Processing of personal data in Topdanmark

At Topdanmark, we want our customers to always trust us. When you disclose personal data, we know that it is our responsibility to protect it. Therefore, we have IT systems, procedures and controls which ensure that we comply with the General Data Protection Regulation (GDPR) and the Data Protection Act, and that your personal data is processed and stored in a way that respects your privacy.
We do not sell your personal data.

What data is collected?

We only collect personal data, when necessary, and we process the personal data in compliance with current legislation. The types of personal data collected depend on the purpose of the processing. At Topdanmark, we process the following types of personal data:

  • Contact information and identifiers 
  • CPR numbers/Civil Registration Numbers
  • CVR numbers/CBR Central Business Register  
  • Policy and registration information 
  • Product information
  • Claims information 
  • Payment information 
  • Health Information 
  • Financial information
  • Information on relevant social circumstances, including information included in the municipal case work
  • Information on trade union membership 
  • Information on criminal offences
  • Information on political persuasion (e.g relevant for legal aid cover in libel suits)
  • Information on family relationship
  • Information on conditions of employement
  • Information for investigations 
  • Operation data from IOT solutions (Internet of Things) e.g. water damage sensors, fire alarms or slurry sensors


We only register personal data if it is necessary. When managing your insurance, processing your claim or when you buy shares, it can be necessary to collect data on the following categories of persons:

  • Policyholder and insured 
  • Beneficiaries 
  • Next-of-kin 
  • Claimant (i.e. the person affected by the damage/injury)
  • Counterparty 
  • Witnesses
  • Guardians 
  • Employers
  • Mortgagees 
  • Advisers (bank/financial adviser, lawyer, accountant etc.) 
  • Therapists (doctor, psychologist, physiotherapist, etc.) 
  • Shareholders 
  • Board members
  • Real owners
  • Subjects (potential customers)

Where and how do we collect the data?

We collect personal data from you and from third parties such as your former insurance company, your doctor and Topdanmark’s collaboration partners (for example: Coop, Nordea Pension, Dansk Sundhedssikring suppliers of slurry sensors and Leakbot (water sensors), and external social workers etc.) 

We collect data about you e.g. via cookies, telephone calls or chats with you. We receive data if you follow us on Facebook, actively write comments, or in other ways communicate with us. We also collect information from your replies, when you participate in surveys or answer questionnaires. 

Furthermore, we collect data from public and private registers such as the CPR register, the CVR register (the Central Business Register), the Register of Motor Vehicles, BBR (the Danish Building and Housing Register), DFIM (Danish motor insurers' bureau), trade unions, and publicly available information (e.g. 118).

Finally, we collect personal data via member lists from our collaboration partners, thus we can provide the right insurance offers with the correct discounts for the members.

How we collect information via Facebook

When using Facebook, Facebook installs a cookie on your computer, telephone or tablet, and it collects data about you. The data is collected if you share, comment or like a post. Both Facebook and Topdanmark are responsible for this data collection. Facebook is the data controller, when your personal data is used for marketing and advertising on Facebook. Topdanmark is the data controller, when we receive Facebook’s user statistics, which we then apply to target our marketing.  
Facebook’s policy for processing personal data is available at:
https://www.facebook.com/privacy/explanation

As part of our claims handling, we sometimes look through social media e.g. Facebook. However, it is only for publicly available information. 
 

The purpose of processing your data

To be able to contact you by telephone to sell our insurance products, we collect your contact information such as name and telephone number. Naturally, we do not contact you if you are listed on the Robinson list, or if you have opted out of receiving marketing transmissions from Topdanmark. 

We use your data when managing your insurances and handling your claims, when we give you advice and keep you up to date on the products, we and our collaboration partners can offer within insurance and pensions. Furthermore, we use the data when processing complaints and lawsuits, and for making surveys and analyses to continuously improve our advice, service and technical solutions. If you have an IOT solution (Internet of Things) – meaning, items and units that are connected to the internet and can exchange data digitally - we will make use of the data to assess whether it can help to prevent damages. It can be e.g. water damage sensors, fire alarms or slurry sensors. Furthermore, the information collected from IOT solutions can be included in the assessment of your reported claims, and it can be used in statistics. 

Data collected from public and private registers are used for:

  • updating master data including addresses  
  • ensuring your entitlement to any discounts e.g. via your trade union membership 
  • collecting information on your property and motor vehicle 
  • verifying the accuracy of the received information.

If you are a shareholder, the purpose of processing your data is to update the register of shareholders and manage your transactions.

