Privacy & Cookies

PRIVACY NOTICE 

The International SOS Group of Companies has presence in over 90 countries. We make sure that all of these companies meet or exceed legislated and industry standards for Data Protection to ensure that your personal information is protected across borders while we assist you worldwide.

In this Notice we make a commitment to protect your privacy. We also describe what information we collect about you and why we collect it, how we use and safeguard that information, and what choices you have, including how to access and update or ask us to delete your information.

Our promise to you:

  • When we need your Personal Information we always explain the purpose and will not use your information for any other purpose without asking you first.
  • We do not retain your personal information longer than required for the purpose of providing our services to you.
  • Your personal information can only be accessed by authorised personnel.
  • You can ask to review or update the personal information we hold about you.
  • We only share information with third parties for purposes either specified in this Privacy Notice, or for reasons required by law or with your explicit prior consent.
  • We carefully select the third-party service providers who support us with the processing of personal data and implement contractual clauses that hold them accountable to the same data protection and privacy standards we meet ourselves.
  • We actively monitor external threats and act quickly and transparently to protect your privacy.
  • We understand that technology develops rapidly. We continuously monitor and enhance the measures we have implemented to protect your information from unauthorized access and accidental loss or disclosure. 

 

Types of Personal Information

Personal Identifiable Information (PII or “Personal Information”) is information that can be used on its own or in combination with other information, to identify, contact or locate a single person, or to identify an individual or natural person in context (and includes Personal Data). Personal Data is information pertaining to an identified or identifiable individual. PII and Personal Data do not include anonymised or statistical data that by itself does not allow identification of you as an individual. Sensitive Information or Special Category Personal Data we may collect includes information about an individual’s current health or health history, sexual orientation or religion.

How we collect and use Your Personal Information

In order to provide our services, we will usually need to collect some personal information about the individuals we are assisting. We will also sometimes pseudonymise and anonymise data and use it for statistical analysis and reporting, to help improve our services or for research purposes.
We collect Personal Information about you when you buy, use or benefit from International SOS' services or products. We also need to collect your Personal Data if you apply for a role with us.
We may not always receive personal information from you directly but also from other sources, such as your employer or your relatives, your insurance company, other assistance companies, financial institutions, medical service providers or travel agencies.

Digital Travel Risk Management Services

If you use our travel assistance app, it will collect some Personal Information and Travel Information. This may include the email address of the app enabled device and your organisation or your personal International SOS membership number, depending on whether you have access to this service by virtue of your employment or whether you are an individual subscriber. The app also periodically collects usage data. 
While the assistance app can also be used without providing your email address, this information is integral to how the app works, as we need to know where you are in order to keep you safe. The app will provide local emergency contact details, tailored medical and security alerts for your location as well as monitoring your location so we can assist you during situations where you may be in danger. Location monitoring is a voluntary feature and you can enable and disable it at any time.

We have engaged a number of third parties to support us with the data processing required to deliver our services: (varies by individual client)¹:

 

1 Exceptions are based on individual client requirements. ETL Solutions (UK) is used for aggregation/transformation for a small number of clients due to technical restrictions on their side. The majority of GDS data streams are transformed by PASS Consulting. Some EU clients do not use a Global Distribution System (GDS) so there is no transformation/aggregation requirement and ETL/PASS are not involved. Some non-EU clients prefer to use the French server and some EU clients’ Personal Data is hosted on our US server by individual agreement.
*Hosting only for EU clients or by individual agreement 
**for clients using Active Monitoring
+where data is hosted by Orange in France
++where data is hosted by RackSpace in the US

 

If you require more detailed information, please contact dpo@internationalsos.com.

 

Manager View and TravelTracker Applications

You may have been nominated by your company to use our Manager View and TravelTracker applications. These systems will need to collect some Personal Information for the purpose of user identification and access authorisation, including your name, job role, email address and contact information. This information is integral to how the applications work, as we need to know who you are to deliver the right content to you.

Manager View and TravelTracker use the following first and third party cookies to provide essential functionality, help us better understand how the applications are used and enhance the user experience:

 

 

Assistance App

To make full use of this app and connected services such as TravelTracker, you will be prompted to provide your personal information. A detailed description of how your personal information will be managed, how International SOS protects your information and what your rights are can be found at https://www.internationalsos.com/privacy

The Mobile Services include services provided by Google Maps/Google Earth Application Programming Interfaces. Google’s Privacy policy applies to such services and can be found by visiting http://www.google.com/policies/privacy/.

