AXA Insurance Data Protection Notice for Laya Healthcare Business
This document is the AXA Insurance Data Protection Notice for AXA’s business with Laya Healthcare. It contains all the information you need to know to understand how we use your data for our business with Laya Healthcare.
Notice: While all of the information in this Data Protection Notice is important, certain details have been placed in boxes to highlight them. These boxes contain information that the data protection legislation (known as the General Data Protection Regulation) specifies as being information that should be brought to your attention.
Contents of this document:
- General
- Collection of Information
- Use of Information
- Sharing of Information
- Information Collected
- Retention of Information
- Your Rights
- Cookie Policy
1. General
AXA recognises that protecting personal data, including special categories of data (sometimes referred to as sensitive personal data), is very important to you and that you have an interest in how we collect, use and share such information. This Data Protection Notice sets out what we do with your personal data.
It is important that you read this Data Protection Notice and show it to anyone else who is insured under your health insurance policy, as it also applies to them.
We reserve the right to change this Data Protection Notice from time to time at our sole discretion. The most up-to-date version of this document can be found on axa.ie/data-protection. We encourage you to periodically review this notice to keep informed about how we process your personal data.
Company Information
References to “AXA”, “us”, “our” and “we” mean AXA Insurance dac, and any associated companies from time to time. More information about AXA can be found at www.axa.ie. References to “Laya” mean Laya Healthcare Limited.
For Laya’s health insurance products, Laya and AXA are separate and independent data controllers, each with their own purposes and means of processing personal data. For details of how Laya processes personal data, please see their data protection information.
Legislation
Rest assured that all personal data we gather will be processed in accordance with all applicable data protection laws and principles, in particular the EU General Data Protection Regulation (the “GDPR”) and the Data Protection Acts.
Queries and Complaints
If you are unhappy with the way we have handled your personal information and wish to complain or if you simply want further information about the way your personal data will be used, please contact us by any of the following options:
Data Protection Officer,
Compliance Department,
AXA Insurance dac,
Wolfe Tone House,
Wolfe Tone Street,
Dublin 1
Email: compliance@axa.ie
Telephone: +353 (0)1 471 1812
You also have the right to lodge a complaint with our data protection regulator. To contact the Data Protection Commission, please visit their website: dataprotection.ie
Please note that we will take all appropriate steps to keep your personal data safe. In the unlikely event that we have a security breach, we will notify you without undue delay about the circumstances of the incident in accordance with the GDPR.
2. Collection of Information
The personal data we gather for the purposes set out in Section 3 below will be obtained from Laya.
The types of personal data that we gather are listed in Section 5 ‘Data Collected’ below.
3. Use of Information
We mainly use your personal information to underwrite your insurance policy and to assist with the management of claims and complaints you might make. However, more specifically, we may use the personal data we gather for any or all of the following purposes:
to manage and investigate any claim made by you or anybody insured under your policy of insurance;
Legal Basis:
- the processing is necessary for the performance of a contract to which you, the data subject, are party or in order to take steps at your request prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the controller is subject.
to manage and investigate any complaints;
Legal Basis:
- the processing is necessary for the performance of a contract to which you, the data subject, are party or in order to take steps at your request prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the controller is subject.
to assess your eligibility and terms of your insurance policy;
Legal Basis:
- the processing is necessary for the performance of a contract to which you, the data subject, are party or in order to take steps at your request prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the controller is subject.
to carry out statistical analyses to determine the price and features of the products;
Legal Basis:
- the processing is necessary for the performance of a contract to which you, the data subject, are party or in order to take steps at your request prior to entering into a contract.
to carry out statistical analyses and market research for the purpose of reviewing, adapting and improving products, services, processes, systems and websites;
Legal Basis:
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. AXA’s legitimate interest is to engage in activities to improve and adapt the range of products and services we offer; to help our business grow; and to ensure that our systems are effective and efficient.
to investigate the possibility of new products or services and to buy or sell any business or assets;
Legal Basis:
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. AXA’s legitimate interest is to engage in activities to improve and adapt the range of products and services we offer and to help our business grow.
for staff training, performance reviews and discipline;
Legal Basis:
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary for the performance of a contract to which you, the data subject, are party or in order to take steps at your request prior to entering into a contract.
for the detection and prevention of fraud, money laundering and other offences and to assist the police or any other authorised investigatory body or authority with any inquiries or investigations;
Legal Basis:
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. AXA’s legitimate interest is to investigate and prevent potential fraudulent and other unlawful activity;
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary for the performance of a task carried out in the public interest.
