Data protection

CareMed International Insurance

Protection of privacy and safety of personal data

The protection and safety of your personal data is our particular concern as well as our obligation. As a company and insurance agent, we always take care to handle personal data carefully and in compliance with data protection regulations.

Our applications are in line with the European General Data Protection Regulation (GDPR) as well as further specific regulations for data protection on the internet.

All our employees are obliged to adhere to the Data Protection Act.

 

Scope of application

This privacy policy is designed to inform users about the type, scope and purpose of the collection and use of general and specific personal data on this website by the responsible insurance broker, CareMed GmbH, Budapester Str. 4, 53111 Bonn, Germany, hereinafter referred to as ‘Provider’.

The legal basis for data protection is the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) as revised in 2018.

Access data/server log files

The Provider collects data subject to the consent of the website visitor.

Access data include:
Name of the website accessed, file, date and time of access, volume of data transferred, notification of successful access, browser type including version, user operating system, referrer URL, IP address and requesting provider.

The Provider uses the recorded data only for statistical evaluations for the purposes of the operation, security and optimisation of the website. These data are collected anonymously and cannot therefore be linked to a specific person. However, the Provider reserves the right to retrospectively review recorded data if it has concrete evidence to justify a suspicion of unlawful use. The server log files are deleted after 10 days at the latest.

Handling personal data

Personal data are information that can be used to identify a person, i.e. information that can be traced back to a person. These include names, e-mail addresses, telephone numbers and postal addresses.

Personal data are collected, stored and used by CareMed and shared with insurers, reinsurers, claims offices and assistance only if to do so is legally permissible and required to process a claim, or if the user has consented to the collection of the data.

Collection of general/specific personal data in the context of an online enquiry

CareMed allows interested parties to enquire directly about insurance policies offered by CareMed via CareMed’s website and to take out insurance in exchange for a fee. Personal information about the interested party and, where applicable, their parents/guardians, is required and collected in the course of the online enquiry so that CareMed may prepare a suitable quote. In particular, contact details (name, address, e-mail address, date of birth, home country, travel destination) are collected. After the insurance expires, a customer’s contact details can still be used for e-mails. If the interested party does not wish to be contacted and withdraws their consent to the further use of their data, these contact details will be deleted at the request of the interested party.

CareMed also requires specific personal data within the meaning of Article 9 (1) GDPR to broker insurance if follow-up insurance is taken out or an insurance application made after 31 days of leaving the home country. In particular, CareMed collects information about the health of the interested party (pre-existing medical conditions). These data are required only to review a potential insurance policy in accordance with the policy conditions. The collection of data thus also serves to protect the applicant by guaranteeing any special arrangements that may be required in the event that the insurer needs to process a claim.

In the written insurance application, CareMed additionally obtains express consent in accordance with Article 9(2) (a) GDPR to allow it to process these data. This declaration of consent must be signed by the applicant and the parents/guardians. Specific personal data are deleted by CareMed after a retention period of 10 years in accordance with Section 257 of the German Commercial Code (Handelsgesetzbuch, HGB), Section 147 of the German Tax Code (Abgabenordnung, AO) and Note 5.2 of the Income Tax Notes (Einkommensteuerhinweise, EstH).

The data collected through the application form are stored in CareMed’s internal customer database. The data are shared with insurers, reinsurers, claims offices and assistance only to the extent that to do so serves the purpose of brokering insurance.

When sharing data with third parties, CareMed makes every effort to ensure that the data transmission is secure.

The following applies in addition to collaborations with insurers:

To guarantee the quality of our brokerage services, regular audits are carried out internally and by external data protection officers and actuaries engaged by our insurance partners.

Collection of personal data outside online enquiries

Establishing contact

If a user establishes contact with the Provider (for example, through the contact form, by e-mail or in person in the context of events such as trade fairs, workshops and conferences), the user’s information will be stored for the purpose of processing the request and in the event of any follow-up questions. This information is not shared with third parties.

Sending e-mails

E-mails sent by CareMed are secured using TLS encryption. Please note that encryption works only if both parties use an encryption method. Only then will it be possible to completely secure data against third party access.

Newsletters

We use newsletters to inform you about us and our offers. If you want to receive our newsletters, we need a valid e-mail address and information that allows us to verify that you are the owner of the e-mail address given, or that the owner consents to receiving the newsletter. No other data are collected. These data are used only for the sending of newsletters and are not shared with third parties. If you subscribe to the newsletter, we will store the data entered by you and the date of subscription. These data are stored only as evidence in the event that a third party should misuse an e-mail address and subscribe to the newsletter without the knowledge of the entitled party.

