MENU
BACK
MENÜ
ZURÜCK

Privacy policy

We are really delighted that you have shown interest in our company. Data protection is of a particularly high priority for the management of YOUPLUS Assurance AG (hereinafter also referred to as "YOUPLUS" or the "controller"). YOUPLUS handles personal data carefully and in accordance with the applicable legal provisions. We have taken several technical and organizational measures to ensure protection. We only process data that we absolutely need, we delete personal data after the processing period has expired, we regularly train our employees in the processing of personal data, and we strictly adhere to data protection regulations. When processing personal data, we adhere to the principles of lawfulness, transparency, accountability, security and data minimization. We would like to point out that there are exceptions to the obligation to provide information on the processing of personal data under the Data Protection Act. For example, YOUPLUS is not obliged to inform persons about the processing of personal data who are already in possession of the relevant information, or the processing of personal data is required by law, or they are legally obliged to maintain confidentiality.

With this privacy policy, we would like to inform you about the processing of personal data. It is aimed at our customers, persons whose data we will process as part of the provision of our products and services. At the same time, we would also like to inform visitors to our website and persons who have expressed an interest in working for our company or who have contacted us via our contact form.

Please read the complete privacy policy carefully. You will learn about the type, scope and purpose of the personal data collected, used and processed by us, the rights of the data subjects, transfers abroad, the category of recipients, etc.

1. Legal framework

The information contained in this declaration takes account of the legal provisions applicable in Liechtenstein and the EU:

  • Data Protection Act (hereinafter also referred to as "DPA") and other related data protection laws that apply not only in Liechtenstein but also in other Member States of the European Union, and
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter also referred to as "GDPR").

When processing personal data in Liechtenstein, we comply with the GDPR, as Liechtenstein is a member of the European Economic Area (EEA) and applies the GDPR in full, just like the member states of the European Union. Although it is not an EU member, the same obligations and regulations on the protection of personal data apply there.

2. Definitions

The YOUPLUS privacy policy is based on the terms of the DSG and the GDPR. We endeavor to make our privacy policy easy to read and understand and would therefore like to explain the terms used in advance:

  • Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • Data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing;
  • Processing is an operation or set of operations which is performed on personal data or on sets of personal data;
  • Restriction of processing is the marking of stored personal data with the aim of restricting its processing in the future;
  • Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, to analyze or predict aspects concerning that natural person's performance at work, financial situation, health, personal preferences, interests, reliability, behavior, location or movements;
  • The recipient is the natural or legal person, public authority, agency or other body to whom the personal data is disclosed, whether or not it is a third party;
  • The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under a direct authority from the controller or processor, are entrusted with the processing of personal data;
  • Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

3. Who is the controller/person responsible for the processing of personal data?

The company that determines the purpose and means of the processing is responsible for the processing of personal data. For data processing in accordance with this privacy policy, this company is the "controller". Under GDPR and DSG the controller is:

  • YOUPLUS Assurance AG
    ID: FL-0002.038.147-0,
    with registered office at Austrasse 14, 9495 Triesen, Liechtenstein

If you have any concerns or questions about data protection, you can contact us at the following address: datenschutz@youplus.li.

4.  Data Protection Officer /DPO/

The Data Protection Officer is the point of contact for data subjects and data protection authorities in Liechtenstein. The controller has appointed a data protection officer, who is responsible for data protection:

  • Tomáš Bielik
    YOUPLUS Assurance AG
    Austrasse 14
    9495 Triesen
    Liechtenstein

Our data protection officer can be contacted in writing at the above address or by e-mail at datenschutz@youplus.li. Please be sure to state at your request that it is an inquiry about YOUPLUS. However, we would like to point out that this person only deals with inquiries about personal data and its processing or inquiries in connection with the GDPR.