 

 

Log-In Details

When you first log into the app, you can do so anonymously by only entering your membership number. If your organisation has subscribed to TravelTracker services, it is important to also enter your email address so that your travel itineraries will be connected to your app profile, achieving full functionality as intended.

Location Check-In & Location Finder

Before you start using the app, you are asked whether you would like the app to access your location. Your consent to enable Location Services on your mobile device is needed for the app to display alerts for your current location and to determine your nearest Assistance Centre. The location information collected is integral to how the app works, as your location is essential to ensuring you are updated with relevant information throughout your travels. The app will provide local emergency contact details and tailored medical and security alerts for your location.

If your organisation subscribes to Check-in and/or Location Finder services, you may also choose to send your location to your organisation. This can be done either manually via Check-in button or automatically via Location Finder.

Location Finder is a voluntary feature and you can enable or disable it at any time in the Push & Location Settings page. The intention of Location Finder is explicitly to only find your location on behalf of your organisation in case you may be impacted by a major event while travelling. Your precise location is not being actively tracked, and only found and plotted once at the time of an incident for the purpose of keeping you safe while travelling.


 

Significant Change Location Service

The International SOS Assistance App collects information from your device to allow us to dynamically serve more relevant content and product support and improve our products and services. This includes analytic and information about your device, operation system, app version, app usage and crash reports.

In a strictly limited fashion, your location is also tracked to the country level in order to send you relevant alerts and information based on your current country. To accomplish this, the Assistance App leverages the “significant-change location service” of your smart phone, which offers a more power-friendly alternative for apps that need location data without requiring frequent updates or the precision of GPS. The service relies on GPS alternatives such as Wi-Fi and cellular information to determine your approximate location. Your precise location is never actively being tracked by International SOS or your organisation, and is only plotted into TravelTracker if you choose to Check-in or turn Location Finder on.


 

Accessing Assistance Services via Live Chat

If you contact us through Live Chat, your name, phone number and the name of your organisation (if applicable) will be displayed. Our coordinator will still ask you for these details to confirm your identity.

For detailed information please refer to the Medical and Security Assistance including Travel Services section below.

 

 

Disclosure of personal information to third parties

We will not disclose the personal information collected by the app unless lawfully instructed to do so by you or your organisation. We have engaged named sub-contractors to assist with the delivery of TravelTracker services. For a current list of these sub-contractors please refer to the Digital Travel Risk Management Services section above.

 

Medical and Security Assistance including Travel Services

When you speak with someone at one of our Assistance Centres, the call will usually be recorded. We do this for training and quality purposes. If you do not wish to be recorded, please let us know and we will call you back on an unrecorded line.

In order to assist you, we will usually need to ask you for some personal information, such as your name, contact details and the company you work for, and this will be recorded on our case management system. Such information is required to identify you and respond to you and where required keep a record of our interaction. We will only collect as much Personal Information as is required to provide the service you ask for in a safe and efficient manner. Some of this may be sensitive data such as medical information required to refer you to a suitable healthcare provider.

If our coordinators ask you for permission to share your personal information and medical information with your insurer, this will be to allow them to place a Guarantee of Payment so you will not be asked to pay for your medical expenses. Your consent will allow us to submit a claim to your insurer.

If our coordinators ask you for permission to share personal or medical information with your employer, this is because your employer has asked us to update them each time we provide assistance so that they can fulfil their Duty of Care and offer support where needed. They may also require us to obtain approval from them before paying for your medical expenses. You can withhold your consent for us to share either your personal information, medical information or both. Where your employer requires us to obtain their approval before making financial arrangements on your behalf, we may not be able to assist you with this if we do not have your consent to contact them.

If our coordinators ask you for permission to share your medical information with a third party provider, this will be to allow them to make arrangements on your behalf for which this information is required by the provider (such as hospital admission).

Data collected for the purpose of providing medical and security assistance services is kept for two years and then one year in archive.  Please refer to our Data Retention, Archiving and Destruction Policy under https://www.internationalsos.com/privacy.

We have engaged a number of third parties to support us with the data processing required to deliver our Medical and Security Assistance Services:

If you require more detailed information, please contact dpo@internationalsos.com.

 

Medical Services (Clinics)

If you visit one of our clinics, for example for a consultation, medical treatment or occupational health assessment, personal and sensitive information will be collected as part of your medical record maintained by the clinic which allows our medical staff to provide medical advice and treatment as appropriate. We retain original medical records in compliance with applicable regulation.

Medical records collected during the time of your treatment are kept for 3 years and then 30 years in archive. Please refer to our Data Retention, Archiving and Destruction Policy under https://www.internationalsos.com/privacy.