How we use recordings of telephone calls

When you call us, we sometimes ask permission to record the call for us to continuously improve and ensure the highest standards for our service and products, as well as for documentation purposes. We do this, so we can evaluate the calls by listening to them and analysing them based on an automated transcription. 

We record the call and subsequently process it with your consent, which you give in connection with the call cf. Article 6, paragraph 1(a) of the General Data Protection Regulation (consent).
You can always withdraw your consent by writing to us at indsigt@topdanmark.dk. By using the same email address, you can also request erasure of the recording. 

A limited circle of our employees has access to the recordings. We erase or anonymise recordings after six months and save a transcription of the recording for 18 months. 

Furthermore, the recording of your call can also be used as documentation, and you can get access to it. We can store the recording, if your call becomes part of a concrete complaint, dispute or other form of casework within six months. We store the documentation in order to solve the case and in accordance with the rules of statute of limitations. 

In some situations, we may need to call you to get further information on your claim. In these situations, we sometimes record the call for documentation purposes, and then you will be informed in the beginning of the call. 

We save our chat conversations 

If you use our chat service on the website in connection with purchase, claim or policy questions, we process the information that you enter. If you chat with us without being logged in, any personal information in the chat will be anonymised after one hour, so the conversation can no longer be attributed to you. 

The information is not anonymised if manually stored to your customer file. If you chat with us when being logged in to the website, we store the chat to your customer file. If your chat is stored, the information will be deleted in accordance with Topdanmark’s general rules of erasure.

We use the chat conversations to improve the chat experience and to improve the chatbot’s answers. In addition, we save the information for documentation purposes.

We save the data on your use of our website 

When you log on to Mit Topdanmark, we identify you. We process the data on your use of the website confidentially and in the same way as all customer data.  

When you use our website, we use cookies to save data on your use of our site. We use the data to make it easier for you to use our website as well as to improve our website. 

Read more about Cookies

This is the legal basis for our processing of your data 

We act in compliance with the law, when we process your data. The primary legislation in this field is the financial regulations the Danish Insurance Business Act etc.) and other relevant legislation, including:

  • The Danish Insurance Contracts Act
  • The Danish Liability for Damages Act
  • The Danish Workers' Compensation Act 
  • The Danish Anti-Money Laundering Act 
  • The Danish Tax Control Act 
  • The Danish Bookkeeping Act 
  • The Danish Credit Agreements Act 
  • The Danish Payments Act 
  • The Danish Data Protection Act and the General Data Protection Regulation
  • The Danish Administration of Justice Act  
  • The Consumer Contracts Act
  • The Danish Marketing Practices Act
  • The Insurance Mediation Act

When processing personal data, we comply with the rules on personal data. If you have purchased an insurance with us, we process your information when necessary in relation to the insurance contract you have entered or are considering entering with us cf. the General Data Protection Regulation, article 6 (1b). We process your CPR number cf. the Danish Insurance Business Act § 69.

When handling a claim on personal injury, we need to assess whether there is cover. In that connection, we process your personal data to determine whether you can claim cover cf. General Data Protection Regulation, article 9 (f).

In other cases, you have given your consent for us to process your personal data cf. the General Data Protection Regulation, article 6, and article 9 etc.
We only process personal data, which is adequate, relevant and limited to what is necessary in relation to the purpose. 

Moreover, we process your data when necessary to pursue legitimate interests cf. the General Data Protection Regulation, article 6, 1 (f).This could be preventive action against abuse and loss, to strengthen our IT security, and for direct marketing of insurance products. 

Categories of recipients for transmission of data 

As a financial company, we are subject to enhanced duty of confidentiality under the Danish Insurance Business Act. Therefore, we process your data as confidential, and we only disclose data to others if legal.  This could e.g. be based on consent or in accordance with legislation. Data is only disclosed when necessary in relation to the purpose.

We disclose data to the following recipients:

  • Persons related to an insurance or pension scheme e.g. policyholder, next-of-kin, claimant, beneficiaries and counterparties 
  • Other insurance companies 
  • Mortgagees 
  • Public authorities (police, tax authorities, municipal authorities etc.) 
  • Repairers e.g. skilled workers 
  • Lawyers and agents (i.e. holder of a power of attorney)
  • Banks 
  • Doctors and other therapists 
  • Collaboration partners (eg. Dansk Sundhedssikring - our intra-group company)
  • Data processors 
  • Labour Market Insurance (AES) and The National Social Appeals Board
  • Danish Patient Compensation
  • The Insurance Complaints Board
  • Courts

 

When Topdanmark promotes insurances for collaborative partners

When Topdanmark promotes insurances on behalf of our collaborative partners (e.g. Nordea Pension and Dansk Sundhedssikring), we pass on the personal data about you when necessary for the administration of the agreement.

