Data privacy policy - Toplis and Harding SA
General
Toplis et Harding SA is a Swiss-based company active in claims handling for Swiss and international insurers, in particular in the context of international insurance programmes. We attach great importance to the protection of the personal data entrusted to us and required to perform our tasks and therefore take the issue of data protection very seriously. This data privacy policy is intended to inform you about the nature, extent and purpose of the processing of personal data when you use our website, digital services or other services.
The Swiss Federal Data Protection Act (DPA) and the Ordinance on the Federal Data Protection Act (FDPA) generally apply to the processing of your personal data. In addition, in some cases, the European Data Protection Regulation (GDPR) also applies. This privacy policy for your personal data complies with both legal regimes.
1. Name and address of the responsible person
The controller of the file within the meaning of the DPA and the data controller within the meaning of the GDPR is:
Toplis et Harding SA (CHE-107.909.171)
Boulevard de Pérolles 17
1700 Fribourg
Switzerland
Telephone: +41 26 470 10 10
E-mail: office(at)toplis.ch
Website: www.toplis.ch
2. Name and address of the Data Protection Advisor
Our company has an external data protection advisor who is responsible for all matters relating to the protection of your data. His contact details are as follows:
Mr. Pierre Moret
Hartmann Dreyer Attorneys and Notaries
Boulevard de Pérolles 7
1701 Fribourg
Switzerland
Telephone: +41 26 309 20 61
E-mail: pierre.moret(at)hartmanndreyer.ch
Website: www.hartmanndreyer.ch
3. The purposes for which we use personal data
We collect and process your personal data in order to provide our services to the insurance companies and brokers who commission us, or to carry out management analyses necessary for the management of our company in order to improve the services provided to our clients. In this respect, we only process your data on the instructions of our principals.
The purposes for which we process your personal data are as follows:
- execution of the mandates entrusted to us: these are the technical operations necessary for the implementation of the guarantees and services agreed between policyholders and insurers. In this context, the data collected relates to the management of benefits and claims. In some cases, the insurer or the insurer acting as lead insurer may collect this information from other insurers or from co-insurers and reinsurers, either at the time of taking out the insurance contract or during the execution of the contractual provisions.
- Compilation of internal statistics and reporting to our clients.
- exercising recourse and managing claims and litigation.
- execution of legal, regulatory and administrative provisions in force: this may involve processing relating to the execution of tax or social insurance rules. The provisions that come under a particular regime are, for example, those that come under the specific regulations of a sector (e.g. anti-money laundering, etc.).
In addition, we reserve the right to invoke the purposes of our clients (insurance principals) where necessary.
For example, we use the information about you, provided by our clients, and relating to a claim in order to:
- check whether the case relates to the insurance benefits agreed with the insurer;
- carry out the necessary operations for the settlement of the claim in accordance with the mandate received.
4. The legal basis on which we process personal data
In accordance with the provisions set out in Article 6 § 1.b and f of the GDPR, the processing of personal data submitted by our customers is necessary in order to fulfil our contractual obligations towards them and to take action, at their request, to manage and settle a claim, and is also based on our legitimate interest.
The processing of special categories of personal data (such as health, biometric and genetic data) that have been collected by your insurer with your consent is carried out only to the extent necessary for the management of the claims cases entrusted to us and is therefore, for this reason, lawful in accordance with Article 9 § 2.a GDPR.
Under Swiss data protection law, the interest in processing your personal data by us as a subcontractor of our customers and by experts and specialist agents is considered to be a private interest justifying such processing.
5. Categories of data collected
The data relating to you that is processed by us must be relevant and proportionate to the purposes for which it is collected. This concerns:
Data relating to identification, i.e.:
- Civil status: this includes surnames, first names, gender, civil status, data relating to identity documents (driving licence, identity card, family record book, residence permit, passport, etc.), date of death, maiden name, date and place of birth, etc.
- Contact details: this includes addresses, telephone numbers (landline and mobile), fax numbers and e-mail addresses, internal processing code allowing the identification of the customer...
- Nationality: knowing the exact nationality of the persons who are parties to or interested in the contract allows the insurer to know which legal framework applies to the insurance contract concluded under a local policy. Nationality is one of the pieces of information that make it possible to determine which possible obligations (for example, fiscal or administrative) may affect the management of the file.
Data relating to the economic, property and financial situation, i.e.:
- Data relating to the economic and financial situation: these aim to define income from work and other income, securities, real estate assets, debts, securities held, securities account statements, taxation data, credits, taxable income, bank card number, bank references (IBAN, BIC, postal statement), the situation of over-indebtedness or entitlement to benefits from social insurance (IA, IJ, etc.);
- The financial situation: concerns the assets making up the estate (in particular movable and immovable property).
