GDPR – UNIQA Data Privacy Policy

Our approach to personal information

It is important to us at UNIQA to inform you, our customers, how your personal data is used and processed. Please take some time to read the following important points. In order to provide our health insurance related services, a company such as ours needs to receive the necessary data, store it, and undertake checks on it.

For example, we need to collect the financial data of our customers in order to make the transactions related to reimbursement.

We receive the data that we use either directly from our customers or from intermediaries such as their employers. Our customers are the main member or lead insured, as well as his or her spouse and the other members of his or her family (the children) who are included in the insurance contract.

If you have questions concerning personal data protection, please contact our data protection office at any time.

Contact details concerning your personal data:

UNIQA Globalcare SA

Avenue de la Praille 26

CH – 1227 Carouge

Tel: +41.22.718.63.00

E-mail: contact@uniqa.ch

UNIQA Austria remains our GDPR representative within the EU:

UNIQA Insurance Group AG

Untere Donaustraße 21

1029 Vienna, Austria

Tel: +43.50.677

E-mail: info@uniqa.at

Your personal data

Personal data is information which relates to an identified person or which allows a natural person to be identified (directly or indirectly). In our case, as a health insurance company, this includes:

  • Identification information (first name, last name, nationality…)
  • Directory information (telephone number, addresses, email…)
  • Financial information (IBAN, bank information)
  • Professional information (position, address, matricule number…)
  • Health information (medical certificate, medical form, medical invoices…)

We put a specific emphasis on the security and the appropriateness of the way we store and process your personal data, taking the European Union’s General Data Protection Regulation as our standard. Our IT environment is regularly audited with regard to access authorizations, security measures, continuity and change management.

The reason why we use personal data

We collect and process your personal data in order to either affiliate you and provide you with our health insurance services, or to perform the business analysis necessary to run our company and improve our services to our customers.

More specifically, we:

  • Set up insurance contracts with our customers
  • Refund our customers for the treatments that are included in their contracts
  • Refund the healthcare providers for the treatments that are included in the contract
  • Perform actuarial and statistical analyses necessary for managing the business.

For instance, we are provided with the details of a hospitalisation or illness of our customers in order to:

  • check whether the case relates to the health insurance we provide
  • and, if so, pay the corresponding bill to the person involved.

The legal ground under which we process personal data

Our personal data processing operations are lawful and fair.

In compliance with article 6 [1.a] of the General Data Protection Regulation, the processing of our customers’ personal data is necessary either to perform our contractual obligations with them or to take steps, at their request, to enter into a health insurance contract. We process some personal data other than health data in a pseudonymized way in order to produce statistics necessary for the management of our activities. Such statistical processing is compatible with the performance of our contractual services to our customers and is based on our legitimate interest, in compliance with article 6 [1.f] and recital 50.

With regard to personal health information, we only process this category of information in the context of employment and social security (e.g. reimbursement of healthcare) as allowed by article 9 [1.b].

Who we can transfer personal data to

We pay great attention to the choice of our business partners, and we transfer personal data to them when this is indispensable.

Our business partners are not permitted to share or use personal information we make available to them for any other purpose than to provide services to us. They are required to follow the General Data Protection Regulation as much as we are.

For instance, we provide financial information to our bank partners to reimburse our customers. We provide directory information to our mail delivery partners in order to provide our customers with the contractually agreed information. We cautiously and rigorously exchange health data with both our own medical advisors and the organisations providing healthcare services to our customers.

All our third parties are contractually bound to confidentiality. In particular, our medical advisors are bound to medical secrecy. Moreover, we only transfer the type of data that is necessary for the specific third party. We do not transfer data to business partners who don’t need it for their services.

In this context, data may be transferred as an electronic file, by email, by fax or on paper.

Where we store personal data

We take steps to ensure that the information we collect is processed according to this Privacy Statement and the requirements of applicable laws wherever the data is located.

UNIQA has networks, databases, servers, systems, support, and help desks hosted in Switzerland and in Austria. We collaborate with third parties such as cloud hosting services, suppliers, and technology support located in those two countries to serve the needs of our business, workforce, and customers. Through contractual agreements and audits, we take appropriate steps to ensure that personal information is processed, secured, and transferred according to applicable law.

Furthermore, we do not transfer information to countries in which applicable laws do not offer an adequate level of data privacy protection as stipulated by the European Commission. If you would like to know more about our data transfer practices, please contact our Data Protection Officer.