5. Scope of the processing of personal data and categories of data subjects

The controller processes only the personal data necessary to achieve the specific purpose of the processing. YOUPLUS processes the personal data of data subjects as far as possible and in a manner that does not interfere in any way with the rights of the data subjects. To protect personal data, we have taken and implemented several technical and organizational measures, we process personal data only beyond what is necessary, and we ensure the protection and confidentiality of the personal data processed. As part of our activities, we mainly process personal data of the following categories of data subjects:

  • Customers - persons who have concluded an insurance contract with the controller;
  • Representatives of clients - persons who are authorized to represent a client or act on their behalf. These are, for example, cases of legal representation of a minor client, representation under a power of attorney;
  • Other persons who are not directly involved in the conclusion of the contract, but the controller is obliged to process personal data about these persons within the meaning of generally applicable law - for example, the beneficiary of the insurance contract, the end user of the customer's services, politically exposed persons, premium payers, recipients of correspondence, family members, etc;
  • Visitors to the controller's website - persons who have visited the website and, if applicable, have contacted the controller via the contact form and asked questions;
  • Contract intermediaries/brokers - persons through whom the insurance contract was concluded;
  • Suppliers - persons who provide their services/products to the controller or persons acting as a statutory body of the supplier, which is a legal person, or their employees/authorized representatives who provide the service on behalf of the supplier.

6. Categories of personal data processed

We also process different categories of personal data for different purposes. In the case of contractual partners who are companies, we process fewer personal data - here we mainly process the data of the companies' contact persons (e.g. name, e-mail address, position in the company, communication data). Much of the following personal data is provided to us by you. As a rule, however, you are not obliged to do so. If you provide us with data about other persons, we assume that you are authorized to do so and that this data is also correct (this applies, for example, to legal representatives or details of persons to whom the insurance benefit is to be paid). You automatically confirm this if you have provided us with the data of these third parties.

YOUPLUS (The Data Controller) processes data within the scope of its activities:

  • Common personal data the following categories of personal data:

Identifying data - data that identifies the data subject as a specific person, for example: title, first name, surname, date of birth, nationality, ID data (type and number of the ID, issuing authority, date of issue and validity of the ID), residence data, status as a politically exposed person if you are a natural person. Entrepreneurs: We also process the identification number, company name, place of business, tax residence status, tax identification number, if applicable, image data set (photo), customer number, number of the brokered product, including making copies of the identity documents of the data subject, residence documents. We also process data and documents that prove the representation of the data subject (this applies, for example, to legal representatives or details of persons to whom the insurance benefit is to be paid). These personal data are processed in relation to all data subjects and their provision is necessary to a certain extent in order to achieve the purpose of the processing of personal data, e.g. for the conclusion of an insurance contract.

Contact data - the data you provide is used so that we can contact you as the data subject using this data. This includes your residential address, your correspondence address, your telephone number or your e-mail address. This personal data is processed in relation to all data subjects, but it is generally not necessary to provide it.

Data about the products and services you use - we may use data about the products/services you use with us for the purpose of internal analysis and processes (if we have selected you for these activities).  This also includes data that arised in connection with the conclusion of a contract or data arising from a contract. This includes, for example, the number of the insurance contract, the type of insurance, the insurance cover, the description of the risk, the insurance benefit, the term of the contract, etc.

Socio-demographic data - data describing the basic social characteristics of the person concerned, such as age, gender, marital status, level of education, occupation, income data. This data was required for the assessment of insurance risks, especially when concluding or subsequently amending an insurance contract. We would like to point out that YOUPLUS does not currently conclude any new insurance contracts but manages the portfolio of existing insurance contracts.

Payment and transaction data - data about the account from which you pay your premiums and who pays them, whether premiums are paid properly and on time, unpaid premiums, reminders, tax identification number. We process this data about the premium payer, who may be the policyholder or another person. In connection with the insurance claim, we process the payment data of the beneficiaries or the actual beneficiaries of the insurance claim. We cannot do without this data during our activities.

Identification data of the data subject for the purpose of verification within the meaning of the Federal Act on Combating Money Laundering and Terrorist Financing, verification of the data subject on sanctions lists -data on politically exposed persons, data of persons on sanctions lists, etc., including the production of copies of identification documents when processing this personal data.

Data collected via the contact form - the data is processed for the purpose of processing the data subject's inquiries and requests, determining the data subject's satisfaction and preferences within the scope of the data provided by the data subject.

