Data protection policy

We are delighted that you have visited our website and would like to thank you for your interest in Erwin Himmelseher Assekuranz-Vermittlung GmbH & Co. KG and our services.

For us, data protection is not only a statutory duty but is also an important part of our information security policy.

In the following we provide detailed information on which personal data (referred to briefly in the following as “data”) are collected and processed when you visit our website. Furthermore, we advise you of which type of data we collect about our clients, process and protect.

When using specific terms such as “controller“ or “processing“ etc., we refer to the definitions in the GDPR (e.g.  Article 4).

Please address any questions or remarks you may have to our external data protection officer:
Oliver Thehos
Tel: +49 (0) 231 53221200
Email: hisv[at]

Responsible body/service provider

The responsible body within the meaning of the Federal Data Protection Act (BDSG) and at the same time service provider within the meaning of the Telemedia Act (TMG) is Erwin Himmelseher Assekuranz-Vermittlung GmbH & Co. KG; see our Legal notice here.

Erwin Himmelseher Assekuranz-Vermittlung GmbH & Co. KG
Theodor-Heuss-Ring 23
D-50668 Cologne
Tel: +49 (0)221 12 50 02 -0
Email: hisv[at]

Updating of the data protection measures 

We would ask you to consult our current data protection policy on a regular basis. We regularly adjust the data protection policy to the legal requirements and our services. The current data protection policy always applies when you visit our website again.

We usually only notify our clients about changes in processing or legislation if this requires you to take action (e.g. consent) or if there is a direct duty to inform.

Collection and use of your data on our website

The scope and type of collection and use of your data is determined by whether you visit our website only to obtain information or to complete the contact questionnaire.

Hosting of the web server

The hosting service used serves the technical provision of infrastructure services, database applications, computing and storage capacity as a basis for our website.

On the basis of our legitimate interest (Article 6 GDPR), we store data and time as well as the IP address of the visitor on this web server. These data are anonymised and kept for access statistics for our website. The logfiles on the access are deleted after 7 days. We keep them this long to protect against manipulation, hacking etc.

Informational use

It is not basically necessary to provide personal data for the only informational use of our website.
We or our hosting partner temporarily store only those data which your internet browser sends us automatically:

  • Date and time of visiting one of our web pages
  • Your IP address

For security reasons, we store the IP address in an anonymised form for a period of 7 days. We do not conduct a person-related analysis.

Use of our contact form 

We view a contact from you as your voluntary consent to the processing of your data to process your questions.

If you wish to use the contact form we offer, it is necessary to provide some data. These are data which are required for the handling of the contact and are marked with an asterisk.

Any other information is optional and primarily serves a courteous and individual address.

The information you provide will be stored for the purpose of processing your inquiry and for any possible follow-up questions. Personal data are deleted automatically after completion of the inquiry you have made.

SSL encryption

We use current state-of-the-art encryption procedures (e.g. SSL) via HTTPS to protect the security of your data during transmission.

Use of cookies

We use cookies on our website. Cookies are small text files which are sent from our web server to your browser and kept by it whenever you visit our website.

We only use session cookies (also referred to as temporary cookies), which are stored exclusively for the duration of their use on one of our web pages. The purpose of these cookies is to continue to identify your computer during your visit to our website when you move from one page to another and to determine the end of the visit.

The cookies are deleted as soon as you end your browser session.

Contact form

Contacting our company

If you contact us with questions of any kind by email or using the contact form, you give us your voluntary consent for the purpose of getting in contact. It is necessary to state a valid email address here. It serves to assign your inquiry and then answer it. Providing further data is optional. The information you provide will be stored to process the inquiry and for possible follow-up questions. Personal data are automatically deleted once your inquiry has been completed.

Further declaration on data protection regarding broker services 

Erwin Himmelseher Assekuranz-Vermittlung GmbH & Co. KG processes the data of clients and potential clients (referred to in the following as “clients“) to provide the desired contractual or pre-contractual service to them (in accordance with Article 6 GDPR).