 

Pricing and use of data in Topdanmark

How we set the price on your insurances.

In general, the price on your insurances is based on the risk that we as a company take on to pay for any potential claims. When we address the risk, we assess both the likelihood of a claim and the size of the claim if it occurs. 

For example, if you live in a neighbourhood with a small risk of burglary, we offer you a lower insurance premium than if you live in a neighbourhood with many burglaries. However, if you have a lot of items of value, you price will increase accordingly as the burglars will steal more in case of a burglary. Similarly, customers living in big houses will pay more for a fire insurance compared with customers living in small houses. This is because, if a fire should occur and the house burns down, it costs more to rebuild a big house than a small house. 

Before you purchase an insurance with us, we will ask you a number of questions to identify your insurance needs, and to assess the risk in the best possible way. That way you do not pay too much or too little for your insurance. 

When we assess the risk, we draw on several years of statistics from our many customers. We are interested to know what you want to insure (is it your car, or a special bicycle?), where and how you live (in a flat, or in a house?), as well as some information on your household (do you live alone, or with others?).

The information we need to calculate your price could be e.g.:

  • Your address
  • Your type of residence
  • The age of the persons in your household
  • The type of vehicle (i.a. make, model and age)
  • The value of your jewelleries (or items made of gold)
  • The number of claims with us, or other companies
  • If you are registered with RKI (Ribers Kredit Information)

Why your price changes on a continuing basis

Normally, the price of your insurance will be regulated annually based on the index stated in your insurance contract. This reflects e.g. that the costs of repairers increase every year, and that most people acquire more things over time. 

But the world is ever-changing, so we update our risk assessment on a regular basis. At the same time, we compete with other companies on offering good insurances at competitive prices. Therefore, we assess – on an ongoing basis – whether you pay the right price for your insurances. The price of your insurance can both increase and decrease. If we increase the price more than the index, we will inform you with 30 days’ notice, thus you can decide whether you want to keep or cancel your insurance with us.

In addition, the price will typically change when your insurance needs change. For example, if you get a new car or move to another residence. 

If you have more claims than considered normal for your segment, we will consider you a higher risk than normal, and that could lead to e.g. a higher excess or a higher insurance premium.

About the price calculator on the website

If you are not already a customer with Topdanmark, we will ask for your CPR number when you use the price calculator on our website. However, if you do not want to disclose your information online, you can get a quote by calling us.

We ask for your CPR number to be able to quote you the right price, and for that we need to know all the circumstances relevant to calculation of the price. We use the CPR number to look up information in our database e.g. whether you are a customer with us and thus should get a discount, or whether there are any claims or payment record that can affect the price. 

If you choose not the become a customer with us, we store your information in our systems for six months to ensure that you get the same quote if you contact us again. We do not share your information with others. 

For how long is the data stored?

Topdanmark is obliged to erase personal data when no longer relevant. This means that we - on an on-going basis - erase data for which we no longer have a reasoned purpose, a legal obligation to store, or can be met by a claim.

Our rules of erasure is based on the Danish limitation act and the storage requirements in the bookkeeping act.  

The standard rules of erasure for Topdanmark are as follows:

Personal data processed for statistical purposes is stored for the period necessary for fulfilment of the purpose for which is has been collected.

How our data security is built 

Your security is important to us. Therefore, we have both technical and organisational measures in place to protect the data we receive. This means that we have:

  • Work-induced access at all locations – i.e. only access for employees and others performing a job on site/in the building, physical access control, and everybody should wear an admission card
  • Physical perimeter security and shell security with access security, surveillance and alarms – that is, physical admission cards, CCTV, and burglar alarms
  • Encryption of data during transmissions and storage 
  • Virus scanners on servers and pc’s
  • Restore and back-up of data on all servers and pc’s
  • IT systems with access control based on user ID, and personal and complex passwords 
  • VDI, VPN with two-factor authentication and encryption for remote workstations and other mobile units
  • Procedures and policies for processing and communicating personal data 
  • E-learning on data security and processing of personal data for all employees 
  • Training of all employees in cyber security
  • Employees certified in data protection
  • Control of data processors. 

How we use profiling and automated rulings

At Topdanmark, we use profiling and data modelling to provide you the right insurances, set prices, reveal fraud and risk of fraud/money laundering, assess the probability of breaches, assess assets, and for marketing purposes.  