 

Training and E-Learning

International SOS provides Training services and we will collect some personal information as part of attendance or completion records and to issue certificates to candidates.

Data collected during the time of your training are generally kept for 2 years and then 1 year in archive. Please refer to our Data Retention, Archiving and Destruction Policy under https://www.internationalsos.com/privacy.

We have engaged third parties to support us with the provision of our E-Learning Services:

Utilisation of these third parties’ services will depend on individual agreement and this will be explicit in the respective contract.

If you require more detailed information, please contact dpo@internationalsos.com.

  

Concierge Services 

We will ask for your Personal information and Credit Card Information (Card Company, Number, Expiry Date) to assist you and process your payment. We handle all payment information in accordance with the Payment Card Industry Data Security Standard (PCI DSS). Full details are available in the Aspire Privacy Statement at https://www.aspirelifestyles.com/en/privacy-policy.

Data collected during the time of Concierge Services have various length of retention, depending on the type of data. Please refer to our Data Retention, Archiving and Destruction Policy at https://www.internationalsos.com/privacy.

We have engaged a number of third parties to support us with the data processing required to deliver our Concierge Services:

If you require more detailed information, please contact dpo@internationalsos.com. 

 

Occupational Health Assessment (MedFit)

We will receive your name and email address from your employer. In the course of providing services, we will also maintain relevant health records received from you and the Occupational Health clinic. At the end of contract, International SOS will return any such health records in accordance with instructions received from your employer.

Medical records collected during the time of your treatment are generally kept for 3 years and then 30 years in archive. Please refer to our Data Retention, Archiving and Destruction Policy under https://www.internationalsos.com/privacy.

We have engaged a number of third parties to support us with the data processing required to deliver our services:

 

 

If you require more detailed information, please contact dpo@internationalsos.com. 

 

Recruitment

The types of Personal Data that we request from you and the ways that we process it are determined by the requirements of the country in which the position is located, and not the country in which you reside.

We usually collect Personal Data directly from you when you apply for a role with us, such as your name, address, contact information, work and educational history, achievements, and test results. We also may collect Personal Data about you from third parties, such as professional recruiting firms, your references, prior employers, International SOS interviewers and employment background check providers to the extent this is permitted by applicable law.

“Sensitive Personal Data” is a subset of Personal Data and includes ethnicity, health, trade union membership, philosophical beliefs, sexual orientation, as well as other categories as prescribed by law. We do not seek to obtain and will not collect Sensitive Personal Data about a candidate unless permitted to do so by applicable laws (e.g. US equal opportunity monitoring).

We only use your Personal Data for legitimate Human Resources and business management reasons including:

  • identifying and evaluating candidates for potential employment, as well as for future roles that may become available;
  • record-keeping in relation to recruiting and hiring;
  • ensuring compliance with legal requirements, including diversity and inclusion requirements and practices;
  • conducting criminal history checks as permitted by applicable law; or
  • protecting our legal rights to the extent authorised or permitted by law.

We process your Personal Data for the purposes described above: when we have your consent to do so; when necessary to enter into an employment contract with you; when necessary for us to comply with a legal obligation; or when necessary for the purposes of our legitimate interests as an employer operating globally.

Data recipients and international data transfers

Your personal data may be accessed by recruiters and interviewers working in the country where the position for which you are applying is based, as well as by recruiters and interviewers working in different countries within the International SOS global organisation. Individuals performing administrative functions and IT personnel within International SOS may also have a limited access to your personal data to perform their jobs. In some countries, you may have fewer rights under local law than you do in your country of residence, but we have put in place legal mechanisms designed to ensure adequate data protection of your personal data that is processed by International SOS subsidiaries and affiliates within the International SOS global organisation, including the transfer of your Personal Data to countries other than the one in which you reside.

We may use third party service providers to provide a recruiting software system. We also share your Personal Data with other third party service providers that may assist us in recruiting talent, administering and evaluating pre-employment screening and testing, and carrying out background checks.

Where required by law, we put in place legal mechanisms designed to ensure adequate data protection of your Personal Data in a third country. If you would like more information about these legal mechanisms, which may include the EU’s Standard Contractual Clauses, please contact us at the address provided at the end of this Privacy Notice.

Data retention

If you accept an offer of employment by us, any relevant Personal Data collected during your pre-employment period will become part of your personnel records and will be retained in accordance with specific country requirements. If we do not employ you, we may nevertheless continue to retain and use your Personal Data for a period of time (which may vary depending on the country) for system administration purposes, to consider you for potential future roles, and to perform research. Thereafter, we retain a minimum amount of your Personal Data to record your recruiting activity with us.

