Get a quote
Contact us

Data processing / privacy notice​

CannGen Insurance Europe S.R.L. (“CGEU”) is part of the CannGen Insurance Services Group (“CannGen Group”) and aims to ensure the confidentiality and secrecy of personal data processed by the company in connection with the services provided to its clients. CGEU operates as a Managing General Underwriter (MGU). CGEU’s services primarily include underwriting and insurance brokerage services that facilitate the consideration of, access to, administration of and claiming of insurance
benefits.

1. The name and contact details of the controller and the data protection officer of the company.

This privacy notice applies to data processing by the data controller:

CannGen Insurance Europe S.R.L.
Aramis Building,
Leonardo Da Vincilaan 1
1930 Zaventem
Belgium
E-mail it@canngenins.com

The company data protection officer is Mr. Nick Morris, who can be contacted at the above address, or at nmorris@canngenins.com.
The person responsible is also referred to below as “CGEU”.

2. Collection and storage of personal data as well as the type and purpose of such data and their use.

When you request our services, we ask you for accurate and necessary information that will enable us to respond to your request. If you provide us with personal data, we will use that data for the purposes for which it was provided to us, as stated at the time of collection or obvious from the context of collection, for example to provide an insurance quote.

When we provide the above services to our customers, we may collect personal data such as:

  • Personal master data and communication data
    Name, address, proof of address, contact details (including emails and telephone numbers),
    gender, marital status, date and place of birth, nationality, employer, job title, employment
    history and family details (including their relationship to you), relationship to policyholder,
    insured, beneficiary or claimant.
  • Identification data
    Identification numbers issued by authorities or government agencies (e.g. national insurance
    number, passport number, tax identification number, driving licence number – depending on
    your country of residence).
  • Financial data
    Card number (debit card, credit card, etc.) and bank details, income and other financial data or
    transaction histories.
  • Insured risk
    Information on the insured risk which may contain personal data, provided that this is relevant
    to the risk to be insured
  • Policy data
    Information about the insurance offers and policies that are created.
  • Technical information,
    including the IP address of your computer.
  • Credit and anti-fraud data
    including credit history, credit score, sanctions and offences, as well as information from various anti-fraud databases relating to you.
  • Special categories of personal data,
    which enjoy additional protection under the European General Data Protection Regulation, including health data, criminal convictions, origin, political opinions, religious or similar beliefs, trade union membership, genetic data, biometric data or data concerning sex life or sexual orientation.
  • Previous insurance cases/claims
    (only with your express consent) Information about previous insured events/claims, which may include health data and other special categories of personal data (as described above under the definition for “Insured Risk”)
  • Current insurance cases/claims
    Information on current insurance cases/claims, which may include health data and data on criminal records (as described above).
  • Marketing data
    Information on whether you have consented to receive marketing communications from CGEU and/or selected third parties.

In the event that you (also) provide us with personal data of third parties (for example, employees or family members), please note that you must obtain the consent of these persons beforehand.

We receive personal data from various sources and third parties. For example, we receive data from employees of our business customers to the extent necessary to provide them with the protection of an insurance policy arranged by us.

Other sources of personal data may include:

  • You yourself
  • Your family members, your employer or your agent/representative (including your broker)
  • Our representatives,
  • Insurer, insurance broker or reinsurer
  • Credit institutions
  • Websites or software applications for use on computers or mobile devices and/or social media content, tools and applications
  • Anti-fraud databases, sanctions lists, court judgments and other databases
  • Authorities
  • Any open electoral roll

The collection of this data takes place,

  • to be able to identify you as our customer or as an intermediary;
  • to perform underwriting and insurance mediation services. This also includes carrying out activities as an agency under powers of attorney granted, such as underwriting, quoting and underwriting. This may affect you even if you are neither a client nor a customer of our client.
  • to manage the relationship with our clients and business partners: we process the personal data of our clients/business partners to carry out “Know Your Client” checks and screenings prior to the start of a new business or client relationship, to obtain other necessary information, to communicate with our clients/business partners, to provide services, including (premium) billing and administration, and to handle client complaints, including assistance in the enforcement of insurance claims..;
  • to enable physical mailing via a digital interface, allowing automated scanning of incoming mail and printing of outgoing mail…;
  • for direct advertising, sending publications or press releases;
  • for other contact and customer care
  • for internal budget planning and reporting;
  • to comply with our legal obligations of any kind, including compliance;
  • for data protection and security purposes.

We may also use your personal data for other purposes if you have consented or the processing is compatible with the previous purpose.
The data processing is necessary according to Art. 6 para. 1 p. 1 lit. b GDPR for the aforementioned purposes for the appropriate mutual fulfilment of contractual obligations, according to Art. 6 para. 1 p. 1 lit. c GDPR for the fulfilment of a legal obligation to which the controller is subject and/or according to Art. 6 para. 1 p. 1 lit. f GDPR for the protection of the legitimate interests of the controller or a third party.

