CIGNA INTERNATIONAL HEALTH SERVICES DATA PROTECTION NOTICE
As a provider of quality healthcare around the world, our customers and clients expect us to carefully handle and protect the Personal Information (as defined below) they share with us.
You are receiving this Data Protection Notice either because your employer has signed an agreement with us, as an insurance intermediary and/or claims administrator, to provide you, directly or through our partners, with international health insurance cover and other additional covers and services as it may apply (referred to in this Data Protection Notice as the “Services”), or you otherwise benefit from our Services (for example, as a dependant).
In order to provide our Services to you, we will collect and use your Personal Information. This Data Protection Notice explains how and why we do this, and outlines your rights in relation to your Personal Information.
Your Personal Information may be collected by the following entity:
- Cigna International Health Services BV, with corporate address in Belgium at Plantin en Moretuslei 299, 2140 Antwerp, with enterprise number 0414.783.183 (Register of Legal Entities Antwerp), and subject to the supervision of the Financial Services and Markets Authority in the field of consumer protection.
This company will be the data controller of the Personal Information collected to provide the Services to you.
“Personal Information” is the information that identifies and relates to you, or to other individuals which also benefit from our Services, such as your dependants. Your Personal Information may be provided to us by yourself or by a third party entitled to provide us with such information (e.g. your health care providers, your employer, etc.).
Due to the nature of the Services you are entitled to, your Personal Information may contain sensitive data including, but not necessarily limited to, your medical condition and health status.
THE TYPES OF PERSONAL INFORMATION WE COLLECT
The Personal Information we collect includes:
- General information such as your name, address, contact details, date of birth, gender, relationship to the policyholder (where you are not the policyholder);
- Identification information such as your national identification number, passport number or driving license number;
- Information linked to the provision of the Services (for example, to review and pay your claims; to issue guarantee of payment/s when applicable);
- Information about your job including job title or any other that may be strictly required to provide the Services to you, provided that there is a connection between the access to the Services and your job or job title;
- Information relating to previous policies or claims;
- Financial information such as your bank or payment details;
- Telephone recordings and other logs of your correspondence with us; and
- Sensitive data including details of your current and past physical and/or mental health.
We collect the Personal Information outlined above from a number of different sources, including from:
- You directly, or from someone else on your behalf (such as a family member that you have formally authorised to do so);
- Healthcare providers and other medical providers, and other third parties that are required to provide the Services to you (for example loss adjusters, claims handlers, experts (including medical experts);
- Other third parties involved in the provision of the Services or linked to that provision such as a broker or another insurer, claimants, defendants;
- Your employer (as it may be applicable);
- Medical reports and counsel opinions;
- Emergency assistance;
- Other companies within the Cigna corporate group as may be appropriate to provide the Services to you; and
- Insurance industry fraud prevention and detection databases and sanctions screening tools.
As we are required to collect your Personal Information as a consequence of a contractual agreement with the employer, failure to provide this information may prevent or delay the fulfilment of these obligations. For example, if you do not provide certain Personal Information, we will not be able to provide you with the Services.
PURPOSE AND USE OF PERSONAL INFORMATION
Your Personal Information is collected in order to provide the Services, administer your plan and, in general, conduct insurance business in line with the Services you are entitled to.
We use your Personal Information to:
- Provide insurance and assistance services including, for example, claim assessment, processing and settlement; and, where applicable, handle claim disputes;
- Communicate with you and others, including the employer, as part of our Services;
- Send you important information regarding changes to our policies, other terms and conditions and other administrative information;
- Make non-automated decisions about whether to provide the Services to you;
- Provide improved quality, training and security (e.g. with respect to recorded or monitored phone calls to our contact numbers);
- Continuously improve and test the quality of our Services (for example, conducting satisfaction surveys, research and analysis related to the Services);
- Protect our business against fraud. This includes searching claims or fraud registers when dealing with insurance requests or claims in order to detect, prevent and investigate fraud;
- Manage our infrastructure and business operations, and comply with internal policies and procedures, including those relating to auditing; finance and accounting; billing and collections; IT systems; business continuity; and records, document and print management;
- Resolve complaints and handle requests;
- Comply with applicable laws and regulatory obligations, including those relating to anti-money laundering and anti-terrorism; and respond to requests from public and governmental authorities and litigation; and
- Establish and defend legal rights; protect our operations or those of any of our group companies or insurance business partners; safeguard our rights, privacy, safety or property, and/or that of our group companies, you or others; and pursue available remedies or limit our damages.