Data relating to the professional situation, i.e.:
- the socio-professional category, the field of activity, the profession, the expected date of retirement, the professional skills and qualifications, any proof of unemployment;
- and according to the category of contract: the employer, the collective agreement, if applicable, the company name, the income or the turnover for self-employed persons.
The data necessary to assess the damage to property, i.e.:
These concern: the geographical location of the property concerned, the characteristics of the damaged dwelling or business premises, the conditions of occupation, information on insurable property, the type and characteristics of the insured property, information relating to the claims experience and the past history, the driving licence and its validity, and, if applicable, whether the property is used at the workplace and during business trips, elements leading to a forfeiture of cover...
The data necessary for the conclusion and application of the contract and for the management of claims and benefits, i.e.:
- data relating to the contract: the insured's identification number with his insurer, the contract, the claim file, the method of payment, the premiums, the contributions, the commissions, the taxes, the outstanding debts, the references of the subscriber (insurer), any co-insurers and reinsurers, the duration, the deductibles, the exclusions, the direct debit authorisation, the data relating to the means of payment, the unpaid amounts, the recovery...;
- data relating to the claim: the nature of the claim, the compensation, the insured value and the cover taken out, the description of the damage to property, the reports and opinions of technical and medical experts, the investigation reports, etc.;
- data relating to the injured party: the degree of disability/incapacity, annuities, death benefits, the amounts of benefits, the terms of settlement, unemployment benefits, the amounts reimbursed by social insurance for supplementary benefits (care costs, illness, maternity, etc.).
Data relating to the determination or evaluation of damages, i.e.:
- medical reports, medical expertise;
- company estimates, intervention reports and technical expert reports.
Data relating to the location of persons or goods, i.e.:
This data is useful information in terms of assistance and insurance guarantees which may be included in your insurance cover (searches for lost or stolen vehicles, assistance for people who are ill or in difficulty, etc.) and which may be used in the management and settlement of the claim.
Data relating to personal life and lifestyle, i.e.:
- Data relating to personal circumstances: i.e. family situation, number of children, descendants, ascendants and dependants, education and training, capacity and the protection regime ordered by the competent authorities for the protection of children and adults (curatorship)...;
- Data relating to lifestyle: i.e. hobbies, sports and outdoor activities, journeys, mileage travelled and other such data.
Data relating to health:
The consent of the data subject to the collection of his or her health data must be obtained before processing. This is also the case at the time of the management of the claim, unless this is impossible (in particular when a person is physically or psychologically incapable of giving consent due to physical injury). This consent is in principle given by you when you conclude the insurance contract with your insurer, with the mention that the data collected in this way may be passed on to subcontractors. Otherwise, this consent may have to be renewed and/or confirmed by us in order to guarantee the lawfulness of the processing of your personal data.
In certain cases, and when the safeguarding of the life of the person and the urgency of the situations prevail, it is not always possible to collect the consent of the victim at the time of his or her treatment. Nevertheless, in this eventuality, it is possible to process your personal data without your consent (cf. art. 6 § 1.d GDPR).
The medical data processed within the framework of the mandates entrusted to us depend on the injuries suffered and/or the medical opinions and expert reports documenting the case of damage, but may concern all types of physical or psychological pathologies.
6. Categories of addressees
The recipients are the persons/organisations that have access to the personal data that we process in the course of our activities.
These recipients can be grouped into different categories, namely:
In general:
- staff responsible for the conclusion, management and execution of insurance contracts;
- Management delegates, insurance intermediaries;
- various service providers;
- subcontractors, or entities of the insurance group to which the controller belongs in the performance of their tasks;
- where applicable, the insurers of the persons involved or offering additional services;
- where applicable, the co-insurers and reinsurers as well as the professional bodies and guarantee funds;
- persons involved in the management of the case such as lawyers, experts, curators, health professionals, medical advisers and authorised personnel;
- social insurers involved in the settlement of claims.
As persons interested in the contract:
- policyholders, members and beneficiaries of insurance contracts, and where applicable, their beneficiaries and representatives;
- where applicable: the beneficiaries of an assignment or subrogation of rights relating to the contract;
- where applicable: the person or persons responsible, the victims and their representatives; witnesses, third parties interested in the execution of the insurance contract.
As authorised third parties:
- if applicable: the courts concerned, child and adult protection authorities, arbitrators, mediators;
- the relevant administrative authorities.
7. Transfer of personal data to third parties
We pay particular attention to the choice of our partners and transfer personal data to them when necessary.
Principle
We will only transfer your personal data if you have expressly consented to it, in particular in the context of the contract concluded with your insurer, if there is a legal obligation to do so or if it is necessary to assert certain rights arising from the contract concluded with your insurer.
When visiting our website
We pass on your data to third parties insofar as this is necessary for the use of the website, for example to our hosting company. The website is hosted on servers in Switzerland. The data is transmitted for the purpose of providing and maintaining the functionality of our website. This is our legitimate interest within the meaning of Article 6 § 1.f GDPR.
