Privacy & Cookies

PRIVACY NOTICE

Introduction

Our promise to you

California Consumer Privacy Act

Personal data

How we process personal data

Exercising your rights as a data subject

Resolving disputes

Information security

Sharing your personal data


INTRODUCTION

The International SOS Group of Companies has presence in 85 countries. We make sure that all of these group companies meet or exceed legislated and industry standards for Data Protection to ensure that your personal information is protected across borders while we assist you worldwide.
In this Notice we make a commitment to protect your privacy. We also describe what information we collect about you and why we collect it, how we use and safeguard that information, and what choices you have, including how to access and update or ask us to delete your information.

OUR PROMISE TO YOU

  • When we need your Personal Information, we always explain the purpose and will not use your information for any other purpose without asking you first.
  • We do not retain your personal information longer than required for the purpose of providing our services to you.
  • Your personal information can only be accessed by authorised personnel.
  • You can ask to review or update the personal information we hold about you.
  • We only share information with third parties for purposes either specified in this Privacy Notice, or for reasons required by law or with your explicit prior consent.
  • We carefully select the third-party service providers who support us with the processing of personal data and implement contractual clauses that hold them accountable to the same data protection and privacy standards we meet ourselves.
  • We actively monitor external threats and act quickly and transparently to protect your privacy.
  • We understand that technology develops rapidly. We continuously monitor and enhance the measures we have implemented to protect your information from unauthorised access and accidental loss or disclosure.

CALIFORNIA CONSUMER PRIVACY ACT

Please click here for more disclosures of your California privacy rights.


PERSONAL DATA

Types of Personal Data

Personal Identifiable Information (PII or “Personal Data”) is information that can be used on its own or in combination with other information, to identify, contact or locate a single person, or to identify an individual or natural person in context (and includes Personal Data). Personal Data is information pertaining to an identified or identifiable individual. PII and Personal Data do not include anonymised or statistical data that by itself does not allow identification of you as an individual. Sensitive Information or Special Category Personal Data we may collect includes information about an individual’s current health or health history, sexual orientation or religion.

In order to provide our services, we will usually need to collect some personal information about the individuals we are assisting. We will also sometimes pseudonymise and anonymise data and use it for statistical analysis and reporting, to help improve our services or for research purposes.

We collect Personal Information about you when you buy, use or benefit from International SOS' services or products. We also need to collect your Personal Data if you apply for a role with us.

We may not always receive personal information from you directly but also from other sources, such as the organisation which you are working for or providing service to ("your employer") or your relatives, your insurance company, other assistance companies, financial institutions, medical service providers or travel agencies.

 

Details about our services and activities:

If you cannot find the information you are looking for, please contact dpo@internationalsos.com.

In accordance with applicable Data Protection Regulation and our Data Protection Policy, you can seek information about, access to, or revise, or ask to delete or stop processing the personal information that International SOS has collected from you. You also have the right to withdraw your consent and the right to portability.

You can use our Data Subject Rights Portal to make a request:

  • Please click here to make a request under the California Consumer Privacy Act (CCPA)
  • Please click here to make any other Data Subject Rights Request

Our Privacy Portal is provided by a third party supplier, OneTrust LLC (https://www.onetrust.com/privacy/).

If you have a user account, you can also access and manage your records through our website. You can also contact the Assistance Centre, clinic, medical service facility or individual employee you have been dealing with. Or you can write to us using the contact link on our website. To unsubscribe from email alerts, you can contact onlinehelp@internationalsos.com.

Please note that when processing your personal data on your organisation's behalf, in the course of providing digital workforce resilience management and/or mobile services, International SOS is only permitted to act on instructions from your organisation so please either contact your organisation directly or we will contact them for authorisation before we can fulfill your request.

When you submit a Data Subject Right Request to International SOS,

  1. You will be asked to provide International SOS with details of the data requested to help us to discover the data more easily;
  2. If you are asking to correct your data, we may need to ask for the reasons why that data needs correction;
  3. You may be asked to provide proof of who you are;
  4. If we act as Data Processor on behalf of your employer, we will need to seek instructions from your employer before we can address your request;
  5. Sometimes we may not be able to fulfil your request due to conflicting legal obligations (such as having to maintain medical records for a certain amount of time) or because we have another legitimate interest that we consider lawful under applicable Data Protection Legislation.

We will acknowledge your request within five working days.

We strive to fully address your request as soon as possible and to respond to you within no more than 30 calendar days from the date it is received, and your identity has been verified. In some cases of greater complexity or if you have submitted multiple requests, we may need to extend this period by a further two months. We would let you know if an extension is required before the initial 30 days have elapsed.

If International SOS is asked to destroy personal information, we will ensure that its recreation is prevented and shall take reasonable care to make sure that there is no unauthorised disclosure during the destruction of the data. To allow us to do this, we will maintain a record of all such requests, including a minimum of personal information required. None of the personal data shared with you via the Privacy Portal under an access request will be retained longer than 30 days.