As outlined above, we may use your Personal Information for a number of different purposes that are always connected with the Services we provide. Consequently, we will rely on the following legal grounds to use your Personal Information:
- The use of your Personal Information is necessary for the performance of a contract to which you are a party;
- We have a legal or regulatory obligation to use your Personal Information. For example, we will rely on this ground to comply with anti-money laundering and anti-terrorism obligations; and
- We have a legitimate interest in using your Personal Information. We may rely on this legal ground for the purpose of providing improved quality, training and managing our infrastructure and operations. When collecting and processing your Personal Information under this ground we put in place robust safeguards to ensure that your privacy is protected and that our legitimate interests are not overridden by your interests or fundamental rights and freedoms.
Due to the nature of the Services you are entitled to, we may process sensitive data connected with the provision of such Services. In general, your consent is not required since we are permitted by applicable law to process such information as a healthcare insurance company. However we may collect your consent in specific situations where either the nature of the data to be disclosed and/or the requirements on the jurisdiction where you are on assignment or other applicable laws and regulations may require that consent.
DISCLOSURE OF YOUR PERSONAL INFORMATION
If necessary for providing you with the Services you are entitled to, or for any of the purposes described in this Data Protection Notice, we may disclose your Personal Information with other parties. Disclosing your Personal Information means that we will provide your Personal Information to and/or that your Personal Information will be accessed by:
- Cigna group companies. Access to Personal Information within Cigna is restricted to those individuals and entities who have a requirement to access the information for the purposes described in this Data Protection Notice;
- Other insurance and distribution parties, such as other insurers; reinsurers; brokers and other intermediaries and agents and appointed representatives;
- Healthcare providers and travel and medical assistance providers;
- External third-party service providers, such as IT systems, support and hosting service providers; document and records management providers; translators; and similar third-party vendors and outsourced service providers that assist us in carrying out business activities;
- External professional advisors and partners such as medical professionals, accountants, actuaries, auditors, experts, consultants, lawyers; banks and financial institutions that service our accounts; claim investigators, adjusters and others;
- Investigative firms we brief to look into claims on our behalf in relation to suspected fraud;
- Our regulators and other governmental or public authorities where necessary to comply with a legal or regulatory obligation;
- The police and other third parties or law enforcement agencies, court, regulator, government authority or other similar third parties where necessary for the prevention or detection of crime or to comply with a legal or regulatory obligation; or otherwise to protect our rights or the rights of a third party;
- Debt collection & Subrogation agencies;
- Selected third parties in connection with any sale, transfer or disposal of our business;
- Other third parties, such as emergency providers (fire, police and medical emergency services) and travel carriers;
- Your employer or a company acting on your employer’s behalf to monitor, audit or otherwise administer the Services and fulfil contractual obligations in relation to the Services. Consequently, the Personal Information that may be shared will be the minimum necessary to perform the Services you are entitled to. Under no circumstances will Cigna provide any sensitive information (i.e. medical information related to you) to the employer without asking for previous express consent from you;
- In addition to the above, we may need to share limited Personal Information with the employer in case of an emergency medical evacuation or repatriation (“Emergency”) to ensure that your health and safety and the best outcome for you, in case of an Emergency when outside your home country, is achieved. Please be aware that during an Emergency we will try to prevent the immediate and significant effects of illness, injury or conditions which if left untreated would result in a significant deterioration of health and represent a threat to your life. During the complexity of those situations the interaction with your employer may be required to provide additional assistance to try to ensure the best possible outcome during an evacuation and/or assess whether to provide other assistance to you out-with the Cigna plan. The Personal Information that may be shared will be the minimum necessary to conduct the evacuation or repatriation in line with the Services you are entitled to. The information that will be shared may be: date of evacuation or repatriation; location where the patient will be evacuated or repatriated from or to; medical conditions which has resulted in the need for the evacuation or repatriation and the medical necessities of the patient during the Emergency. Once you are safely medically repatriated or evacuated that sharing of information will cease immediately; and
- Registers of claims which are shared with other insurers in order to check information to detect and prevent fraudulent claims. The Personal Information put on these registers may include details of injuries.
For any of the categories of the recipients listed above, it should be noted that some of them may be located in the European Economic Area, while others can process and access your Personal Information from outside the European Economic Area, as described in the following section of the Data Protection Notice.