The data processed here as well as the scope, type and purpose of processing depend on the services to be provided and may vary.

This usually includes so-called master data (or inventory data) of clients, contact data, contractual data and payment data.

In some cases, information on circumstances or properties of individuals or objects belonging to them are processed if they are part of the contract. This may include details on circumstances of life, movable or immovable goods.

In the event of processing data which are particularly worthy of protection, such as health data, the explicit consent from the data subject will be obtained. (Article 6, Article 7, Article 9 GDPR).

Where necessary to perform a contract or to satisfy statutory requirements, we transmit data regarding cover issues and contract handling to the providers of brokered services, usually insurance companies.

To satisfy our obligation towards our clients we transparently exchange data with the following institutions depending on contract and after obtaining the consent of the data subject, legal foundation or regulation:

  • Insurer or reinsurer
  • Underwriting agencies and underwriting establishments
  • Other insurance brokers
  • Technical service providers
  • Credit institutions
  • Investment companies
  • Social insurance institutions
  • Health insurance companies
  • Tax advisors and accountants
  • Tax authorities
  • Legal advisors
  • Insurance ombudsmen
  • Federal Financial Supervisory Authority

Subcontractors may also be engaged (e.g. sub-intermediaries).

We obtain consent from our clients if this is necessary for disclosure/transmission. This may be the case, for example, for special categories of data under Art. 9 GDPR. At all events, notification is given on the passing-on of data and the associated purpose.

Data are deleted after expiry of statutory guarantee and comparable duties, whereby the necessity to store data is checked every three years. The statutory storage duties otherwise apply.

We also store data on suppliers and other business partners, e.g. for later contacting, on the basis of our commercial interests. We store these mainly business-related data permanently.

In contacts with us (e.g. by contact form, email, telephone) the information of the user is processed to handle the contact inquiry. The details of the user can be stored in a customer relationship management system (“CRM system”) or comparable information system.

We delete inquiries when they are no longer necessary. We regularly check the necessity of storage and deletion of personal data. The statutory archiving duties furthermore apply.

Examples of categories of processed data of end clients 

  • Inventory data (e.g. name, address, date of birth)
  • Contact data (e.g. email address, telephone numbers)
  • Content data (e.g. text entries, emails)
  • Use data (e.g. access times)
  • Meta/communication data (e.g. IP addresses)
  • Financial data: (e.g. bank details)
  • Health data (e.g. appraisals, medical reports, self-information)
  • Contract data (e.g. subject matter of contract, term, client category)

Purpose of processing 

We process your data only for the purposes set out in the data protection policy and only if:

  • You have given your explicit consent;
  • The processing is necessary to handle a contract with you;
  • The processing is necessary to satisfy a legal duty.

Here are a few examples of processing personal data:

  • Security measures (e.g. IP address, access time on web server, back-ups)
  • To answer inquiries and communication with our clients (e.g. address)
  • Statutory provisions (e.g. archiving of business matters, emails)
  • Provision of our contractual services as part of our core activities as insurance broker (risk identification and assessment, monitoring of insurance contracts, claims management etc.)

Prime legal foundations for processing 

The following applies where no specific legal foundations are specified:

  • Article 6 (1) and Article 7 GDPR (conditions for consent)
  • Article 6 (1) GDPR (lawfulness of processing / safeguarding of legitimate interest)

If processing or passing-on is necessary to protect life and limb of a data subject, we refer here also to the legal foundation of the GDPR, Article 6 (1).

Exchange of data with third parties and contract processors 

Where we transmit or grant access to personal data to selected partners and contract processors as part of our activities this is based on statutory provisions or on the permission obtained.

Information is only exchanged with partners (e.g. insurance companies) to satisfy our obligations to our clients (e.g. contractual drafting, claims management) after consent has been obtained.

The engagement of contract processors is based on Article 28 GDPR.

Our selected partners, contract processors and service providers are regularly informed about our data protection and information security policy. Furthermore, we check the level of data protection and information security of our partners, contract processors and service providers. Collaboration is ended if we determine non-compliance.