If you are dissatisfied with our response to your Data Subject Rights Request, please do not hesitate to contact us to discuss further. Please see below RESOLVING DISPUTES for details.

To resolve a dispute, you can contact the Assistance Centre, clinic, medical service facility or individual employee you have been dealing with. Or you can write to us using the contact link on our website.

You may also direct all enquiries, concerns or complaints regarding our processing of your personal information to our Chief Privacy Officer at dpo@internationalsos.com, and if you are based in the EU or EEA you can contact our Data Protection Officer, Europe at dpo.europe@internationalsos.com.
If you are dissatisfied with the manner in which your request or concern regarding our Online Services is being addressed, you can contact privacy@internationalsos.com.

We promise to investigate and address all concerns and complaints as quickly as possible. We will provide an acknowledgement of your query together with an indication of the approximate length of time that it will take us to review it within a week of receipt. If it will likely take us longer than two weeks to address your query, we will also provide you with regular updates throughout the process. We strive to fully address your request as soon as possible and to respond to you within no more than 30 calendar days from the date it is received. In some cases of greater complexity or if you have multiple concerns, we may need to extend this period by a further two months. We would let you know if an extension is required before the initial 30 days have elapsed.

If we act as Data Processor on behalf of a Data Controller such as your employer, a relative's employer, an association or institution, or an insurance or financial services program, we first need to seek instructions from this Data Controller. Should the Data Controller become unavailable to issue such instructions (ceased trading for instance), International SOS commits to independently address your query or complaint regardless, in as far as possible.
Likewise, if you receive services from International SOS through a third party such as listed above, and your personal information has been improperly handled a result of the actions or inactions of such third party, we cannot be liable for resolving any resulting disputes. We will direct you to the appropriate point of contact in such cases.

You have the right at any time, to raise your issues with a data protection authority or to take your case to a court of law.

  • We have group-wide independent certification to the International Information Security standard ISO 27001 https://www.iso.org/isoiec-27001-information-security.html
  • We have group-wide certification to the Bureau Veritas Data Protection Technical Standard
  • (GDPR) https://int.lead.bureauveritas.com/en/technical-standard-related-to-personal-data-protection
  • We invest in industry-standard encryption and commission regular penetration testing and continuous threat monitoring
  • We thoroughly and routinely vet the Information Security Management Systems of all our third-party IT vendors
  • The certification of our Binding Corporate Rules by the French Data Protection Authority (CNIL) means that you can be sure that your data is protected even when we need to transfer it to other entities of the International SOS group
  • Our Data Protection Officers monitor Data Protection regulation developments globally to ensure that we are always compliant with legal requirements.
  • We have internal policies to prevent inappropriate or unauthorised access or disclosure or accidental loss of personal information and all employees receive regular Data Protection training.
  • We have implemented physical security measures to safeguard personal information from misuse, alteration, accidental loss or destruction.


SHARING YOUR PERSONAL DATA

We do not sell your personal information in any circumstances and our business model does not rely on such action.

Your personal information may be transferred to other companies within the International SOS Group, or to third parties that help us deliver our services to you. These companies may be located in another country. If we need to transfer Personal Data outside of the EU/EEA, and the recipient country does not have adequacy status, we implement the required safeguards such as EC Standard Contractual Clauses. When transferring personal data outside of the EU/EEA to another International SOS entity, we assure that it remains protected. All International SOS entities acting as Data Controller have signed up to our Binding Corporate Rules (approved by the French Data Protection Authority, CNIL) and where they act as Data Processors, the data transfer is safeguarded by inter- company EC Standard Contractual Clauses.
We will first ask for your consent whenever we need to transfer sensitive Personal Information (such as medical information) to any third parties other than our sub-processors, listed in this Privacy Notice, or providers you have explicitly asked us to engage with on your behalf (for example when you ask us to schedule a medical appointment or admission to a hospital).

We do not share your personal information with third parties unless one of the following conditions or reasons applies:


We have a legitimate interest to do so

To be able to provide our services we may share some personal information with third parties in a way that you would expect, such as providing your name to the medical practice where you have asked us to arrange an appointment for you. We also provide personal information to other companies within the International SOS Group or other trusted businesses or persons to process it for us based on our instructions and in compliance with Data Protection Legislation, our Data Protection Policy and additional confidentiality and security measures. If you require a list of our third party data processors, please contact dpo@internationalsos.com.

Or

You have provided explicit consent

We will ask for your explicit consent before sharing any sensitive personal information about you. We will provide you with clear explanations to allow you to make an informed choice. You are entitled to withdraw your consent at any time.

Or

There is a legal obligation

We may transfer your personal information to Government authorities, agencies and institutions, but ONLY as required or allowed by applicable regulations.

Or

We need to verify your insurance or employment benefits

In some cases, we may need to notify third parties such as your insurer or employer, for example to verify your benefits before paying for your medical expenses, and share some of your personal information with them. We will always ask for your consent if sensitive data needs to be shared or if we need to share information for additional purposes that you may not expect.

 

Last Updated 1 December 2020