Onward Transfers/Privacy
Our partners are not permitted to share or use the personal information we make available to them for any purpose other than to perform the services we request of them. Like us, they are subject to the applicable legal provisions on data protection.
For example, we exchange health-related data with our medical advisors and with the organisations that provide care for our customers in a careful and rigorous manner. The same applies to our technical and legal experts.
All third parties who work with us are contractually bound to confidentiality, unless the law requires them to keep their activities strictly confidential. In particular, our medical and legal advisors and experts are bound by professional secrecy. Furthermore, we only transfer the data necessary for our partners to perform their tasks. We do not transfer data to partners who do not need it to perform their services.
In this context, data may be transferred in electronic form, by e-mail or in paper form.
Cross-border processing
Data received from our customers and processed in the course of our normal business activities will only be passed on from our company headquarters to them or to external agents, all of whom are located in Switzerland, the European Union or Great Britain, provided that this is in accordance with the purposes of the data processing described in this data privacy policy. These companies are obliged, as we are, to protect your data. If the level of data protection in a country does not correspond, or should no longer correspond, to that of Switzerland or the European Union, we will ensure, through the conclusion of a contract, that the protection of your personal data corresponds at all times to that of Swiss and European legislation.
8. Where do we store personal data?
We take appropriate measures to ensure that the data we collect and use is processed in accordance with this privacy statement.
Toplis & Harding AG maintains databases, servers and support services in Switzerland. We collaborate with third parties such as hosting services, suppliers and IT support services located in Switzerland in order to meet the needs of our company and our customers. We take appropriate measures, including contractual agreements, to ensure that personal data is processed, secured and transferred in accordance with applicable legal requirements.
9. How long we store your personal data
We store the personal data provided by our customers only for as long as is strictly necessary:
- to fulfil contractual obligations in relation to the files entrusted to us;
- to comply with relevant legal and regulatory obligations (accounting, tax requirements), and
- to manage operational requirements such as the proper management of client accounts, to provide adequate support in response to client requests or legal enquiries.
Therefore, we keep most of the data submitted by our clients for 10 years after the end of the specific mandate with which we are bound, or after an exceptional period of 30 years when the case falls under the Federal Law on Accident Insurance (LAA).
10. Your rights
In the event of the application of the GDPR
You have the right to assert your data protection rights at any time and, on request, to receive information about the personal data we store about you.
In addition, you have the right to have incorrect data corrected and your personal data deleted, provided that this does not conflict with a legal obligation to retain the data or with an authorisation to process the data.
You also have the right to request the data you have provided to us (right to data portability). On request, we will also pass on the data to a third party of your choice. You have the right to request that we pass on your personal data to you or to a third party of your choice in a standard format.
You can address your requests to our Data Protection Officer (see section 2 above), who will then process them. In order to process your requests, we will require proof of your identity.
In addition, you have the right to lodge a complaint with the competent supervisory authority regarding the processing of your personal data. You can do this at the supervisory authority at your place of residence, at your place of work or at the place of the alleged data breach. For persons residing in Switzerland, the competent supervisory authority is as follows:
Federal Data Protection and Information Commissioner
Feldeggweg 1
CH-3003 Bern
Telephone: +41 (0)58 462 43 95 (Monday to Friday, 10 a.m. to 12 noon)
Fax: +41 (0)58 465 99 96
Many data processing operations are only possible with your explicit consent. This consent may have been given to your insurer when the insurance contract was concluded and for the purposes relating to it. It may also have been given directly to Toplis & Harding SA on request. However, you can revoke a consent already given for the processing of personal data at any time. To do so, please inform our Data Protection Officer. The legality of the data processing that has taken place up to the revocation is not affected by the revocation.
Where the DPA applies
Your rights with regard to data protection are governed by articles 25 ff of the DPA. By contacting the data controller (see section 1 above), you can obtain information about the processing of your personal data by Toplis & Harding SA, access to your personal data, the correction or deletion of your personal data, the delivery of your personal data in a standard, usable format (in accordance with article 28 paragraph 1 of the DPA) and your objection to the processing of your personal data. In the latter case, you are expressly made aware of the fact that your objection may prevent Toplis & Harding SA from carrying out all or part of the mandate entrusted to it.
Prior contact with our Data Protection Advisor (see section 2 above) is always advisable.
If, after contacting our Data Protection Advisor, you feel that your rights have not been respected, you may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) using the following contact details:
Federal Data Protection and Information Commissioner
Feldeggweg 1
CH-3003 Bern
Telephone: +41 (0)58 462 43 95 (Monday to Friday, 10am to 12pm)
Website: https://www.edoeb.admin.ch/edoeb/en/home/datenschutz.html