Transmission of personal data 

Subject to statutory or contractual permission, we only have personal data processed in a third country if the special conditions pursuant to Art. 44 GDPR are satisfied. An exception would only be made for processing or disclosure of personal data in a third country in the event of satisfying contractual (or pre-contractual) duties based on your consent.

Data subject rights 

You may exercise your rights as follows to our data protection officer:

  • Information on your data stored by us and their processing (Article 15 GDPR)
  • Rectification of inaccurate personal data or completion of the same (Article 16 GDPR)
  • Erasure of data stored by us (Article 17 GDPR)
  • Restriction of data processing where we may not yet erase your data by virtue of the law (Article 17 GDPR)
  • Objection to the processing of your data by us
  • Portability of your data where they have not already been erased by law (Article 20 GDPR)

You may lodge a complaint at any time with the supervisory authority responsible for you (Article 77 GDPR).

The domicile of the supervisory authority is determined by the federal state of your residence, your work or the alleged infringement of your rights as data subject.

A list of the supervisory authorities for the non-public area with address is available at:

The supervisory authority in Nordrhein-Westfalen:

Landesbeauftragte für Datenschutz und Informationsfreiheit
Postfach 20 04 44
40102 Düsseldorf

Tel.: 0211/38424-0
Fax: 0211/38424-10

Right to withdraw

Any consent granted to us on the processing of your data may be withdrawn in whole or in part for the future (Article 7 GDPR).

Right to object

You have the right to object to the future processing of your personal data (Article 21 GDPR).

Erasure of data 

We are guided by the principles of data avoidance and data economy. We store and process your personal data only for as long as this is necessary to achieve the stated purposes or if storage periods are required by law.

After expiry of the statutory periods for the storage, the elimination of the processing purpose or your withdrawal of consent to use, personal data are usually blocked or deleted in accordance with the statutory requirements (Article 17 & 18 GDPR).

Data security

We use different technical and organisational security measures to protect any personal data which has arisen or has been collected, particularly against incidental or deliberate manipulation, loss, destruction or against the attack of unauthorised persons. Our security measures are constantly improved in accordance with technological development. Further information may be obtained from our Information Security Guideline.

Data protection during an application procedure 

We process an applicant’s data only in compliance with the statutory requirements. An applicant’s data are processed to satisfy our (pre-) contractual obligations within the application procedure within the meaning of Article 6 GDPR where data processing becomes necessary for us (in Germany, Section 26 BDSG also applies).

The application procedure is conducted on the condition of us receiving an applicant’s data. The requisite applicant’s data otherwise arise from the job descriptions. In principle, they include details on person, postal and contact addresses and the application documents such as cover letter, curriculum vitae and references. Applicants may also send us additional information voluntarily.

On sending the application to us, the applicants declare their agreement to the processing of their data for the purposes of the application procedure in accordance with the type and extent set out in this data protection policy.

Where categories of personal data which are particularly worthy of protection are communicated in the application procedure, they are processed additionally in accordance with Art. 9 (2) GDPR (e.g. health data, such as any serious disability or ethnic origin).

Where special categories of personal data of applicants are requested in the application procedure within the meaning of Art. 9 (1) GDPR, they are processed additionally in accordance with Art. 9 (2) GDPR (e.g. health data, if they are necessary for work).

Where applications are sent to us by email, we would like to point out that emails are usually sent without encryption and the applicants themselves are responsible for encryption. We therefore recommend that any such applications are sent by post.

The data provided by the applicants can be further processed by us for the purpose of an employment relationship in the case of a successful application. Otherwise, if the application for a job vacancy is not successful, the applicant’s data are deleted. The applicant’s data are similarly deleted if an application is withdrawn, which the applicant are entitled to do at any time.

The data are deleted after expiry of a period of six months so that any follow-up questions on the application can be answered and our duties to provide evidence based on the Equal Treatment Act satisfied.