You can withdraw your consent at any time to the storage of the data and your e-mail address and their use by us to send newsletters. You can do so by clicking on the link in the newsletter itself or by sending a message to the e-mail address below.

Webinars/tutorials

If you want to take part in our webinars/tutorials, we need your title, first name, surname, a valid e-mail address, the required programme and planned destination country as well as information that allows us to verify that you are the owner of the e-mail address given, or that the owner consents to being invited to register and take part in the webinar. No other data are collected. These data are used only to send an invitation to the webinar/tutorial and are not shared with third parties. If you subscribe to a webinar, we will store the data entered by you and the date of subscription. These data are stored only as evidence in the event that a third party should misuse an e-mail address and register for the webinar/tutorial without the knowledge of the party entitled to receive the invitation.

You can withdraw your consent at any time to the storage of the data, your e-mail address, the programme and their use by us to send an invitation to participate in the webinar/tutorial. You can do so by clicking on the deregister link or by sending a message to the e-mail address below.

Feedback function

If you want to leave feedback on the CareMed website, we need a valid e-mail address, name and information that allows us to verify that you are the owner of the e-mail address given and confirm your submission of the feedback.

Your feedback will be anonymised and published online using your initials and home country only if consent has been given.

Cookies

Cookies are small files that allow specific, device-related information to be stored on the user’s accessing device (PC, smartphone or similar). They are used to make the website easy to use and therefore to benefit the user (e.g. by saving log-in details). They are also used to collect statistical data about website use and to analyse this for the purpose of improving the website. The user can influence the use of cookies. Most browsers have an option to restrict or completely block the storage of cookies. However, please note that your use and, especially, ease of use of the website will be limited without cookies. You can manage a range of company online advertising cookies via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/uk/your-ad-choices/.

Data protection statement for the use of social media

Facebook

Our website uses social plugins from Facebook, such as the ‘Like’ button or the ‘Like’ box. When you access a CareMed page, your browser creates a direct link to Facebook servers. Plugin content is sent directly to your browser by Facebook and integrated in the website by Facebook. Integrated plugins notify Facebook that you have accessed the corresponding page on our website. If you are signed into Facebook, it can connect your visit with your Facebook account. If you interact with plugins, e.g. by clicking on the ‘Like’ button, the corresponding information is sent directly to Facebook by your browser and stored there. For the purpose and scope of data collection and further processing and use of the data by Facebook as well as your rights and settings options for the protection of your privacy, please refer to Facebook’s data privacy policy: https://www.facebook.com/policy.php.  If you don’t want Facebook to collect data about you through our website, you must sign out of Facebook before you visit our site.

Google +

Our site uses Google+ functions. The provider is Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.

Collecting and sharing information: You can publish information around the world by using the Google+ button. The Google+ button provides you and other users with personalised content from Google and our partners. Google saves both the +1 content information and information about the page viewed when you click on +1.  Please note that your uses of +1 can be shown with your profile name and photo in Google services, such as search results or in your Google profile, or in other places on the website and in adverts on the Internet.

Google records information about your +1 activities to improve its services for you and others. To be able to use the Google+ button, you first need a public Google profile that is visible worldwide and must at least contain the selected profile name. This name is used for all Google services. In some cases, this name can also replace a different name that you have previously used when sharing content through your Google account. The identity of your Google profile can be shown to users who know your e-mail address or have access to other information that can be used to identify you.

The use of the information collected: In addition to the intended uses outlined above, information provided by you in accordance with the applicable Google privacy policy is also used. Google may publish summarised statistics about users’ +1 activity or share this with users and partners, such as publishers, advertisers or affiliated websites.
https://developers.google.com/+/web/buttons-policy

Instagram

Plugins for the social network Instagram are used on our website. The Instagram plugin can be recognised by the Instagram button on our homepage. If you click on the Instagram button while logged into your Instagram account, content from our pages can be linked to your Instagram profile. This means that Instagram can link your visit to our website with your user account. If you don’t want Instagram to collect data about you through our website, you must log out of this network before you visit our site. We would expressly draw your attention to the fact that, as the operator of this website, we don’t know which data are sent or how they are used by Instagram. You can find more information about Instagram’s privacy policy here: http://instagram.com/about/legal/privacy/.

Twitter

Functions of the Twitter service are integrated into our site. These functions are provided by Twitter, Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA. When you use Twitter and the retweet function, the website visited by you is linked to your Twitter account and shown to other users. Data are also sent to Twitter when you do so.

Please note that, as the operator of this website, we don’t know which data are sent or how they are used by Twitter. You can find more information about this in Twitter’s privacy policy at http://twitter.com/privacy.

