The sharing of personal data between Allianz companies is becoming a routine. The term 'personal data' encompasses all information about an individual that any person could use to identify an individual such as employees, intermediaries, clients, potential clients, claimants, shareholders et al. It also includes sound and image data regarding these individuals.

The European Data Protection Directive of 1995 stipulates that transfers of personal data from processors in the European Economic Area (EEA; consists of all countries of the European Union (EU) and those of the European Free Trade Association (EFTA) excluding Switzerland) to recipients situated in countries outside of the EEA (henceforth: third countries) are legal only if both of the two following conditions are met:

1. A legal basis exists for the transfer of the relevant data of each person in question, e.g. a local government regulation about usage or sharing of data. This basis has to be ascertained prior to each transfer or category of transfers, if necessary with the assistance of Corporate Privacy of Allianz Versicherungs-AG, Munich.

2. From an European point of view, the non-EU country ensures an adequate level of protection of personal data.

This circular is published in order to make Allianz a single safe harbor for personal data. The circular will become effect as of January 1, 2004. The Allianz Group internal Transfer of Personal Information Directive (TOPID) outlined in Annex 1, covers the transfer of all personal data from an Allianz OE situated in a member state of the EEA to a recipient outside of EEA no matter whether the Allianz OE or a third party receive or may subsequently process the data. For a listing of countries in the EU and the EFTA please refer to the FAQ in the Annex 2 [not published].

The wording of the TOPID has been developed by the German Insurance Association in co-operation with Allianz and other large insurers and has been approved by the competent council of German data protection supervisory authorities. Via the European Commission it also has been consulted with national supervisory authorities of other EU member states.

In order to guarantee achieving the required data protection standard, implementing the Allianz Group Information Security Program locally as well as promoting the Allianz Group Privacy Network (GPN) are indispensable elements.

Interpretation aspects of the TOPID are spelled out for application development, maintenance and auditing purposes in the applicable version of the TOPID FAQ and has been published on the Corporate Privacy homepage on the Group Intranet (GIN; Services > Security > CP (Corporate Privacy)). The FAQ has been agreed upon by the members of the GPN who actually represent over 100 OEs as well as by Group Auditing. The current version of the FAQ is version 0.

Corporate Privacy will administer a register of every international transfer process of personal data within the scope of this circular. Notify both your local representative of Group Privacy Network and Corporate Privacy of any (a) existing or (b) planned IT application in the scope of this circular.

In order to keep this register up-to-date please notify Corporate Privacy (at least) annually at the end of the year if the process remains unchanged or otherwise about any changes.

Compliance with the TOPID will be audited by the responsible audit departments according to their audit plans.

Please address enquiries about this circular to your local corporate privacy representative or to Corporate Privacy of Allianz Versicherungs-AG, Munich (privacy@allianz.com).

(Dr. G. Rupprecht) (Dr. R. Hagemann)