How long we store personal information

We store our customers’ personal data for the longest of the periods necessary:

  • To comply with the applicable regulatory and legal obligations and
  • To manage our operational constraints, such as adequate customer account management, adequate support for our customers’ requests, or responding to legal claims

Therefore, we keep the vast majority of our customers’ information for at least 10 years after the end of our contractual agreement with them. In fact, we only delete such data when it is absolutely required and mandatory to do so.

How we secure personal information

UNIQA takes data security seriously, and we use appropriate technologies and procedures to protect personal information. Our information security policies and procedures are closely aligned with widely accepted international standards and are reviewed regularly and updated as necessary to meet our business needs, changes in technology, and regulatory requirements.

The following list of technical and organizational measures describes the measures we apply within UNIQA’s environment:

Confidentiality

  • Physical Access Control
    No unauthorised access to Data Processing Facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV systems
  • Electronic Access Control
    No unauthorised use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media
  • Internal Access Control (permissions for user rights of access to and amendment of data)
    No unauthorised reading, copying, changes or deletions of data within the system, e.g.: rights authorisation concept, need-based rights of access, logging of system access events
  • Pseudonymisation
    The processing of personal data in such a way that the data cannot be associated with a specific Data Subject without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures.

Integrity

  • Data Transfer Control
    No unauthorised reading, copying, changes or deletions of data during electronic transfer or transport, e.g.: encryption, Virtual Private Networks (VPN), electronic signature
  • Data Entry Control
    Verification of whether and by whom personal data is entered into a Data Processing System, changed or deleted, e.g.: logging, document management

Availability and Resilience

  • Availability Control
    Prevention of accidental or wilful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning
  • Rapid Recovery

Procedures for regular testing, assessment and evaluation

  • Data Protection Management
  • Incident Response Management
  • Data Protection by Design and Default
  • Order or Contract Control
    No third party data processing as per Article 28 GDPR without corresponding instructions from the Client, e.g.: clear and unambiguous contractual arrangements, formalised Order Management, strict controls on the selection of the Service Provider, duty of pre-evaluation, supervisory follow-up checks.

Cookies and automated decision-making programs

We do not use cookies or any automated decision-making program. If, however, this changes in the future, we will comply with industry guidelines and applicable laws.

Links and connections to third-party services

Our Services may contain links to, and may be used by you in conjunction with, third-party apps, services, tools, and websites that are not affiliated with, controlled, or managed by us. Examples include Facebook, LinkedIn, Twitter®, and third-party apps such as voice software and readers. The privacy practices of these third parties are governed by those parties’ own Privacy Statements. We are not responsible for the security or privacy of any information collected by these third parties. You should review the privacy statements or policies applicable to these third-party services.

International Transfer

UNIQA is a European organization. Therefore, your personal information may be stored and processed outside of your home country, namely in the country of residence of our headquarters, which is Austria, or in the country hosting our operations, which is Switzerland. This means that our customers’ personal data are only transferred within the European Union and to a country (Switzerland) which is assessed as adequate by the European Commission with regard to personal data protection. We do not transfer personal information to countries in which applicable laws do not offer the same level of data protection.

Your rights as data subjects

We respect the General Data Protection Regulation.

Therefore, we only use data that has been provided upon request from you and process it under our contractual agreement with you, and we will gladly comply with any legitimate request you may have:

  • Access: You have the right to access and rectify your personal information at any time.
  • Erasure and restriction: under legitimate conditions, you may also have the right to request erasure of your personal data or a restriction on a given processing. For instance, processing may be restricted in order to correct specific personal data.
  • Objection: under specific regulatory criteria, and with regard to the terms and conditions of our contractual agreement, you may have the right to object to the processing of your personal data (e.g. processing related to direct marketing, processing based on your consent, or processing based on our legitimate interest if you actively intend to contest its lawfulness).
  • Portability: for personal data you directly provided to us and which we process by automated means, you have the right to obtain your personal data in a structured, commonly used, machine-readable format and to transfer it to another organisation of your choice. You may also request that we transfer those data directly to another organisation: we will be glad to comply within the limits of our technical means.

In addition, you have the right to lodge a complaint with a public supervisory authority in the European Union.

In any case, please contact our Data Protection Officer.

Errors and Omissions

If you believe that there may be an error in any of the information that you have submitted to UNIQA, or in any personal information that we have displayed, please email:

contact@uniqa.ch

We will review your records as soon as possible.

Additional information

We will amend this privacy statement from time to time and for this reason, it is valid for a period of 1 day from the date you have viewed it. We recommend that you read this statement regularly.