Privacy policy - Falck Global Assistance’s processing of personal data regarding personal Travel services and Medical Assistance Services abroad.
In connection with Travel services and Medical Assistance Services abroad, Falck Global Assistance A/S is collecting and processing, certain personal data about you as data controller. In this Privacy Policy we describe our processing, usage and disclosure of your personal data.
Please note this privacy policy is the first layer of the full privacy policy. You can find the full version including both layer one and two here: [Insert link, QR-code or similar].
- Why is Falck processing your personal data related to Travel Assistance Services?
- Which personal data does Falck process about you?
- On what basis and for how long is Falck allowed to process your personal data?
- Automated, individual decision making
- Who is Falck sharing your personal data with?
- What are your rights in connection with Falck’s processing of your personal data?
- Contact details
1. Why is Falck processing your personal data related to Travel Assistance?
Falck Global Assistance collects and processes certain information about you when we respond to your inquiries and requests for various travel assistance services in accordance with your travel insurance or other service agreements.
Here you can see examples under what specific circumstances and to what purpose Falck will process your data:
- To perform Medical Pre-Assessments and various pre travel services
- To decide on the provision of relevant services from FGA or our network of providers.
- To provide medical assistance abroad based on our monitoring and assessment of you condition and medical treatment.
- To provide evacuations and repatriation
- To assists with various other personal services related to situations such as
- Transport related issues such as flight delays etc.,
- Luggage issues,
- Statistical purposes
- Comply with legal obligations concerning the processing of personal data, if relevant, such as:
- Our obligations and your rights concerning the processing of your personal data
- Defend or prove a legal claim
- Secure the quality and IT-security around Falck’s processes and applications
- To comply with our obligations under the Nordic legislation, such as:
- Danish: The Health Care Act, The Complaints and Compensations Act, The Personal Data Act, The Bookkeeping Act.
- Norwegian: The Patient and User Rights Act, The Accounting Act, The Limited
Liability Companies Act on Annual Accounts and Annual Reports. - Swedish: The Patient Injury Insurance Act, The Accounting Act, The Patient Data Act.
- Finnish: Act on the Status and Rights of Patients, Act on the Protection of Privacy in Working Life, The Personal Data Act, The Value Added Tax Act.
Read more about Falck’s purposes to which Falck uses your personal data here
We collect and process personal data for the following possible purposes:
A. Medical Pre-Assessments
To establish the degree of insurance cover during a planned trip.
B. Issuing of certain medical Cards
To provide documentation of Medical Health Care Coverage.
C. Assistance related to medical treatment abroad
To provide the proper medical treatment and refer to the proper treatment facilities abroad.
D. Assistance related to evacuations and repatriation
To evacuate in case of e.g., a natural disaster or a medical emergency during a planned trip abroad and/or relocate to a preferred or specialized treatment facility abroad or in the home country.
E. Assistance related to transport related services
To ensure in case of e.g., transport cancelations or delays, that the schedule of a planned trip can be resumed in accordance with the terms and conditions of the applicable insurance policy.
F. Assistance related to luggage issues and services
To ensure the correct procedure enabling the optimum service from authorities, carriers and claims processing.
G. Statistical purposes
To generate data for anonymized statistics and reporting to continuously ensure and strengthen the service quality of case handling and resource planning.
H. In order to comply with any law, rule, regulation, legal and binding provision, decision or dic-tate by a supervisory authority (such as EU’s regulation about data protection and other health law etc.) such as:
- Documentation requirements.
- Compliance with basic principles for processing of personal data and legal basis for pro-cessing.
- Implementation and maintenance of technical and organisational security measures, in-cluding but not limited to prevent unauthorised access to systems and information, pre-vent receipt or distribution of malicious code, termination of denial-of-service-attacks and damage to computer systems and electronical communication systems.
- Investigation of a suspected or known security breach and reporting of such breach to in-dividuals and authorities.
- To process and respond to requests and complaints from data subjects and others.
- Handling of inspections and requests from authorities.