Data required for the risk assessment of the insurance premium -e.g. data describing the sporting activity, the profession of the person concerned, the activities and hobbies of the person concerned. This information relates to the insured persons and is necessary for the assessment of the insurance risks. Please note that YOUPLUS does not currently conclude any new insurance contracts but manages the portfolio of existing insurance contracts.


Technical data - this includes, for example, cookies, metadata, logs that record the use of our systems and other technical data. When we communicate with each other, we store the content of this communication, e.g. records of e-mail communication or records of telephone conversations.

Other data about the data subject - As part of our business activities, we also process other data that is not listed in the above categories. This includes, for example, information about the amount of the insured person's income or the source and origin of their income and assets, their requirements and needs in relation to the insurance taken out or their tolerance to investment risks. They may also contain information provided by the insured person in the context of claims settlement, the specific content of which is not fully known to us in advance. This information relates to the policyholder and the insured persons and is particularly important for the verification of the customer in accordance with the law or the fulfillment of the concluded insurance contract.

  • A special category of personal data within which the controller processes the following categories of personal data in particular:

Health-related data - Health-related data is sensitive personal data about you and describes your state of health, physical and mental health. It includes information about the causes, injuries and illnesses you have suffered from or been treated for before or during the insurance period, as well as information about the healthcare services you have received. The medical records may also contain information about predispositions to certain illnesses or family history. We required this information before the insurance contract is concluded and also when the insurance contract is amended or during the term of the insurance. We collect and process this data from the insured persons, exceptionally from the policyholder (if the policyholder is deceased), only on the basis of consent or if it is necessary for proof, exercise or defense of legal claims.

7. Legal basis for the processing of personal data

The legal basis for the processing of personal data may be:

Consent of the data subject (or, where applicable, of an authorized/delegated person) to the processing of personal data for one or more specific purposes (Article 6(1)(a) of the GDPR).

The controller uses this legal basis if it cannot use any other legal basis for the processing of personal data or if consent is directly required by law (e.g. when processing sensitive personal data). Based on the consent given, the controller processes the following data in particular:

  • personal data to the extent specified directly in the consent and which is necessary to achieve the purpose for which the consent was given,
  • sensitive personal data (health data),
  • personal data for the purpose of contacting the controller via contact forms,
  • personal data when visiting the controller's website (cookies) (provided that our website processes cookies and you have been informed about this processing by a so-called cookie bar).

Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering a contract (Article 6(1)(b) GDPR).

The processing of personal data on this legal basis is based on the fact that without the processing of the data subject's personal data, the controller will not be able to conclude the requested insurance contract and ensure the performance of the contract. Currently, the controller does not conclude new insurance contracts but only manages existing contracts. If you wanted to conclude a contract with YOUPLUS (or with a company whose client base YOUPLUS has acquired in the past) and use its services, you had to provide YOUPLUS with all the data necessary not only for the conclusion and subsequent performance of the requested contract (e.g., payment of insurance benefits, performance, etc.). The processing of personal data is also necessary to assess your requirements and needs, to correctly determine the sum insured and the insurance risk and the associated amount of the insurance premium and to assess your knowledge and experience in relation to the services offered. On this legal basis, the controller processes in particular

  • the personal data required to identify the data subject as one of the contracting parties and their contact details,
  • personal data directly related to the performance of a contract or in order to take steps at the request of the data subject prior to entering a contract to which the data subject is party and where the relevant legislation provides for mandatory elements of the contract, such as economic and socio-demographic data,
  • personal data insofar as this is necessary for the fulfillment of its contractual obligations.

If the insurance contract was concluded by a representative/authorized representative (e.g., parents, authorized representative) on behalf of and for another person, or if the personal data of another person (authorized representative) was provided for the purpose of concluding the contract, it is necessary to ensure that the persons concerned were duly informed about the processing of personal data in accordance with this statement. At the same time, it is important that we are provided with only accurate and up-to-date personal data about these persons. We recommend that representatives of data subjects always ensure that they have been authorized by the data subjects to provide us with this personal data. Otherwise, the controller must delete the personal data and terminate the concluded contracts.

Processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) of the GDPR).