We are also working on automating some of the decision rulings we make. This means that a robot will make the decision on whether a claim is covered by the insurance, or if we can make an insurance quote. If a decision-making process is automated, you will be informed hereof in the specific ruling.  

At Topdanmark, we have adopted ethical principles for our use of artificial intelligence. You can read the principles here: 

> Read more about Topdanmark's principles on the use of artificial intelligence

How we use encryption to send secure emails

Nearly all emails to and from Topdanmark are encrypted by TLS (Transport Layer Security), thus the email is protected during transport. We also encrypt emails, thus we can send and receive emails containing sensitive personal information.

If you want to send emails encrypted with certificate to Topdanmark, please send your emails to sikkermail@topdanmark.dk after downloading the certificate at https://service.nemid.nu/dk-da/support/soeg_certifikat/

Topdanmark is part of the Danish Tunnelmail system for companies. The system applies strong encryption.

Read more about secure e-mail (in Danish only)

 

Write to us via e-Boks

You can also write to us via your e-Boks. All you need to do is log on to your e-Boks, choose “Skriv ny post” and choose “Topdanmark” as the recipient.

Read more about how e-Boks handles secure communication (in Danish only)

How we secure your information with data processors

Topdanmark may choose to use data processors, such as suppliers of software, hosting, security and storage. Therefore, your data can be disclosed to data processors.  

All data processors are subject to written authorisation and control to ensure that your personal data is solely used for the specific purpose for which the data was collected.  

We have written agreements with all data processors, and we check their compliance to our instructions on an ongoing basis. As part of the instructions, we require that the data processors process your data confidentially and take sufficient technical and organisational measures to prevent that your data is accidently or illegally deleted, lost, impaired, or disclosed to unauthorised persons, abused, or in any other way processed against the General Data Protection Regulation.

Topdanmark has chosen to outsource some services to countries outside the EU/EEA; this includes IT technical development and support. When doing so, we ensure your rights by using the EU Commission’s standard contract, binding corporate rules, or the so-called “Privacy Shield” approved by the EU Commission.   We are obliged to secure that the necessary organisational and technical measures are in place to secure the protection of your personal data outsourced to our data processors in third countries. For further information, contact us at databeskyttelsesraadgiver@topdanmark.dk.  

Your rights

At any time, you can exercise your rights – however, with certain statutory exemptions 

  • You have the right to obtain confirmation as to whether Topdanmark is processing your personal data, and when that is the case, you have the right to access the personal data and information regarding our processing. 
  • Under special circumstances, you have the right to object to Topdanmark’s processing of personal data. But you can always object to your personal data being processed for direct marketing purposes (meaning opt-out of direct marketing). If you raise an objection, we do not contact you e.g. by telephone to sell insurances. 
  • You can require that we correct or erase data. However, we only erase your data, when you are no longer a customer – and only when no claim can be made against us for any previous claims and insurances. 
  • Under certain circumstances, you have the right to limit the processing of your personal data. When this is the case, we can store your information and only process the information with your consent, or for a legal claim to be determined, submitted, defended, or to protect a person or important public interests
  • You have the right to receive your personal data in a machine-readable format as well as have the personal data transmitted to another data controller (data portability) 
  • When you have given your consent, you can always contact us to learn to what extent. And at any time, you can revoke your consent by contacting us a indsigt@topdanmark.dk. Subsequently, we will cease to process your data. However, in rare cases, we can continue the processing on a different legal basis. 

Related to automated decisions:

  • You can get insight into how an automated decision is made and the logic involved and you have the right to a manual processing of any automated assessment (meaning a claims handler will process your case).
  • You have the right to object to the collection and processing of your data, including for automated individual rulings.


If you want to make a complaint 

If you are dissatisfied with how Topdanmark is processing your data, you can send your complaint to us at databeskyttelsesraadgiver@topdanmark.dk. You can also send a complaint to Datatilsynet (The Danish Data Protection Agency), Carl Jacobsens Vej 35, 2500 Valby, Tlf. 33 19 32 00, mail dt@datatilsynet.dk, website: www.datatilsynet.dk.


Contact Topdanmark

Topdanmark A/S and Topdanmark Forsikring A/S, Borupvang 4, 2750 Ballerup are data controllers.

If you have any questions regarding the processing of personal data please contact our Data Protection Advisor at databeskyttelsesraadgiver@topdanmark.dk. If you want to exercise your rights to request insight, erasure, restrict processing etc., please contact us about this at indsigt@topdanmark.dk.