect your orders via the contact form, we use the reCAPTCHA service provided by Google Inc (Google). The query serves to differentiate whether the input is made by a human or abusively by automated, machine processing. The query includes sending the IP address and any other data required by Google for the reCAPTCHA service to Google. For this purpose, your input is transmitted to Google and used there. By using reCAPTCHA, you consent to the recognition you have provided being included in the digitisation of old works. However, if IP anonymisation is activated on this website, your IP address will be shortened by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. Google will use this information on behalf of the operator of this website to analyse your use of this service. The IP address transmitted by your browser as part of reCAPTCHA will not be merged with other Google data. The deviating data protection provisions of Google apply to this data.
Further information on Google's privacy policy can be found at:  
Privacy Policy – Google

5. Right to object pursuant to Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
We will then no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.  

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You have the option of exercising your right to object in connection with the use of information society services - notwithstanding Directive 2002/58/EC - by means of automated procedures using technical specifications.

6. Disclosure of personal date to third parties

In order to provide you with our products and services, based on our contractual obligations or in accordance with our legitimate interests, we may need to share your personal data with third parties within or outside the Delvag Group. These recipients can be categorised as follows:

• Reinsurers
• Intermediaries
• External service providers
• External processors (service providers according to Art. 28 GDPR)
• Cooperating insurers
• Government bodies and authorities (including the Federal Financial Supervisory Authority).

Personal data may be transferred to third countries or international organisations. For your protection and the protection of your personal data, suitable guarantees are provided for such data transfers in accordance with and in compliance with the legal requirements (in particular the application of EU standard contractual clauses) or there is an adequacy decision issued by the EU Commission (Art. 45 GDPR).

Information on EU standard contractual clauses can be found here.

The EU Commission provides the relevant information on its adequacy decisions under this link.

You can also request a copy of the security measures used at datenschutz@delvag.de.

Furthermore, we are legally obliged to make personal data available to German and international authorities. The legal basis for processing in this case is Art. 6 para. 1 lit. c GDPR in conjunction with local and international regulations and agreements. 

7. Rights of the data subject

It is important to Delvag that our processing procedures are fair and transparent. It is therefore important to us that data subjects can exercise the following rights in addition to the right to object if the respective legal requirements are met:

• Right of access, Art. 15 GDPR
• Right to rectification, Art. 16 GDPR
• Right to erasure ("right to be forgotten"), Art. 17 GDPR
• Right to restriction of processing, Art. 18 GDPR
• Right to data portability, Art. 20 GDPR
• Right to withdraw your consent, Art. 13 (2) (c) GDPR

To exercise your rights, you can contact us by email at datenschutz@delvag.de In order to be able to process your enquiry and for identification purposes, we would like to point out that we will process your personal data in accordance with Art. 6 (1) (c) GDPR.

You have the option of lodging a complaint with us, datenschutz@delvag.de, the aforementioned Group Data Protection Officer or a data protection supervisory authority. You are free to choose a supervisory authority and are not bound by any criteria. The supervisory authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44, 40102 Düsseldorf
Telefon: +49 (0)211/38424-0
E-Mail: poststelle@ldi.nrw.de

8. Consent

If you have given us your consent to process your personal data, we hereby inform you that you can revoke this consent informally at any time.

If you wish to exercise your right of cancellation, simply send an email to: datenschutz@delvag.de

Please note that the consent you have withdrawn will only have effect for the future and will not affect the lawfulness of processing in the past. In some cases, despite your revocation, we are entitled to continue processing your personal data on another legal basis, e.g. for the fulfilment of a contract.

9. Disclaimer and limitations of these data protection notice

This data protection notice only covers processing on the website www.delvag.de.

Our website contains so-called hyperlinks to websites of other providers or co-operation partners. When you activate these hyperlinks, you will be redirected from our website directly to the website of the other provider. When the links were first created, we checked the third-party content to determine whether it might give rise to civil or criminal liability. However, we do not constantly check the content in question for changes that could give rise to new liability. If we determine or are informed by third parties that third-party content to which we link on our website triggers civil or criminal liability, we will immediately remove the reference or link to it. Accordingly, other websites are not covered by this data protection notice. Their own specific data protection notices apply here.

10. Data protection information - Information on the use of your data

You can find our data protection information here.

11. Actuality

We regularly update this data protection notice as required.