In addition to the right to the processing of personal data, general legislation obliges data subjects to provide their personal data and at the same time obliges the controller to process personal data (e.g. in the event of a control, audit, etc.). For example, if the data subject refuses to provide his/her identity document, the controller cannot provide the data subject with the requested services or facilitate the conclusion of the requested contract with the data subject, as this would constitute a breach of the law. In particular, the controller processes on this legal basis:

  • personal data insofar as this is prescribed by generally binding legal provisions, particularly the Insurance Contract Act, the General Civil Code, the Money Laundering Act, tax regulations and other legal provisions to which the controller is bound in the performance of its activities.

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6(1)(f) of the GDPR)

The controller may process your personal data for as long as there is a legitimate interest of the controller or a third party that does not outweigh the interests and fundamental rights and freedoms of the data subject. Such processing operations are permitted because they are explicitly mentioned in the GDPR. According to recital 47 of the GDPR, a legitimate interest may be assumed if, for example, the data subject is a customer of the controller. On this legal basis, we process personal data for the following purposes:

  • to protect our rights and interests, our employees, our IT operations, our customers themselves or the rights and interests entrusted to us by another person,
  • Prevention of insurance fraud, crime and money laundering
  • Enforcement, prosecution and defense of legal claims in court,
  • Operational risk management - improvement of existing products and services and their development
  • the functioning of effective customer service,
  • effective management and development of controllers.

YOUPLUS always processes personal data on one of the above legal bases. For some processing purposes, YOUPLUS may use a combination of several legal bases, e.g. the consent of the data subject when providing sensitive data and then a legal basis in connection with the performance of a contract.

8. Purposes of the processing of personal data

The controller processes personal data for a predetermined purpose; without the processing of personal data, it would not be possible to achieve the purpose. For individual purposes, the controller always assesses the necessary scope of the personal data processed and observes the principle of data minimization, whereby this processing does not interfere with the rights of the data subjects beyond what is necessary.  YOUPLUS processes personal data mainly for the following purposes:

  • Conclusion of an insurance contract, submission of offers (modeling of an insurance contract), advice on the conclusion of a contract - you have provided the data for this purpose to our predecessor with whom you concluded the insurance contract and from whom YOUPLUS subsequently took over the insurance portfolio. In this case, however, the personal data was processed by our predecessor for this purpose as part of the preparation of a suitable offer, pre-contractual measures, advice and the actual conclusion of the contract, including the administration, provision of services and termination of the contract. Based on the data provided, the risk to be covered by the insurance contract was also assessed and the amount of the insurance premium was calculated at the same time. This may be an automated decision/calculation that helps the insurance company to determine the insurance risk more accurately. At the same time, if you have provided sensitive data - data about your health or genetic data - your consent was obtained before the contract was concluded.

YOUPLUS no longer processes personal data for this purpose, as no new insurance contracts are concluded

