This Fair Processing Notice tells you about processing of “personal data” by the CEGA Group 1.
We may hold and process your personal data in order to provide services relating to the insurance industry. Our activities (‘the Services) include claims handling, medical screening, risk assessment, and performing contracts of insurance which can include providing medical assistance abroad. We also provide non-insurance related medical assistance including repatriation, and other services related to our core businesses. When providing the services we are usually “data processors” of your personal data, and the “data controller” is the company with whom you (or your employer or family member) has an insurance policy. Sometimes, though, we may be a joint data controller with the insurance company. If you don’t know who is the proper data controller for your personal data, then you can contact us below, and we will check for you.
We are committed to processing all personal data fairly, lawfully, and transparently. To make things simpler, CEGA Group have nominated one data controller, CEGA Group Services Limited, to handle all requests or queries you might have about our processing of your personal data. We have, alongside a number of Charles Taylor Group entities, jointly appointed a CEGA Group Data Protection Officer (“DPO”) to oversee compliance with data protection law. Their contact details are: Barry Proudfoot; The Minster Building, 21 Mincing Lane, London, EC3R 7AG; +44 20 3320 2258, Barry.Proudfoot@ctplc.com .
You have various legal rights in your personal data including the right of: information and access to your data, including a “portable” copy of your data; erasure and rectification of your data; and rights to restrict or object to processing of your personal data. Where we rely on your consent to process your personal data you can withdraw that consent at any time. To exercise these data subject rights please contact the following email address: email@example.com .
The data we generally hold and process includes names, contact details, dates of birth, insurance policies or claims in which you may have been involved. This may include special category personal data including, potentially, information about your medical history, race, ethnicity, sexual orientation, religious beliefs, trade union membership, genetic and biometric data, political opinions, and any other physical or mental health details. This personal data is held only for the purposes of performing the Services.
CEGA Group will almost always obtain your data from its clients who are insurance companies or their clients, who in turn will have obtained it from you or your employer or family member in relation to an insurance policy or employee policy. Alternatively this may have been provided to us by a company in connection with the provision of medical assistance to you.
Our lawful bases for processing personal data include:
In all circumstances, however, we also rely on our legitimate interests, and those of our insurance industry clients or other clients, to ensure that you and the other people who are named under your insurance policy are properly protected by the provision of adequate insurance against the risk of misfortune, or, if the processing is unrelated to an insurance policy, to ensure that medical evidence can be effectively provided to individuals. Where we rely on our legitimate interests, we will always balance them against the rights and freedoms of the people whose personal data we process. Where their rights override our legitimate interests we will cease to process personal data.
From time to time, we may need to disclose personal data to third parties. Sometimes, these will be companies who process on our behalf and only act upon our instructions. Sometimes, these will be individuals and companies who are needed to provide services such as: doctors, clinics and hospitals, air ambulances, taxi services, or other services which may be covered under your insurance policy or company scheme. Your information may be shared with insurance participants, including the policyholder 2.
From time to time we will need to transfer your personal data outside the European Union. We will, save for exceptional circumstances, only do so:
We will always keep records of where your data has been sent outside of the EU and you can have access to these records if you wish. We will generally keep personal data for as long as we have a lawful basis (including the legitimate interest basis), or where that lawful basis comes to an end, we may retain it for six years and one year afterwards, for the purposes of litigation. Any data kept after this time will be pseudonymised so that you are no longer identifiable from such data.
There are some very limited circumstances where we, on behalf of our clients, use computer questionnaires to give you a quick decision on whether or not they can provide you with insurance cover, and in some cases to generate a quote based on your individual circumstances, including things which may involve your Special Category Personal Data (like your health data). This is a form of ‘automated decision-making’, because it compares your answers against our insurance client’s criteria, and makes a ‘decision’ about whether to provide cover and, at times, how much that might cost.
We will not use automatic decision making without either (a) your explicit consent; or (b) with a view to your entering into a contract of insurance with our insurance company client; or (c) in the public interest, according to the UK Data Protection Act 2018. However, if you are not happy with the result of an automated decision, you can request human intervention, express your own views, and/or contest the automated decision by writing to firstname.lastname@example.org (but please put ‘Automated Decision-Making’ in the email Subject line).
1 CEGA Group Services Limited (ICO Reg. No. Z5533202); CEGA Holdings Limited (ICO Reg. No. Z5097422); CEGA Solutions Limited (ICO Reg. No. ZA153272); CEGA Air Ambulance UK Limited (ICO Reg. No. Z1596084). All four companies are incorporated in England & Wales and have their address as The Minster Building, 21 Mincing Lane, London, EC3R 7AG. CEGA Group companies are part of the Charles Taylor Group of companies.
2 The words ‘Your information may be shared with insurance participants, including the policyholder’ were an addition to the Fair Processing Notice subsequent to the effective date of GDPR and were implemented into operational use on 18 October 2018.
Further details can be found in our privacy policies.
CEGA's other data protection policies are available upon request.