- Management of disputes with data subjects and third parties.
- Processing and transfer of your personal data for the purpose of yours or other individuals’ significant interests if such processing and transfer is based on a legal requirement.
- Processing and transfer of your personal data for purpose of ensuring the public safety and the public interests, insofar such processing and transfer is based on a legal requirement.
Your personal information will not be shared, sold, or disclosed other than as described in this Privacy Policy.
When we collect personal information directly from you, it is necessary in order for us to serve you in accordance with the terms and conditions in your travel insurance or other service agreement. You are not obligated to provide the personal data to us. If you do not provide us with the personal data described below, the consequence will be that we may not be able to provide the requested services to you, either to the same standard or at all.
2. Which personal data does Falck process about you?
Falck exclusively processes personal data necessary to meet the purpose(s) described in section 1. This information is (in the scope of relevance for you):
- Name
- Address
- Contact information, such as e-mail, phone number etc. including where relevant contact information on relatives and co-travelers.
- Insurance information
- Information on the assistance case in general.
- Monitoring and assessing the medical treatment you receive abroad.
- Travel information, booking data.
- Information on expenditure incurred.
- Agreements between FGA and You.
Read more about which data, Falck processes on you here
Ordinary personal data
- Name
- Address
- Phone number
- Insurance information, insurance coverage or other relevant service agreement information.
- Sex
- Age
- Birthday
Confidential personal data
- Social Security Number
- Received from You or your insurance company
- Geolocation
- Only registered in relation to special security services.
- Received from you via a special Mobile App, and where data and geo data precision is approved by you.
- Bank information
- Only to the extent relevant for certain refunds made to you.
- Received from You
Special categories of personal data (hereafter ‘sensitive personal data’)
- Health information including medical history and information about contacts with the healthcare system and alternative treatment providers
- Received from You, Your general practitioner or relevant treatment facilities.
- Ethnic origin
- Only registered to the rare extent relevant for certain security services.
- Received from You
- Religious beliefs
- Only registered to the extent relevant for certain postmortem services.
- Received from relatives
3. On what basis and for how long is Falck allowed to process your personal data?
Before Falck is allowed to process your information for the above stated purposes in section 1, Falck must first identify the legal basis of the processing of your personal data, including defining how long your personal data is stored at Falck.
According to the General Data Protection regulation (‘GDPR’) Falck is using the following legal basis for the processing of your information:
- Legal obligations, art. 6,1 (c, d) and art. 87
- Consent and explicit consent, art. 6(1)(a) and art. 9(2)(a)
- Legitimate interest, art. 6(1)(f)
- Art 9,2 (c, f, h)
The legislations used by Falck for the processing and storing of personal data will be based on the relevant national legislation.
Falck will process and store your personal data in different periods of time according to which law and legal basis is used.
Read more about the basis and for how long your information is processed by Falck here
- Compliance with legal obligations in specific cases, such as transfer of personal data to public authorities (incl. police), other third parties in case of substantial interest, public interests etc. You will be informed of such cases should they occur unless this is prohibited by law.
a. Retention and deletion criteria: Defined based on the specific legal basis for which we are required to transfer your information in the specific case.
b. Legal basis: Varies depending on the specific case and circumstance. - Legal documentation, such as documentation of handling a request from you, storing personal data based on an ongoing or coming case at court, investigation of suspected or identified da-ta breach etc.
a. Retention and deletion criteria: Personal data in relation to legal documentation will only be stored in cas-es where it’s relevant and only for the time for which it’s required.
b. Legal basis:
Ordinary personal data: Legal requirement, GDPR art. 6(1)(c).
Possible sensitive personal data: legal claims, GDPR art. 9(2)(f).
Other legal bases dependent on the specific case. - Medical Pre Assessment, Operational Travel Assistance – Medical (incl. medical journal), Opera-tional Travel Assistance – Non Medical, Claims handling, Invoicing.
a. Retention and deletion criteria: 10 years from case closure. Certain medical injury case types can have an extended retention period up to 20 years according to the doctor’s medical as-sessment in order to secure the data subjects access to process claims with long term ef-fects.
b. Legal basis:
Ordinary personal data: Legitimate interest, GDPR art. 6(1)(f).