  • Reinsurance of the insurance risk - serves to cover the insurance claim by the reinsurer. In the event of an insured event, the reinsurer bears part of our claim’s costs. To be reinsured, we must provide our reinsurer with information on insurance policies and claims.
  • Protection against money laundering - the processing of personal data serves to prevent money laundering and terrorist financing and our obligation to comply with the relevant legal provisions. For this purpose, personal data is checked against a few sanctions lists which we are required to review regularly. In the event of a match, we are obliged to refuse to provide our services and, if necessary, report the match to the supervisory authorities.
  • Maintaining the agenda for processing requests from data subjects in connection with the exercise of their rights (GDPR agenda) - all requests in connection with the exercise of your rights under the GDPR and the DPA are carefully kept by the controller so that it can respond to the request within the statutory period and at the same time demonstrate how it has dealt with the request within a reasonable period of time.
  • Prevention of insurance fraud - Personal data is processed to prevent possible insurance fraud and to protect the interests of the controller. In this case, we use personal data relating to contracts already concluded, services provided, etc. If we come across a suspicious case or determine that there is a risk of insurance fraud, we may contact other insurers or our partners to review the case.
  • Provision of digital services - to provide our services, we communicate with the data subject mainly by electronic means, which entails the processing of personal data so that we can send our customers all documents relating to the service provided by electronic means and subsequently communicate with these persons by electronic means.
  • Termination of the employment relationship - further details are described in point 9.
  • Customer service - to improve the efficiency of our services, the data subject can contact the controller at any time with their questions/requests.
  • Operational risk management - We process personal data for statistical purposes, risk management. We use the processed data for the purpose of developing and improving our services.
  • Maintaining IT security - e.g. to monitor the performance of our website.
  • Internal reports - e.g. in the context of accounting or data archiving.
  • Identification of the customer - it is always necessary to properly and correctly identify the person concerned before the contract is signed or the service is provided (which, however, has already been achieved by our predecessors with whom you have concluded insurance contracts).
  • The administration of insurance contracts and the provision of benefits under the insurance contract - for this purpose, personal data is processed during the term of the contract, to monitor the payment of premiums and consequently the conditions for the provision of benefits under the insurance contract (assessment, verification and settlement of your claim).
  • Protection and assertion of the rights of the controller - We may also need your personal data to prove, exercise or defend against judicial, extrajudicial and official claims in Germany and abroad or to defend against legal claims.
  • Documentation of the controller's activities - as an insurance company, we are obliged to report to various authorities and provide information about our activities, whether for the prevention, detection and investigation of criminal offenses or for the provision of information around taxation, insurance control, etc.
  • To fulfill the obligations and tasks of the controller as an insurance company in accordance with the relevant legislation - we process personal data to fulfill our legal obligations, various regulatory obligations, for example in the context of handling complaints, preventing and investigating criminal offenses or other administrative offenses.
  • Verification of insurance claims - in the event of an insurance claim or insurance compensation, we require personal data to verify the claim, e.g. with other insurance companies or cooperating persons (doctors), so that the insurance compensation is properly paid.

9. Processing of personal data for job applications

YOUPLUS collects and processes the personal data of job applicants.  Personal data may be processed both in written and electronic form in accordance with the information provided by the controller when a position is advertised. In the case of a job application, it is necessary for you to provide personal data to the controller so that we can identify you and assess your professional experience. The provision of personal data takes place exclusively based on your consent. Personal data relating to (i) your CV/cover letter, (ii) your work and degree certificates, (iii) information about your current job, (iv) your expectations will be processed for this purpose. If YOUPLUS concludes an employment contract with you, the data transmitted will be stored for the purpose of processing the employment relationship in accordance with the statutory provisions. If the data controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted one year after notification of the rejection, provided that the deletion of the personal data does not conflict with the legitimate interests of the data controller.

10. Recipients / categories of recipients to whom personal data is disclosed

As part of our business activities and due to the complexity of some procedures, we use various service providers and commission them to process personal data on our behalf or to grant them access to your data.  This applies to IT service providers, but may also apply to analytics service providers, debt collection service providers, etc. Some of these service providers may be based outside Liechtenstein. When selecting providers, however, we always ensure that our providers comply with the relevant data protection laws and guarantee us data protection at least to the extent that we guarantee it. If these service providers process personal data as intermediaries, they are obliged to process it exclusively in accordance with our instructions and to take data security measures. The data may then also be passed on to other recipients, e.g. courts and authorities in the context of legal proceedings. In individual cases, we may also pass on personal data to other third parties for their own purposes, e.g. if you have given us your consent to do so or if we are legally obliged or authorized to pass it on. The recipients of personal data include in particular

  • Intermediary/broker of insurance contracts,
  • supervisory authorities and persons to whom the disclosure/disclosure of personal data is directly authorized by law or where the disclosure of personal data is necessary for the purposes of the legitimate interests pursued by the controller (e.g. bankruptcy trustees and executors, supervisory authorities, courts, law enforcement authorities or other persons who are parties to potential or actual legal proceedings, etc.),
  • Reinsurance companies that assume part of the insurance risk when it comes to covering liabilities from insurance contracts,
  • Insurance companies for the prevention and detection of insurance fraud and other illegal activities,
  • Companies that we have entrusted with the processing of personal data as our processors exclusively for our purposes and on our instructions (e.g. contractors for services related to our activities (lawyers, IT service providers, auditors, postal service providers, marketing agencies, etc.),
  • Persons with whom we cooperate in examining your application for fulfillment of the contract (e.g. contract doctors, other specialists, lawyers),
  • Company within the YOUPLUS Group. YOUPLUS is part of a group of other YOUPLUS companies that are active in other countries. For this purpose, personal data may also be stored in a company based in Switzerland and other EU Member States in which the U+ Group has branches, resp. to other countries where the YOUPLUS group has branches (Germany, Slovakia, Czech Republic, Norway).