AXA Group reporting purposes (where necessary);
Legal Basis:
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. AXA’s legitimate interest is the proper running of its business;
for compliance with all relevant laws and regulations; and/or
Legal Basis:
- the processing is necessary for compliance with a legal obligation to which the controller is subject.
as otherwise set out in this Data Protection Notice or any other data protection notice, policy booklet, website or other documentation provided to you by AXA or Laya.
Sensitive Categories of Data
- Where we process special categories of data (also known as sensitive personal data) for any of the above purposes, we will only do so by way of explicit consent, for the purpose of a policy of health insurance or health-related insurance, where it is necessary for the purposes of providing or obtaining legal advice, for the establishment, exercise or defence of legal rights, for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings or where the processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent.
- Where we process personal data relating to criminal convictions and offences or related security measures, we will only do so where it is necessary to prevent, detect and investigate crime, including fraud, or for the purpose of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or it is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
4. Sharing of Information
There are various circumstances where we may share personal data with other parties. Generally this includes your representatives, our representatives and, if a claim is made, various claims related parties.
AXA will use every effort to protect your personal data and we will not sell it to any third-party companies. Where we choose to have certain services provided by carefully selected third parties, we take precautions regarding the practices employed by the service provider to ensure your personal data is stored and processed legally and securely.
While the exact list of third parties changes from time to time, we feel that it is important that you have an idea of the types of third party that we share data with. The category headings and types of third party set out below are a non-exhaustive list and are only indicative of the companies, agencies and individuals with whom we share data where we need to do so.
Your representatives:
any party you have given us permission to speak to (such as a relative or friend), in certain circumstances other people insured under your policy of insurance and other people or companies associated with you (for example your lawyer);
Our representatives:
our employees, agents and contractors, including companies that provide services in relation to telecommunications, data storage, document production and destruction, IT and IT security, making and receiving payments, data analysis and management information, complaints handling and fraud detection;
Other third parties:
medical professionals, hospitals and other treatment centres, Laya and other AXA Group companies, external advisors (such as solicitors, accountants and auditors), third parties with which we may choose to improve our processes, products or services or to investigate the possibility of new processes, products or services and prospective sellers or buyers in the event that we decide to buy or sell any business or assets; and
State or government departments, bodies or agencies and industry bodies:
regulatory bodies and law enforcement agencies.
Please feel free to contact us (details in Section 1 'General' above) if you would like more details about the parties with whom we share your information.
Sharing Between AXA Departments
During any of the activities set out above, a department of AXA may become aware of information which should have been disclosed at an earlier time which relates to you and/or anybody else insured under your policy of insurance. Where this occurs, the department in question shall be entitled to share such information with:
- the Underwriting Department for the purpose of providing your next quotation and/or deciding whether or not to cancel your policy/policies; and/or
- the Claims Department (and any other relevant department) for the purposes of deciding how to deal with a claim; and/or
- any other department in AXA for the purpose of handling a complaint.
International Transfers
On occasion we or a service provider may transmit certain aspects of your personal data outside the European Economic Area (the “EEA”) to other members of the AXA Group or to other recipients. In such circumstances, we will ensure that such transmissions are carried out securely and in accordance with data protection law.
AXA complies with the law regarding international transfers of data by various means, including by relying on adequacy decisions of the European Commission, which state that certain countries ensure adequate levels of data protection in their law, the European Commission’s standard data protection contract clauses or Binding Corporate Rules.
If you would like more information about the relevant safeguards involved in the transfer of personal data to countries or companies outside the European Economic Area, please visit the European Commission’s website on data transfers outside the EU or contact us using the details in Section 1 'General' above.
If this happens, the third party is entitled to receive certain information from us, including (a) confirmation of your identity, (b) details of your insurance policy, including its terms and conditions and whether or not it was in effect on the date the alleged injury or damage was caused, (c) whether or not we have received a notification of the incident in question from you and, if we have, how far our investigation has progressed, (d) information about the events that resulted in the third party making a claim, (e) whether we have informed you that we intend to accept or refuse the claim against your insurance policy, and (f) any other information that becomes relevant in the handling of the claim.
5. Information Collected
As the underwriter for the Laya Healthcare product, we need to collect many categories of personal data for the purposes set out in this Data Protection Notice.
The exact categories may change from time to time. Therefore, the types of data we collect, as set out below, are non-exhaustive and only indicative of the data we may hold about you.