Falck’s legitimate interest is based on our ability to handle complaints, to safeguard our financial interests, and perform quality assurance.
Sensitive personal data:
Medical diagnosis and treatment, GDPR art. 9(2)(a, c, f and h). - Telephone recordings
a. Retention and deletion criteria: Recordings are kept according to relevant retention policies.
b. Legal basis:
Ordinary personal data: is based on Article 6(1)(a) and
Sensitive personal data: 9(2)(a).
If a processing is based on your consent: You have a right to withdraw your consent, however this will not affect the processing already incurred prior to withdrawal of the consent.
You can withdraw your consent by contacting us on: dpc.fga@falck.com or the FGA Operations.
4. Automated, individual decision making
Your personal data is not used for automated, individual decision making or profiling.
5. Who is Falck sharing your personal data with?
Falck will, to the extent necessary and in certain cases only with your consent, share personal data about you to other recipients (‘third parties’), in order to offer you the services based on the purposes in section 1. These third parties will be independent data controllers and they will thereby be responsible for their processing of your personal data.
These third parties are:
- Falck Danmark A/S
- Assistance sub-providers
- Your Insurance Provider
- IT Suppliers
- Financial Suppliers
Apart from the third parties listed above, Falck will also share your personal data with suppliers (‘data processors’), who will process your personal data based on instruction from Falck. These data processors are primarily located within the EU/EEA, but a transfer to countries outside the EU/EEA (‘third countries’), such as India and the US may occur, as Falck uses IT-functions who have support function in these countries.
Read more about the parties Falck is sharing your personal data with here
Your personal information will – where relevant - be disclosed to and shared with the following third-party recipients:
Falck Danmark A/S
- Country:
- Sector: Counseling and consulting services.
- Purpose with the transfer of data: The mother company of the Falck group, which – amongst other – provides counselling for legal and auditing services for the other Falck group companies.
- Reference to relevant data processing in section 3: I and II.
Independent data controllers in specific cases such as public authorities (incl. police), other individuals etc.
- Country: May vary depending on the specific case and circumstance.
- Sector: May vary depending on the specific case and circumstance.
- Purpose with the transfer of data: compliance with legal obligations in specific circumstances where Falck is obligated to transfer the information to other controllers, such as public authorities (incl. police), for example for the protection of substantial public interests, legal requirement etc.
- Reference to relevant data processing in section 3: I and II.
[Assistance sub providers]
- Country: Globally
- Sector: Travel assistance sub providers
- Purpose with the transfer of data: In order to execute necessary elements in the provision of assistance services
- Reference to relevant data processing in section 3: Item III.
- Industri: Treatment facilities, Financial transfer, passenger and patient logistics, accommodation etc.
- Derogations Art. 49 see item c below
Your employer / insurance provider
- Country: Contract dependent
- Sector: Business to business (Duty of Care services) / Insurance & Pension
- Purpose with the transfer of data: Falck may transfer your information to your employer/ insurance provider, insofar you receive services through your employer / Insurance, and if Falck is required to provide your employer /insurance with information to comply with the contract with Falck.
- Reference to relevant data processing in section 3: Item III
Beside the above-mentioned recipients, then your personal information will also be shared with the following categories of suppliers (“Data Processors”):
IT suppliers
- Location: EU, India, USA and others.
- Sector: IT
- The category of suppliers includes the following processing chains: Falck Global IT, HCL, Microsoft
- Purpose of the data processing: IT-support, system development, handling of ServiceDesk, server hosting, database support, supplier for network infrastructure and IT-operations.
- Industry: IT-operations, IT-support, system development and cloud.