11. Retention period for personal data / criteria for determining it

YOUPLUS processes and stores the personal data of the data subject only for as long as is necessary to achieve the purpose of storage or if this has been provided for by the European legislator or another legislator in laws or regulations to which the controller is subject (e.g. limitation periods, accounting, tax and social security laws). The retention period also depends on the possibility of asserting claims, whether against us or against you.

If the purpose for which the personal data is stored no longer applies or if the retention period expires, the personal data is generally blocked or deleted. The criterion for the duration of the storage of personal data is therefore primarily the respective statutory retention period.

If an insurance contract has been concluded, we process your personal data for the duration of the insurance contract. After its termination, we process your personal data for as long as at least one of the following reasons applies:

  • for the duration of the limitation periods under the relevant legislation (usually 10 years) and for a reasonable period thereafter to ensure that no legal proceedings have been initiated, such periods always depending on the nature of the obligation or right to which the limitation period relates;
  • as long as we provide the insurance benefits under the insurance contract;
  • during the pendency of legal or other proceedings for the purpose of defending our legal claims;
  • as long as our obligation to archive documents due to legal regulations (e.g. to protect against money laundering and terrorist financing, tax or accounting regulations, etc.) continues;
  • for as long as necessary to defend your legal claims if you ask us to do so.

In the case of the processing of personal data based on laws, we process personal data within statutory periods.

If we process personal data based on your consent, we will process this personal data for the period for which the consent was given or until you withdraw your consent. We will then process your data for as long as we can prove that we have obtained your consent properly and lawfully.

If personal data is processed based on a legitimate interest, we process this personal data for as long as is necessary to safeguard our legitimate interest, including the expiry of the relevant limitation periods.

However, if some of your data is required for several purposes, the retention period will always apply to the purpose that ceases to apply last.

12. Origin of the personal data

Sources from which personal data may originate:

  • Personal data provided to us directly by the data subject

We mainly collect personal data directly from the data subjects, i.e. from you, before concluding the insurance contract or during its term, e.g. when settling an insurance claim or when visiting the website or submitting a contact form or application. We usually receive your personal data via our forms or from your personal documents or other documents that you provide to us or you have already provided us with. If you communicate with us for any reason and contact us with your requests, questions, complaints or claims, we may also receive your personal data from these communications.

  • Personal data provided by another data subject (e.g. the representative of a customer)

The controller may also receive personal data from another data subject, e.g. if the data subject is a minor and the personal data is provided by his/her legal representative (parent) or represented by another person, etc. If personal data is provided by another person, it is necessary and essential that this person ensures that the data subjects have been informed of the controller's statement on the processing of personal data, that only correct and up-to-date personal data has been provided to us and, above all, that this person is authorized to provide the personal data.

  • Personal data obtained from publicly accessible sources

Where permitted, we may obtain some data from public sources. If you disclose data about yourself, we may obtain your personal data from the public source through which the data was disclosed (e.g. foreclosure register, business register, media, internet, social media).

  • Personal data received from third parties or authorities

In certain cases, we also collect personal data of data subjects from third parties or state authorities, offices and other institutions, insofar as this is permitted by law. We may receive personal data from other entities, e.g. from other insurance companies in the context of the prevention and detection of unlawful acts or from healthcare providers who have been authorized by you to provide us with data about your health status, in some cases directly from the insurer if you are the insured person. We may also have received your personal data through the conclusion of an insurance contract that includes the insurance contract to which your personal data relates.