You can change your Twitter privacy settings in the account settings at http://twitter.com/account/settings.

YouTube

This website uses plugins from Youtube.de/Youtube.com, which is operated by Google Inc. via Youtube, LLC, Cherry Ave., USA. If you access pages on our website that contain plugins, a connection is made with the YouTube servers and the plugin will be displayed on the website via a message sent to your browser. Information is sent to the YouTube servers detailing which of our web pages you have visited. If you are logged in as a member at YouTube, YouTube will link this information to the relevant personal user accounts on this platform. When using this plugin, e.g. by clicking on/starting a video or by posting a comment, this information will be linked, for instance, to your YouTube user account, and you can prevent this from happening only by logging out before you use the plugin. You can find information about the collection and use of data by the platform or the plugin in the privacy guidelines: www.youtube.com, privacy guidelines for YouTube, a Google company, via the menu on the left hand side.

The use of Matomo

We collect and store data on this website using the Matomo web analysis service software (www.matomo.org), a service provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, (‘Matomo’), based on our legitimate interests in the statistical analysis of user behaviour for optimisation and marketing purposes in accordance with Article 6 (1) (f) GDPR. These data can be used to create and evaluate pseudonymised user profiles for the same purposes. Cookies can be used for this purpose.
The information generated by the cookie in the pseudonymised user profile will not be used to personally identify users of this website or combined with personal data concerning the owner of this pseudonym.
If you are not happy with the storage and evaluation by us of these data from your visit, you can object to this storage and use at any time with just a click of the mouse. In this case, an opt-out cookie will be stored in your browser, preventing the collection by Matomo of any session data. Please note that deleting all cookies will also result in the deletion of the opt-out cookie, which will then have to be re-activated if required.

Matomo: https://matomo.org/privacy-policy/

Payment methods for online payments

CareMed is PCI-DSS-compliant and certified; PCI conformity is regularly audited.

Payments via PayPal:

https://www.paypal.com/uk/webapps/mpp/ua/privacy-prev

All other payments are made via PayOne. Please read PayOne’s privacy policy as well as the privacy policies of the credit card providers accepted by CareMed:

PayOne: https://www.payone.com/en/privacy/

American Express: https://www.americanexpress.com/mn/en/network/content/privacy-policy.html

Mastercard: https://www.mastercard.co.uk/en-gb/about-mastercard/what-we-do/privacy.html

Visa: https://www.visaeurope.com/privacy/

SSL encryption

This website uses SSL encryption for security reasons and to protect confidential content, such as data relating to enquiries sent by you to us as the site operator. You can tell that the connection is encrypted if the browser address changes from ‘http://’ to ‘https://’ and a padlock symbol is shown in the browser’s address bar.

If SSL encryption is activated, the data sent to us cannot be read by third parties.

Withdrawal and deletion

The user has the right to withdraw consent at any time with future effect.

Stored personal data will be deleted if the user withdraws its consent to the storage thereof, if knowledge of the data is no longer required to fulfil the purpose for which they have been stored, if the contractual relationship comes to an end or if storage is not permitted for other legal reasons. Data stored for billing and accounting purposes will not be affected by a request for deletion.

Right to information

You have the right at any time and free of charge to request information about the personal data stored on your person, their origin and recipient and the purpose of the data processing. You can contact us at any time at the address below if you have questions about this or any other questions about personal data. For security reasons, this request must be made in writing.

CareMed GmbH
International Insurance for Educational Travel
Budapester Str.4
53111 Bonn, Germany
DataProtection@caremed-travel.com

CareMed is registered as an insurance broker with a permit pursuant to Section 34d (1) of the German Industrial Code (Gewerbeordnung - GewO) with the Bonn/Rhein-Sieg Chamber of Industry and Commerce (Industrie- und Handelskammer Bonn/Rhein-Sieg) and has been registered with the Register of Insurance Brokers (Versicherungsvermittlerregister) by the registration authorities under registration number D-EW68-5PU30-88 pursuant to Section 34d (7) GewO.

The registration authorities make use of the services of the joint body Deutscher Industrie- und Handelskammertag (DIHK) e.V., Breite Straße 29, 10178 Berlin, phone: +49 (0) 30 2 03 08 0, fax: +49 (0) 30 2 03 08-10 00, website: http://www.dihk.de to manage the register pursuant to Section 11a (1) GewO.

The above-mentioned body will provide information on the registration of CareMed in the Register of Insurance Brokers. The registration of CareMed can be reviewed on the Internet at the website http://www.vermittlerregister.info.

Arbitration body

‘Versicherungsombudsmann e.V.’ is engaged as the arbitration body and ‘Private Kranken- und Pflegeversicherung’ as the ombudsman.