- Transfer basis: EU Standard Contractual Clauses (a)
- Additional information: The location ‘others’ cover the services provided by Microsoft and its suppliers. A full list of locations for Microsoft can be found on this link: https://servicetrust.microsoft.com/ViewPage/TrustDocumentsV3?command=Download&downloadType=Document&downloadId=ede6342e-d641-4a9b-9162-7d66025003b0&tab=7f51cb60-3d6c-11e9-b2af-7bb9f5d2d913&docTab=7f51cb60-3d6c-11e9-b2af-7bb9f5d2d913_Subprocessor_List.
Financial suppliers
- Location: EU and India.
- Sector:
- The category of suppliers includes the following processing chains: Falck Global Business Services and Wipro.
- Purpose of the data processing: Support for financial processes.
- Industry: Financial support.
- Transfer basis: EU Standard Contractual Clauses (a)
Additional information on the legal basis used to transfer your data to the third country/countries (see the reference next to the country in the above matrixes), can be seen here:
- EU Standard Contractual Clauses: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_de
- Adequacy protection of personal data as of the EU commission’s decision: "https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en"
- A specific situation, which is based on the relevant exceptions, as stated in the GDPR art. 49 (1)(a, c, e and f).
6. What are your rights in connection with Falck’s processing of your personal data?
The personal data which Falck processes are yours alone. Because of this you have certain rights you can act upon in this regard, if you wish to do so. These rights are, amongst other:
- insight into a copy of which personal data Falck is processing about you;
- request Falck to delete the personal data processed about you with limitations in the legislation;
- correction of incorrect or incomplete personal data about you;
- within the limitations of the law, restrict Falck’s access to process your personal data;
- access to data portability, and;
- object to Falck’s processing of your personal data.
These rights can be limited on account of legal bases and legislations being used to process your personal data (see section 3).
You can exercise your rights by contacting Falck on the named contact information in section 7
You also have the right to lodge a complaint with the supervisory authority:
- In Denmark: Datatilsynet; https://www.datatilsynet.dk/
- In Norway: Datatilsynet; https://www.datatilsynet.no/
- In Sweden: Integritetsskyddsmyndigheten IMY. https://www.imy.se/
- In Finland: The Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto). https://tietosuoja.fi/en/home
Read more about your rights here
You have – with the limitations of legislation – among other things:
- right to access to your personal data;
- You have, with a few limitations in the legislation, the right to, free of charge, receive a copy of all your personal data processed by Falck in an easily readable and understandable way.
- right to rectify incorrect personal data;
- You have the right to correct or complete any processed personal data which is incorrect or incomplete.
- right to deletion of personal data;
- You have the right to request Falck to delete the personal data processed about you. The right to get your personal data deleted may, however, be limited based on national and European legislation. As an example, then your data cannot be deleted if Falck is required to process your personal data for a specific legal obligation or in cases where continual processing of your personal data is required to establish or defend a legal claim.
- right to limit the processing of your personal data;
- You have the right in specific cases to limit Falck’s access to process your personal data, which would result in Falck only being able to store the data, but not used them for any other purposes. The right to limit the processing of your personal data may be used in case, where the correctness of the data is disputed, if you do not want your personal data deleted or if you want to object to the processing of your personal data.
- right to data portability;
- You have the right to receive your processed personal data in a structured, commonly used and machine-readable format.
- right to object to the processing of personal data, including automated, individual decisions.
- You have the right to object to Falck’s processing of your personal data, in which cases Falck only can continue the processing of the personal data, insofar it is possible to present a valid legal basis for the continual processing of your personal data. This can, as an example, be where Falck is required by law to process your personal data or in cases where continual processing of your personal data is necessary to establish or defend a legal claim.
- The right to object to Falck’s processing of your personal data also includes your right to object to a processing which is based on automatic and individual decision-making on the basis of your personal data, insofar such a processing occurs in your specific circumstance.
7. Contact details
If you have any questions regarding the processing of your personal data or you wish to act on your rights in accordance with the law, you are asked to contact us on DPC.FGA@falck.com. You may also contact our data protection officer by sending an e-mail to dpo@falck.com.
Falck Global Assistance A/S
Sydhavnsgade 18, 2450 København
Denmark