13. Transfer abroad/third countries

The recipients of the data (e.g. other companies or authorities) are not only located in Liechtenstein. This applies to some service providers. They may also be located outside the European Economic Area (EEA) and Liechtenstein, in the USA, i.e. also in other countries around the world. For example, we may transfer data to authorities abroad if we are legally obliged to do so. Not all countries outside Liechtenstein and the EEA have the same level of data protection as Liechtenstein. We therefore compensate for a lower level of protection through appropriate contracts, through so-called standard contractual clauses issued by the European Commission. In certain cases, we can also pass on data without these contracts in compliance with data protection regulations, e.g. if you have consented to certain transfers or if the transfer is necessary for the fulfillment of a contract or to enforce legal claims or overriding public interests. YOUPLUS currently transfers personal data abroad:

  • Switzerland for the transfer of personal data between companies within YOUPLUS Group (the transfer of this data is permitted as Switzerland is a country classified by the European Commission as providing adequate safeguards /2000/518/ES/)
  • the United States of America for the transfer of personal data for the purpose of fulfilling FATCA obligations (Agreement between Liechtenstein and the United States of America on cooperation to facilitate the implementation of FATCA, FATCA Act).Within the YOUPLUS group, personal data may be transferred between individual YOUPLUS branches in the Slovak Republic, the Czech Republic, Germany, and Norway (the transfer of such data within the YOUPLUS group is permissible because all of the countries mentioned have been classified by the EU Commission as countries with adequate safeguards).

YOUPLUS does not currently intend to transfer the data subject's personal data to a third country (outside the EU, EEA) or to an international organization (or to countries that have been classified by the European Commission as not ensuring such a level of protection). If the controller transfers personal data to third countries that do not ensure an adequate level of protection in the future, the controller undertakes to comply with the GDPR and the DPA and to implement appropriate safeguards (such as standard contractual clauses or similar approved mechanisms) that legitimize the transfer of data to third countries outside the EU and the EEA.

14. Profiling / automated individual decision-making

Profiling

YOUPLUS does not currently carry out profiling of its customers, as it only manages insurance contracts and pays out insurance benefits as part of its activities. YOUPLUS carries out profiling rather for statistical analysis and operational planning and uses these procedures to combat money laundering and terrorist financing, to prevent insurance fraud, etc.

Automated decision making

In order to make the controller's services modern, efficient and fast, in some cases the controller uses computer systems instead of its own employees to evaluate some of the data collected from the data subject without human intervention. For example, certain information about the age, occupation, economic activity or state of health of the insured person is automatically evaluated when an insurance policy is taken out. The controller processes this data to assess the insurance risks associated with the concluded contract, to correctly calculate the corresponding premium amount and, if necessary, to propose exclusions from the insurance, without which we cannot assume the insurance risk in the insurance policy (however, YOUPLUS no longer performs activities related to the conclusion of contracts). During the term of the insurance contract, we automatically monitor and assess the information on the premium payment and the amount of arrears or transactions that take place under the insurance contract regarding the risk of money laundering or terrorist financing. Automated processing may also take place as part of internal processes for the prevention and detection of insurance fraud. Automated processing is only carried out if it is necessary for our activities. As we are aware that the results of automated processing may affect your rights and obligations, you have the right to challenge them. In all cases of automated processing, you can express your opinion and ask us to review the automated decision, which will be done manually by a designated employee.

15. Rights of the data subject

Any data subject may at any time assert the rights listed below against the controller in accordance with the GDPR and the DPA. These rights may be exercised:

In writing (letter) or electronically (e-mail), either directly to YOUPLUS or via our data protection officer, as defined in section 4 of this statement. For reasons of prudent processing of personal data, protection of personal data and prevention of misuse of personal data, the data subject is required, when exercising their right, to clearly identify themselves or provide clear proof of their identity (e.g. by a copy of an identity card or passport), unless the data subject can be identified by the controller in another way. Thecontroller has the right to require the data subject to provide proof of identity. Without proper identification, the controller cannot comply with the data subject's request without the risk of misuse of the personal data.