If you require more detailed or country-specific information, please contact dpo@internationalsos.com. 

 

International SOS Websites

Cookies and Tracking Technology

International SOS and its partners use cookies or similar technologies to analyse trends, run the website, track our users’ movements around the website, and to gather demographic information about our user base as a whole. You can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features or functions on our website or service.

Some of our service providers (e.g. International SOS' service providers monitoring our satisfaction survey) use cookies on the International SOS site. We have no access to or control over these cookies. This privacy statement covers the use of cookies by the International SOS site only and does not cover the use of cookies by anyone else.

Acceptance and links to other websites

This website may contain links to other websites, which are there for your convenience and not as an indication of International SOS’ approval. These other websites may have their own policies, which we do not control, and therefore are not covered by this statement or the International SOS Data Protection Policy. 

Data Protection for Minors

We do not knowingly collect any information on anyone who has not reached the age of 18 years through the online services and the International SOS website.

 

CCTV (Closed-Circuit Television)

Closed-Circuit Television, also known as video surveillance, is the use of video cameras to transmit a signal to a specific place, on a limited set of monitors. International SOS uses CCTV solely to deter or detect unlawful behaviour in and around International SOS property and to support the conduct of investigations.

 

At locations where International SOS operates CCTV, a privacy notice is displayed.  CCTV recorders are located in areas with restricted access and operated by specifically trained staff only. Tapes are retained no longer than 90 days.  Local legislative requirements are adhered to.

 

How long we keep your Personal Information

We only retain your personal information as long as it is required and we have a lawful reason. When your personal information is no longer required it will be securely destroyed or transferred in accordance with prior contractual agreement or your own preference. Our data retention policy is published at www.internationalsos.com/privacy.

 

Sharing your Personal Information

We do not sell your personal information in any circumstances and our business model does not rely on such action. 

Your personal information may be transferred to other companies within the International SOS Group, or to third parties that help us deliver our services to you. These companies may be located in another country. If we need to transfer Personal Data outside of the EU/EEA, and the recipient country does not have adequacy status, we ensure that the organisation we are transferring the data to is either Privacy Shield certified (if US based) or we have applied the required safeguards such as EC Standard Contractual Clauses. When transferring personal data outside of the EU/EEA to another International SOS entity, we assure that it remains protected. All International SOS entities acting as Data Controller have signed up to our Binding Corporate Rules(approved by the French Data Protection Authority, CNIL) and where they act as Data Processors, the data transfer is safeguarded by inter-company EC Standard Contractual Clauses.

Whenever we need to transfer sensitive Personal Information (such as medical information), we will first ask for your consent. 

We do not share your personal information with third parties unless one of the following conditions or reasons applies:

We have a legitimate interest to do so

To be able to provide our services we may share some personal information with third parties in a way that you would expect, such as providing your name to the medical practice where you have asked us to arrange an appointment for you. We also provide personal information to other companies within the International SOS Group or other trusted businesses or persons to process it for us based on our instructions and in compliance with Data Protection Legislation, our Data Protection Policy and additional confidentiality and security measures. If you require a list of our third party data processors, please contact dpo@internationalsos.com

Or

You have provided explicit consent

We will ask for your explicit consent before sharing any sensitive personal information about you. We will provide you with clear explanations to allow you to make an informed choice. You are entitled to withdraw your consent at any time. 

Or

There is a legal obligation

We may transfer your personal information to Government authorities, agencies and institutions, but ONLY as required or allowed by applicable regulations.

Or

We need to verify your insurance or employment benefits

In some cases we may need to notify third parties such as your insurer or employer, for example to verify your benefits before paying for your medical expenses, and share some of your personal information with them. We will always ask for your consent if sensitive data needs to be shared or if we need to share information for additional purposes that you may not expect. 

 

Accessing, correcting or deleting your Personal Information

In accordance with applicable Data Protection Regulation and our Data Protection Policy, you can seek access to, or revise, or ask to delete or stop processing the personal information that International SOS has collected from you by using our Data Subject Rights Request Form: https://app.whispli.com/InternationalSOS-Data-Subject-Rights-Request.

If you have a user account, you can access and manage your records through our website. You can also contact the Assistance Centre, clinic, medical service facility or individual employee you have been dealing with. Or you can write to us using the contact link on our website.

If your International SOS Membership was purchased by your organisation and you wish to exercise your rights to access, correct or delete your travel information, please contact your organisation directly. When processing your personal information in the course of providing these digital travel management and mobile services, International SOS is only permitted to act on instructions from your organisation.

