Data protection guidelines according to the EU General Data Protection Regulation for affected persons regarding the notification obligation according to the Common Reporting Standard and the Foreign Account Tax Compliance Act

Status: August 2018

With the following information, we are providing you with an overview according to Article 13 Par. 1 of the EU General Data Protection Regulation (GDPR) of the processing of your personal data as part of the notification obligation according to the Common Reporting Standard (CRS), the Foreign Tax Compliance Act (FATCA), as well as your data protection rights in relation to this.

Who is responsible for the data processing and who can I contact

The responsible authority according to Article 4 No. 7 GDPR is:

Skandia Lebensversicherung AG (a company of the Viridium Group)
Dornhofstraße 36
63263 Neu-Isenburg

You can contact our data protection officer at:

Skandia Lebensversicherung AG
Data Protection Officer
Dornhofstraße 36
63263 Neu-Isenburg

E-mail address: datenschutz@viridium-gruppe.com

Why we process your data (processing purpose) and on what legal basis

We process the aforementioned personal data in accordance with the specifications of the EU General Data Protection Regulation (GDPR) and Federal Data Protection Law (BDSG) on the basis of legal directives (Article 6 Par. 1 Clause c GDPR).

The transmission of your personal data to the Federal Central Tax Office (BZSt) is on the legal basis of § 3 Par. 2 Finance Account Information Exchange Law (FKAustG) and § 117c Revenue Code (AO) in connection with Article 6 Par. 1 Clause c GDPR.

What data do we process

We process personal data that we receive from our customers as part of our contractual relationship.

Due to legal regulations, we are obliged to transmit the following personal data to the Federal Central Tax Office:

• personal details (name, address, date and place of birth)
• Contract number(s)
• Proceeds and/or contract values
• Established tax residence
• foreign tax identification number if applicable

The data to be transmitted by us to the Federal Central Tax Office are partially already stored in our systems.  If we do not yet have certain information subject to a notification obligation, e.g. your foreign tax number (if applicable also a US tax number according to FATCA), we will request this from you.

Do I have an obligation to provide data

As part of our contractual relationship, you must provide the personal data that is necessary for carrying out a contractual relationship and fulfilling the associated legal obligations.

Who receives my data

Owing to the legal notification obligation, we transmit your aforementioned information to the BZSt (Federal Central Tax Office).

Is data transmitted to a third country or to an international organisation

As part of the notification obligation according to CRS and FATCA, there is no data transmission by Skandia Lebensversicherung AG to countries outside of the European Union or the European Economic Area (so-called third countries).  The Federal Central Tax Office (BZSt) forwards the aforementioned data to the respective tax authority of the countries that have joined the CRS or FATCA convention as part of international data exchange on tax matters.  This may also be a third country in given conditions.

How long is my data stored for

We process and store your personal data for as long as is required for the fulfilment of our contractual and legal duties.

If the data is no longer required for the fulfilment of contractual or legal obligations, it is regularly deleted, unless their - temporary - further processing is required to fulfil commercial or tax law storage periods: these include the Commercial Code, Revenue Code, Insurance Supervision Law, Public Companies Act and the law about tracing gains from severe offences (money laundering law). The periods specified there regarding storage and documentation range from two to ten years.

What data protection rights do I have

Each affected person has the right to information according to Article 15 GDPR, the right to correction according to Article 16 GDPR, the right to deletion according to Article 17 GDPR, the right to restriction of the processing according to Article 18 GDPR, the right to objection according to Article 21 GDPR, as well as the right to data portability according to Article 20 GDPR.  The restrictions according to §§ 34 and 35 BDSG (Federal Data Protection Law) apply to the right to information and the right to deletion.

Right to complain

You have the right to complain to the aforementioned data protection officer or a data protection supervisory authority.

The responsible data protection authority in our case is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1 
65189 Wiesbaden 

Telefon: +49 611 1408 0
E-Mail: poststelle@datenschutz.hessen.de 
Internet: www.datenschutz.hessen.de  

To what extent is there automated decision-making (including profiling)

For notification according to CRS and FATCA to BZSt, no fully automated decision-making is required in accordance with Article 22 GDPR.  We do not carry out profiling.