The person concerned has the right

  • to information - to request confirmation of the processing of their personal data and access to the personal data concerning them - to request information on whether personal data concerning them is being processed, for what purpose it is being processed, what personal data concerning them is being processed, information on the recipients and the controller of the personal data, the retention period or the criteria for determining it, information on their rights as a data subject under the DPA and the GDPR;
  • to rectify their personal data or to complete incomplete personal data. The data subject may exercise this right if the controller processes inaccurate and outdated data. The controller is not always able to keep the data up to date (e.g. change of address, change of surname, etc.), but the controller is always prepared to rectify inaccurate data, as this is also in its interest. We are only unable to comply with this right if a legal provision would prohibit the amendment or addition;
  • to the erasure of their personal data or to the restriction of the processing of their personal data. If the accuracy of the processed data is disputed, but the data subject claims that the processing of personal data is unlawful, the processing of personal data may be restricted in certain cases. The right to erase personal data means the erasure of personal data if you believe that personal data is being processed that is not strictly necessary or is not being processed on a legal basis. Even in the case of erasure, there are exceptions on which the controller does not have to comply with this right, e.g. if the erasure of the data proves to be technically impossible or would require a disproportionate effort;
  • The data subject has the right to object to the processing of their personal data for the purposes of the legitimate interests pursued by the controller, including profiling. YOUPLUS shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims. However, we would like to point out that we will continue to process and store your data if we are obliged to do so.

If YOUPLUS processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which is not based on the data subject's consent. This also applies to profiling insofar as it is associated with such direct advertising. If the data subject objects to the YOUPLUS to the processing for direct marketing purposes, YOUPLUS will no longer process the personal data for these purposes, unless the data subject has given his or her prior consent.

  • the right to the portability of personal data. This right can be exercised by the data subject if they request the release of certain personal data or the transfer of this data to another recipient, provided this is technically possible;
  • to withdraw consent given to the processing of personal data, whereby the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. This right can only be exercised if the processing of personal data is based on the data subject's prior consent;
  • that the data subject shall not be subject to a decision based solely on automated processing, including profiling. This right may be exercised by the data subject in cases where the decision of the controller is based solely on automated processing of personal data (processing without human intervention). This right does not automatically imply a change to such a decision. The essence of this right is that the data subject has the possibility to express his or her point of view and to request a review by the controller through human intervention. Following such a review, the decision may remain identical to the one taken by automated processing. However, where such a decision is necessary for entering, or the performance of, a contract between the data subject and a data controller, or is based on the data subject's explicit consent, the right to express his or her point of view and the right to obtain human intervention shall not apply;
  • the right to lodge a complaint with the competent data protection authority - Datenschutzstelle, Kirchstrasse 8, 9490 Vaduz (https://www.datenschutzstelle.li).

16. Use of the controller's website

The website of YOUPLUS collects a series of general data and information when a data subject or automated system calls up the website. This general data and information is stored in the server log files. The following data may be collected: (i) the type and version of browser used, (ii) the operating system used by the accessing system, (iii) the website from which the accessing system accesses our website (the "accessing system"), (iv) the operating system used by the accessing system, (v) the date and time of access to the website, (vi) where applicable, the Internet Protocol address (IP address), (vii) the Internet service provider of the accessing system and (viii) other similar data and information used for security purposes in the event of attacks on our information technology systems.

When using this general data and information, YOUPLUS does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimize the content of our website as well as its advertisement, (3) ensure the long-term viability of our information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. This anonymously collected data is therefore evaluated anonymously by YOUPLUS. The anonymous server log file data is stored separately from all personal data provided by a data subject.

17. Contacting the controller

The controller can be contacted directly or via the Data Protection Officer (points 3 and 4) in relation to the processing of personal data. Your request will usually be processed free of charge and within 30 days. If we are unable to provide the requested information within 30 days, we will inform you of this and at the same time indicate the period within which the information should be provided. Please note that we may refuse, restrict or delay the provision of the requested information if your request is manifestly unfounded or manifestly obstructive, if the interests of third parties override the request or if the provision of the information could jeopardize the controller's investigation or legal proceedings.

18. Final declarations

YOUPLUS' business activities are subject to constant change, which is why this Privacy Policy will be adapted from time to time to comply with legal requirements and the possible specific processing of personal data. In this case, YOUPLUS may amend and update the content of this Privacy Policy and the information on the processing of personal data as required. In this case, YOUPLUS will always publish an updated privacy policy.

At the end of this statement, we would like to draw your attention to the fact that in the event of discrepancies in the translation, the German-language version of the statement, which you will find on our website translated into German, shall always be authoritative.

© YOUPLUS Assurance AG All rights reserved.