When you submit a Data Subject Right Request to International SOS, 

  1. You will be asked to provide International SOS with details of the data requested to help us to discover the data more easily;
  2. If you are asking to correct your data, we may need to ask for the reasons why that data needs correction; 
  3. You may be asked to provide proof of who you are; 
  4. If we act as Data Processor on behalf of your employer, we will need to seek instructions from your employer before we can address your request;
  5. Sometimes we may not be able to fulfil your request due to conflicting legal obligations (such as having to maintain medical records for a certain amount of time) or because we have another legitimate interest that we consider lawful under applicable Data Protection Legislation.

We will acknowledge your request within five working days.

We strive to fully address your request as soon as possible and to respond to you within no more than 30 calendar days from the date it is received and your identity has been verified. In some cases of greater complexity or if you have submitted multiple requests, we may need to extend this period by a further two months. We would let you know if an extension is required before the initial 30 days have elapsed.

If International SOS is asked to destroy personal information, we will ensure that its recreation is prevented and shall take reasonable care to make sure that there is no unauthorised disclosure during the destruction of the data. To allow us to do this, we will maintain a record of all such requests, including a minimum of personal information required. If you are dissatisfied with our response to your Data Subject Rights Request, please do not hesitate to contact us to discuss further. Please see below How to resolve disputes with International SOS for details.

 

How we protect your Personal Information

  • We have group-wide independent certification to the International Information Security standard ISO 27001 https://www.iso.org/isoiec-27001-information-security.html 
  • We have group-wide certification to the Bureau Veritas Data Protection Technical Standard (GDPR) https://int.lead.bureauveritas.com/en/technical-standard-related-to-personal-data-protection
  • We invest in industry-standard encryption and commission regular penetration testing and continuous threat monitoring
  • We thoroughly and routinely vet the Information Security Management Systems of all our third party IT vendors
  • The certification of our Binding Corporate Rules  by the French Data Protection Authority (CNIL) means that you can be sure that your data is protected even when we need to transfer it to other entities of the International SOS group
  • Our Data Protection Officers monitor Data Protection regulation developments globally to ensure that we are always compliant with legal requirements.
  • We have internal policies to prevent inappropriate or unauthorised access or disclosure or accidental loss of personal information and all employees receive regular Data Protection training.
  • We have implemented physical security measures to safeguard personal information from misuse, alteration, accidental loss or destruction.

 

How to resolve disputes with International SOS

To resolve a dispute you can contact the Assistance Centre, clinic, medical service facility or individual employee you have been dealing with. Or you can write to us using the contact link on our website.

You may also direct all enquiries, concerns or complaints regarding our processing of your personal information to our Chief Privacy Officer at dpo@internationalsos.com, and if you are based in the EU or EEA you can contact our Data Protection Officer, Europe at dpo.europe@internationalsos.com.

If you are dissatisfied with the manner in which your request or concern regarding our Online Services is being addressed, you can contact privacy@internationalsos.com

We promise to investigate and address all concerns and complaints as quickly as possible. We will provide an acknowledgement of your query together with an indication of the approximate length of time that it will take us to review it within a week of receipt. If it will likely take us longer than two weeks to address your query, we will also provide you with regular updates throughout the process. We strive to fully address your request as soon as possible and to respond to you within no more than 30 calendar days from the date it is received. In some cases of greater complexity or if you have multiple concerns, we may need to extend this period by a further two months. We would let you know if an extension is required before the initial 30 days have elapsed.

If we act as Data Processor on behalf of a Data Controller such as your employer, a relative's employer, an association or institution, or an insurance or financial services program, we first need to seek instructions from this Data Controller. Should the Data Controller become unavailable to issue such instructions (ceased trading for instance), International SOS commits to independently address your query or complaint regardless, in as far as possible.

Likewise, if you receive services from International SOS through a third party such as listed above, and your personal information has been improperly handled a result of the actions or inactions of such third party, we cannot be liable for resolving any resulting disputes. We will direct you to the appropriate point of contact in such cases.

You have the right at any time, to raise your issues with a data protection authority or to take your case to a court of law.

 

Changes to this Notice

We regularly review and on occasion update this statement to ensure it remains in line with developments in our business and operational infrastructure and capabilities, and with applicable regulation and our Information Security and Privacy Policies. We will inform you of such changes by prior notification, usually through the www.internationalsos.com website. This statement is not intended to create any contractual or other legal rights; its purpose is to explain how your personal information will be processed to allow the provision of International SOS services and how you can make use of your rights under data protection legislation in relation to such processing.

 

Last Updated 05 July 2019