INTERNATIONAL TRANSFER OF PERSONAL INFORMATION OUTSIDE THE EUROPEAN ECONOMIC AREA
Due to the global nature of the Services you are entitled to and the need to provide the employer with compliance solutions to meet its needs and ensure that you have access to the Services in the location of your assignment, your Personal Information can be shared with and/or accessed by parties located in other countries outside the European Economic Area that have a different data protection regime than the one found in the country where the employer, signing the contract with us, is located. The countries to which we may transfer your Personal Information may not be regarded by the European Commission as ensuring an adequate level of protection for Personal Information (for instance, the United States).
In any case, where we transfer your Personal Information to any of these countries, we will conduct the transfer in accordance with applicable data protection law. This may include ensuring that appropriate safeguards, such as contractual obligations, are put in place with respect to the protection of your Personal Information and your fundamental rights and freedoms, and your rights in relation to your Personal Information.
If you would like further information regarding the steps we take to safeguard your Personal Information, or to obtain a copy of the safeguards we put in place to protect it when it is transferred, please contact us using the details in the “Contact Us” section below.
Depending on the country of your assignment or location and the compliance requirements that may apply there you may receive additional privacy notices from us or from our partners.
RETAINING YOUR PERSONAL INFORMATION
We ensure that proper procedures are in place to manage your Personal Information and to remove and/or archive it when necessary.
In general terms, we only retain your Personal Information for as long as is necessary to:
- Provide you with the Services;
- Fulfil the purposes outlined in this Data Protection Notice; and
- Comply with our legal obligations and/or protect our rights.
When your employer instructs us to terminate your access to the Services, we will protect your Personal information and will delete it once our retention period to comply with our legal or regulatory obligations and/or protects our rights has lapsed. Our default retention period is 10 years. However, depending on the jurisdiction that governs our contract and the type of information involved, our retention period may vary.
If you would like further information regarding the periods for which your Personal Information will be stored, please contact us using the details in the “Contact Us” section below.
Under data protection law you have certain rights in relation to the Personal Information that we hold about you. You may exercise, as may be applicable, these rights at any time by contacting us using the details set out in the “Contact Us” section below.
Your rights include:
- The right to access your Personal Information
You are entitled to a copy of the Personal Information we hold about you and certain details about how we use it. There will not usually be a charge for dealing with these requests.
Your information will usually be provided to you in writing, unless otherwise requested, or where you have made the request by electronic means, in which case the information will be provided to you by electronic means where possible.
- The right to rectification
We take reasonable steps to ensure that the Personal Information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.
- The right to erasure
In certain circumstances, you have the right to ask us to erase your Personal Information. Please note that in some circumstances exercise of this right will mean we are unable to continue providing you with the Services as outlined above.
- The right to object to, and/or to request restriction of processing
In certain circumstances, you are entitled to object to our processing of your Personal Information, or ask us to stop using your Personal Information. Please note that in some circumstances exercise of these rights will mean we are unable to continue providing you with the Services.
- The right to data portability
In certain circumstances, you have the right to ask that we provide your Personal Information to you in a commonly used electronic format, and to transfer any Personal Information that you have provided to us to another third party of your choice.
- The right to object to marketing
However, we don’t use your data for marketing purposes.
- The right not to be subject to automated decision-making (including profiling)
You have a right in some circumstances to not be subject to a decision based solely on automated means, but we do not base our decisions only on automated means.
- The right to withdraw consent
As explained previously, we collect and process your Personal Information (including sensitive data) to provide the Services under different grounds, so that is why we do not ask for your consent.
- The right to lodge a complaint with a data protection authority
You have a right to complain to your local data protection authority if you believe that any use of your Personal Information by us is in breach of applicable data protection laws and regulations.
Making a complaint will not affect any other legal rights or remedies that you have.
GOOGLE MAPS/GOOGLE EARTH
We will take appropriate technical, physical, legal and organizational measures, which are consistent with applicable data protection laws to protect your Personal Information.
CHANGES TO THIS DATA PROTECTION NOTICE
We may update this Data Protection Notice from time to time to ensure that it remains accurate. Please check back each time that you provide additional Personal Information to us. Where changes to the Notice will have a fundamental impact on the nature of our processing of your Personal Information, or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise your rights in relation to your Personal Information.
This Data Protection Notice was last updated May 2018 to comply with the European General Data Protection Regulation effective as of May 25th 2018.
Data Protection Officer / Cigna International Health Services
Plantin en Moretuslei 299