Categories of Information Collected
Name, address, date of birth, policy and claim related identification numbers (policy number, claim number, etc), relationship to policyholder, insured, claimant or other relevant individual, gender, policy information, claims information, complaint information, medical condition and health status, other special category data (e.g. religious beliefs or ethnicity) where it relates to a policy, claim or complaint, claims history and criminal convictions data to prevent, detect and investigate potential fraud or other criminal activities.
Please feel free to contact us (details in Section 1 'General' above) if you would like more information about the precise information we gather and use.
All of the above information is required for the purposes specified in Section 3 ‘Use of Information’.
6. Retention of Information
We keep personal data only for as long as required to fulfil the purposes for which it was collected. We retain your personal data for a period of time corresponding to a statute of limitation setting out the period during which legal claims may be filed in court. In some circumstances, we may retain personal data for other periods of time, for instance where we are required to do so in accordance with legal, tax and accounting requirements, or if required to do so by a legal process, legal authority or other governmental entity having authority to make the request.
7. Your Rights
As a ‘data subject’, you have the rights set out in this section. For more information on each of these rights, please contact us using the details in Section 1 'General' above.
Please send all requests to us (details in Section 1 ‘General’ above) in writing by post or email, together with enough information to allow us to deal with your request. It may take up to one month to process your request, with the possibility of an extension of another two months.
We need to be certain who you are when you make a request. As a result, we may require you to provide identification in order to deal with your request, for verification purposes.
If we do not have enough information to process your request, we may need to contact you for clarification.
If we refuse your request you are entitled to make a complaint to the Data Protection Commission (details in Section 1 ‘General’ above).
A. Right to Withdraw Consent
If we are processing your information on the legal basis of consent, you are entitled to withdraw your consent at any time.
We do not generally rely on consent for processing personal data in relation to insurance contracts; we generally rely on other legal bases, such as the basis that the processing is required for the purpose of entering into and performing a contract with you. More details on the legal bases on which we rely are set out in Section 3 ‘Use of Information’.
B. Right of Access
You have the right to be given details about the personal data concerning you that we hold and why and how we process that data. You also have the right to obtain a copy of the personal data we hold about you; this is known as a data subject access request. When you make this type of request, we would ask that you provide us with as much information as possible to assist us in identifying the personal data you want access to.
C. Right of Rectification
You have the right to require AXA to correct any inaccuracies (including missing details) in the information we hold about you.
D. Right of Erasure/Right to be Forgotten
In certain circumstances you have a right to have the personal data concerning you erased. However, you may only request the deletion of your data where one of the following situations applies: the personal data are no longer needed for the purposes for which they were collected; the data are processed on the legal basis of consent and you withdraw consent (see Section 3 ‘Use of Information’ for the legal bases of processing); you object to the processing of the data where they are processed on the legal basis of legitimate interests and there are no overriding legitimate grounds for us to process the data (see Section 3 ‘Use of Information’ for the legal bases of processing and the Right to Object at paragraph (vii) below); the personal data have been unlawfully processed; or the personal data must be erased for compliance with a legal obligation.
However, this right does not apply in certain situations, including where the processing is necessary for compliance with a legal obligation, such as the performance of a contract (e.g. your insurance policy) or compliance with legislation (e.g. the Consumer Protection Code 2012, which requires us to retain data for at least 6 years); for statistical purposes, where this erasure of the data is likely to damage our ability to achieve the objectives of that processing activity; or for the establishment, exercise or defence of legal claims.
E. Right to Data Portability
You have a right to receive from us the personal data you have provided to us. You may also request that we send this personal data to another data controller (such as another financial services provider). Where we do so we will not be responsible for any action of the other data controller in respect of the transferred data.
F. Right to Object
Where we state in this document that we process your personal data in the public interest or on the basis of a legitimate interest (see the legal bases for processing set out in Section 3 ‘Use of Information’), you are entitled to object to the processing in question on grounds relating to your particular situation. We will then stop processing the personal data in question unless we can demonstrate compelling legitimate grounds for us to continue processing the data or unless we need to use it in a legal claim.
If you wish to exercise this right, please contact us (details in Section 1 ‘General’ above) setting out why you want us to stop processing your personal data based on your particular situation. We will then evaluate whether your rights outweigh the necessity of our purpose(s).
G. Right to Restrict Processing of Your Data
You have the right to restrict us from processing your personal data where you feel that it is inaccurate, we are processing it unlawfully, we no longer need it or where you have invoked your Right to Object (as set out in Section 7 (F) above).
8. Cookie Policy
For information on the cookies we use and how to manage them, please see our cookie policy at www.axa.ie/data-protection/cookie-policy/.