The ombudsmen are independent in respect of their answers and decisions and are not subject to any instructions.

In order to fulfil their duties as a dispute resolution and arbitration body, the ombudsmen use a code of procedure and a schedule of fees. They are entitled based on the schedule of fees to charge the insurance broker or the insurance company a fee proportionate to the expenses incurred. In the event of obviously improper complaints, the complainant may also be charged a fee.

The ombudsmen are under obligation to respond to any complaints concerning insurance brokers.

Currently known arbitration bodies are as follows
for private insurance, excluding private health insurance, credit insurance, reinsurance:
Versicherungsombudsmann e.V., Postfach 080 632, 10006 Berlin, Germany

for private health insurance:
Ombudsmann Private Kranken- und Pflegeversicherung, Kronenstraße 13, 10117 Berlin, Germany

Art. 4 GDPR Definitions

For the purposes of this Regulation:

Personal data

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing

‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

Pseudonymisation

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Filing system

‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

Controller

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processor

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Recipient

‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

Third party

‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Consent

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Personal data breach

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Genetic data

‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

Biometric data

‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

Data concerning health

‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Main establishment

Representative

‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

Enterprise

‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

Binding corporate rules

‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;

Supervisory authority

‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

Supervisory authority concerned

‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:

  1. the controller or processor is established on the territory of the Member State of that supervisory authority;
  2. data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
  3. a complaint has been lodged with that supervisory authority;

Cross-border processing

‘cross-border processing’ means either:  processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

Relevant and reasoned objection

‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

Information society service

‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (¹);

International organisation

‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Directive (EU) 2015/1535

Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1).

https://gdpr-info.eu/art-4-gdpr/

Processing directory for the automated processing of personal data according to Art. 30 GDPR

I Information on the responsible body (Article 30 (1) (a) GDPR)

1 Responsible for data collection, use or processing
Name or company name: CareMed GmbH
Area: Mediation of insurance for exchange participants
Street: Budapester Str. 4
Zip, place: 53111 Bonn
Phone: +49 (0)228 55 54 900
Fax: +49 (0)228 55 54 975
E-mail address: info@caremed-travel.com
2 Responsible employee
Management of the responsible body, representative: Annabelle Franco, Thomas Kiechle
3 Contact details of the Data Protection Officer
Company: CareMed GmbH, Data Protection Officer
Address: Budapester Str. 4, 53111 Bonn, Germany
Phone number: 00 49(0)228 55 54 90-0
Fax number: 00 49 (0)228 55 54 90-75
E-mail: DataProtection@caremed-travel.com

II Information on the procedure according to Art. 30 para. 1 b)-f) GDPR

1 Purpose of data collection, processing or use
The purpose of the data collection, processing, storage or use is to carry out insurance mediation, administration and settlement of claims abroad related to the travel insurance sold, especially in the field of educational travel such as exchange programs.
2 Description of the groups of persons concerned and the related data / data categories
Group of persons: Data / data category
Interested parties/prospects, clients: Name, address, e-mail address, date of birth, home country/country of usual residence, travel destination, contracted insurance option/cover
Business partners: Company name, postal address of the company, e-mail address, phone number, first name, last name, position, area
3 Recipients or categories of recipients to whom data can be communicated
Insurer, claims office
4 Rule deadlines for the deletion of data
For customers: Legally stipulated 10-year retention period
For interested parties/prospects: 1-30 working days after examination of the legitimated written request by the interested party
5 Planned data transfer to third countries or to an international organization
Planned: [x] yes [ ] no
If so: Claims in the USA, in accordance with the insurer
Purpose: Cover check and claims processing
Data / data category: A, B
Country / category of country / international organization: USA
Details of the documented guarantees according to § 49 para. 1 GDPR:
The transfer of the subjected data is necessary in order to conclude or fulfill a contract in the interest of the concerned person or the person in charge of another natural or legal person.

III Information pursuant to Art. 30 (1) (g) GDPR

General description of the technical and organizational measures for safety during processing according to Art. 32 para. 1 GDPR
The processes and their compliance are checked both in accordance with the required technical specifications and the data protection requirements at CareMed and at the service providers of CareMed GmbH and documented on the basis of checklists. Access control, control of data media (e.g. disks and USB devices), storage control, user control, access control, transmission control, control of data entry, transport control, recoverability, reliability, data integrity, order control, availability control and separability are among the main safety measures.
Date: 04-May-2018
Data Protection Officer or Supervisor: ppa. Annabelle Franco

Service providers and partners of CareMed GmbH:

Chubb Group
CISI
Empaction
HanseMerkur
LogMeIn
Syniq