In order to facilitate the provision of insurance cover and the processing of insurance claims, CGEU relies on the data subject’s consent to the processing of special categories of personal data as set out in the enumeration above, pursuant to Art. 6 para 1 p. 1 lit. a GDPR.

The data subject’s consent to the processing of special categories of personal data is a necessary condition for CGEU to provide the services requested by the customer.
If data about another person is provided to CGEU, you agree to inform that third party about our use of their personal data and to obtain their consent for us.

You can withdraw your consent to this processing at any time. However, as a result, CGEU will no longer be able to provide the services to you. In addition, if you withdraw your consent to the processing of special categories of personal data by an insurer or reinsurer, the continuation of
insurance cover may no longer be possible.

3. Disclosure of data to third parties.

We will only share your personal data with service providers, business partners and other third parties in accordance with applicable data protection laws.

We do not rent, sell or otherwise disclose personal information to unaffiliated third parties for their own marketing purposes. We do not share personal data with third parties except as described below.

Within the CannGen group
We may share personal data with other affiliates and business units of the CannGen Group in order to provide services to you, including the processing described in the section above entitled “Collection and storage of personal data and the nature, purpose and use thereof”.

Business partner
We disclose personal data to business partners who provide us with certain specific services or work with us on a project. These business partners operate as separate data controllers and are independently responsible for compliance with data protection laws. For more information about their practices, please see the privacy statements of these business partners.

Examples of this are:

Insurers, reinsurers and other insurance intermediaries, insurance reference bureaus, service providers for conducting sanction and compliance checks as well as underwriting.

Authorised service providers
We may share your information with service providers that we contract (as processors) to provide services. These service providers are subject to contractual restrictions, i.e. the data may only be used and disclosed for the performance of the services we have contracted them to perform or to comply with legal requirements. These activities may include processing activities carried out by us as described in the above section “Collection and storage of personal data and the nature, purpose and use thereof”. In doing so, we observe the strict German and European data protection regulations.

If we transfer personal data to service providers outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission as having an adequate level of data protection or if other adequate data protection guarantees (e.g. binding internal company data protection regulations or EU standard contractual clauses) are in place. Detailed information on this and on the level of data protection at our service providers in third countries can be obtained directly from us, if required. You can also request the information using the contact information above.

Our IT service providers are based in the following countries: Germany, USA, Philippines. These service providers are subject to strict contractual restrictions with regard to the processing of personal data. Accordingly, processing is only permitted to the extent necessary to perform the services on our behalf or to comply with legal requirements.

The aforementioned service providers ensure adequate protection of your data, and their activities are limited to the purposes for which your data was made available to them.

Legal obligations and business transfers
We may disclose personal data to a third party,

  • if this is required by law, in the course of legal proceedings, by a legal norm, professional. standards or a subpoena, search warrant or other legal request;
  • on the instructions of a prison authority or other governmental authority;
  • if we believe that disclosure is necessary and appropriate to prevent physical harm or financial loss;
  • in connection with the investigation of suspected or actual illegal activities;
  • if you have consented; or
  • in the event of a merger or acquisition vis-à-vis the new owner of the company.

Disclosure may also be required in the case of audits or to investigate a complaint or security threat.

4. Duration of the data storage

We will delete your personal data as soon as it is no longer required for the above purposes. In the process, personal data may be retained for the time during which claims are asserted against our company. In addition, we store your personal data insofar as we are legally obliged to do so.

5. Data subject rights

You have the right:

  • to revoke your consent at any time in accordance with Art. 7 (3) GDPR. This has the consequence that we may no longer continue the data processing based on this consent for the future;
  • to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed,
    the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
  • to demand the correction of incorrect or incomplete personal data stored by us without delay in accordance with Art. 16 GDPR;
  • pursuant to Art. 17 GDPR to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise
    or defence of legal claims;
  • to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defence of legal claims or you have objected to the processing in accordance with Art. 21 GDPR;
  • in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller; and
  • to complain to a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office.

6. Right of objection

Insofar as your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) p. 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, insofar as there are grounds for doing so that arise from your particular situation.

If you wish to exercise your right of objection, simply send an e-mail to nmorris@canngenins.com

7. Amendments to this declaration
We may update this Privacy Policy from time to time. We will also notify you separately on our website or our contractors, as necessary, of any changes that materially affect it. We also encourage you to periodically review this Privacy Policy so that you are aware of our privacy practices.

This Privacy Policy was last updated on 4 August 2025.