Last update March 2023
What personal information we may collect from you and how we may use that information. We are committed to ensuring your privacy is protected. This Data Protection Notice (“DPN”) sets out details of the personal information that we may collect from you and how we may use that information. Please take your time to read this DPN carefully.
Cigna is a wide group of companies (the “Cigna group”) and, as set out in more detail in this DPN, personal data is shared between companies within the Cigna group in order to provide you with your policy.
You can find permanently updated information about the Cigna group on the following website: www.cignaglobal.com
By providing your personal information to us, you acknowledge that we may use it in the ways set out in this DPN. We may provide you with further notices highlighting certain uses we wish to make of your personal information. We may also give you the ability to opt-in or opt-out of selected uses, such as marketing, when we collect your personal information.
In addition to this DPN, some of our products and services may have their own notices (for example, the Cigna Online and Mobile Privacy Notice), which describe in more detail how your personal information is used in a particular context).
From time to time we may need to make changes to this DPN, for example, as a result of government regulation, new technologies, or other developments in data protection laws or privacy generally. If we change this DPN, we will notify you of the changes. Where changes to the DPN will have a fundamental impact on the nature of our processing of your personal information, or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise your rights in relation to your personal information.
In this DPN references to "we" or "us" refers to the relevant Cigna group entity that is the controller of your personal information. Depending on the specific terms and conditions of the policy you are covered by, one of the following Cigna entities will be the controller for any of the personal information you provide:
The company collecting your personal information depends on the insurance entity which provides your insurance cover.and can be found in your member booklet or certificate of insurance or will be the company which is in contact with you if you are our point of contact at a prospective client. This Cigna entity is the controller of your personal information. The Cigna group entity which is the controller for the purposes of this DPN can be found in your Policy Documents and certificate of insurance, or will be the Cigna group entity which is in contact with you if you are our point of contact at a prospective client. If you have any questions or queries about which Cigna group entity listed above is the controller in relation to your personal information, please do not hesitate to get in touch with us using the details set out in the “Contacting Us” section below.
As the controller we are responsible for complying with data protection laws. This DPN describes what personal information we may collect from you, why we use your personal information, your rights in relation to it, and more generally the practices we maintain and ways in which we use your personal information.
We have appointed a data protection officer to oversee our handling of personal information. If you have any questions about how we collect, store or use your personal information, you may contact our data protection officer using the details set out in the “Contacting Us” section below.
We collect personal information about:
We collect information about you:
The personal information that we collect will depend on your relationship with us. We will collect different information depending on whether you are a policyholder, a covered party under a policy, claimant, witness, broker or other third party.
Please note, in certain circumstances we may request and/or receive "sensitive personal information" about you. For example we may need access to health records for the purposes of providing you with a policy or processing claims.
If you provide personal information to us about other individuals you agree:
(a) to inform the individual about the content of this DPN; and
(b) to obtain any consent where we indicate that it is required for the processing of that individual's personal information in accordance with this DPN.
We collect the personal information outlined above from a number of different sources including:
We may be required by law to collect certain personal information about you, or to collect your personal information as a consequence of a contractual relationship we have with you. Failure to provide this information may prevent or delay the fulfilment of these obligations. For example, if you do not provide certain personal information, we will not be able to provide you with a policy. We will inform you at the time your personal information is collected whether certain data is compulsory and the consequences of the failure to provide such data.
We may process your personal information for a number of different purposes. For each purpose we must have a legal ground for such processing. When the information that we process is classed as sensitive personal information, we must have an additional legal ground for such processing.
Generally we will rely on the following legal grounds:
We may use automated decision making processes to make decisions or conduct 'profiling' about you. This involves using software to process your personal information, to evaluate your personal aspects and to predict risks or outcomes. We use automated decision making processes:
These decisions may have legal or similar effects for you. For example, we may use them to decide what the cost of renewing your policy will be. We will, however, only make these kinds of automated decisions where:
You can contact us to request further information about automated decision-making. In some circumstances you can object to our use of automated decision-making processes, or request that an automated decision is reviewed by a human being.
From time to time, we may share your personal information with third parties for purposes consistent with those described in this DPN. If you would like further information regarding the disclosures of your personal information, please get in touch with us directly.
Disclosure within our group
From time to time, we may share your personal information within Cigna group companies for purposes consistent with those described in this DPN. You can find permanently updated information about the Cigna group on the following website: https:/www.cigna.com/about-us/. Access to personal information within Cigna is restricted to those individuals and entities who have a requirement to access the information for the purposes described in this DPN.
Disclosures to third parties
We also disclose your personal information to the third parties listed below for the purposes described in this DPN. This might include:
We may use your personal information to provide you with information about our products or services, or those of our partners which may be of interest to you, where you have provided your consent for us to do so.
In certain circumstances, we may also use your personal information to contact you for marketing purposes where we have a legitimate interest to do so. This will include where you are our business contact with a prospective client, and we would like to provide you with information about our products, services or events which we consider may be of interest to you and / or your business.If you wish to unsubscribe from emails sent by us, you may do so at any time by clicking on the "unsubscribe" link that appears in all marketing emails. Otherwise you can always contact us to update your contact preferences by using the details in the “Contacting Us” section below. Please note, however, that we will continue to send you service related (non-marketing) communications.
We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this DPN and in order to comply with our legal and regulatory obligations. Our default retention period is 10 years. However, depending on the jurisdiction that governs our contract with you and the type of information involved, our general retention period may vary between 7 to 10 years. If you would like further information regarding the periods for which your personal information will be stored, please see the details in the “Contacting Us” section below for our contact details.
Due to the global nature of our services, your personal information may be transferred for processing/shared with and/or accessed by parties located in other countries and may be subject to data protection laws of those jurisdictions. The countries to which we may transfer your personal information may not be regarded by the European Commission or the DIFC Commissioner as ensuring an adequate level of protection for personal information (for instance the United States and Canada).
Where we transfer your personal information to any of these countries, we will conduct the transfer in accordance with applicable data protection law. This may include ensuring that appropriate safeguards, such as contractual obligations, are put in place with respect to the protection of your personal information and your fundamental rights and freedoms, and your rights in relation to your personal information. If you would like further information regarding the steps we take to safeguard your personal information, or to obtain a copy of the safeguards we put in place to protect it when it is transferred, please contact us using the details in the “Contacting Us” section below.
Depending on your location and the compliance requirements that may apply there you may receive additional privacy notices from us or from our partners.
Under data protection law you have certain rights in relation to the personal information that we hold about you. You may exercise these rights at any time by contacting us using the details set out in the “Contacting us” section below.
We use a range of physical, legal, organisational and technical security measures which are consistent with applicable data protection laws to protect your information. Firewalls are used to block unauthorised traffic to the servers and the actual servers are located in a secure location which can only be accessed by authorised personnel and our internal procedures cover the storage, access and disclosure of your information.
If you have any questions about how we collect, store or use your personal information, you may contact our data protection officer at:
Data Protection Officer / Cigna
Plantin en Moretuslei 309, 2140 Antwerp, Belgium.
We may update this DPN from time to time to ensure that it remains accurate. If we change this DPN, we will notify you of the changes. Where changes to the DPN will have a fundamental impact on the nature of our processing of your personal information, or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise your rights in relation to your personal information.