Privacy & Cookies

17 DECEMBER 2018

PRIVACY NOTICE 

The International SOS Group of Companies includes companies in over 70 countries. We make sure that all of these companies meet or exceed legislated and industry standards for Data Protection to ensure that your personal information is protected across borders while we assist you worldwide.
In this Privacy Notice we make a commitment to protect your privacy. We also describe what information we collect about you and why we collect it, how we use and safeguard that information and we explain what choices you have, including how to access and update or ask us to delete your information.

Our Promise to You:

  • When we need your Personal Information we always explain the purpose and will not use your information for any other purpose without asking you first.
  • We do not retain your personal information longer than required for the purpose of providing our services to you.
  • Your personal information can only be accessed by authorised personnel.
  • You can ask to review or update the personal information we hold about you.
  • We only share information with third parties for purposes either specified in this Privacy Notice, or for reasons required by law or with your explicit prior consent.
  • We carefully select the third-party service providers who support us with the processing of personal data and implement contractual clauses that hold them accountable to the same data protection and privacy standards we meet ourselves.
  • We actively monitor external threats and act quickly and transparently to protect your privacy.
  • We understand that technology develops rapidly and continuously monitor and enhance the measures we have implemented to protect your information from unauthorized access and accidental loss or disclosure. 

Types of Personal Information

Personal Identifiable Information (PII) or Personal Data is information that can be used on its own or in combination with other information, to identify, contact or locate a single person, or to identify an individual or natural person in context. Personal information does not include anonymised or statistical data that by itself does not allow identification of you as an individual. Sensitive Information or Special Category Personal Data we may collect includes information about an individual’s current health or health history, sexual orientation or religion.

How we collect and use Your Personal Information

In order to provide our services, we will usually need to collect some personal information about the individuals we are assisting. 

We collect information about you when you buy, use or benefit from International SOS' services or products. 

We may not always receive personal information from you directly but also from other sources, such as your employer or your relatives, your insurance company, other assistance companies, financial institutions, medical service providers or travel agencies. 

 

Digital Travel Risk Management Services

If you use our travel assistance app, it will collect some Personal Information and Travel Information. This may include the email address of the app enabled device and your organisation or your personal International SOS membership number, depending on whether you have access to this service by virtue of your employment or whether you are an individual subscriber. The app also periodically collects usage data. 


While the app can also be used without providing your email address, this information is integral to how the app works, as we need to know where you are in order to keep you safe. The app will provide local emergency contact details, tailored medical and security alerts for your location as well as monitoring your location so we can assist you during situations where you may be in danger. Location monitoring is a voluntary feature and you can enable and disable it at any time.

We have engaged a number of third parties to support us with the data processing required to deliver our services:

 

Location of Processing Services 
 USA (1) Server Hosting, Data Aggregation/Transformation 
 France (2) Server Hosting
 India Maintenance, Administration, Development & Support
 USA Administration & Support
 USA Administration & Support
 (1) European clients usually store data on our French server, in which case there is no hosting in the US
 (2) Only applicable to clients who store their data on our French server

If you require more detailed information, please review the Privacy Notice within the app itself or contact dpo@internationalsos.com

 

Medical and Security Assistance including Travel Services

When you speak with someone at one of our Assistance Centres, the call will usually be recorded. We do this for Training and Quality purposes. If you do not wish to be recorded, please let us know and we will call you back on an unrecorded line.

 

In order to assist you, we will usually need to ask you for some personal information, such as your name, contact details and the company you work for, and this will be recorded on our case management system. Such information is required to identify you and respond to you and where required keep a record of our interaction. We will only collect as much Personal Information as is required to provide the service you ask for in a safe and efficient manner. Some of this may be sensitive data such as medical information required to refer you to a suitable healthcare provider.

 

If our coordinators ask you for permission to share your personal information and medical information with your insurer, this will be to allow them to place a Guarantee of Payment so you will not be asked to pay for your medical expenses. Your consent will allow us to submit a claim to your insurer.

 

If our coordinators ask you for permission to share personal or medical information with your employer, this is because your employer has asked us to update them each time we provide assistance so that they can fulfil their Duty of Care and offer support where needed. They may also require us to obtain approval from them before paying for your medical expenses. You can withhold your consent for us to share either your personal information, medical information or both. Where your employer requires us to obtain their approval before making financial arrangements on your behalf, we may not be able to assist you with this if we do not have your consent to contact them.

 

If our coordinators ask you for permission to share your medical information with a third party provider, this will be to allow them to make arrangements on your behalf for which this information is required by the provider (such as hospital admission).

 

Data collected for the purpose of providing medical and security assistance services is kept 2 years and then 1 year in archive.  Please refer to our Data Retention, Archiving and Destruction Policy under https://www.internationalsos.com/privacy.

 

We have engaged a number of third parties to support us with the data processing required to deliver our Medical and Security Assistance Services:

 

 Location of Processing  Services
 USA  Server Hosting
 Singapore  Server Hosting
 India  Maintenance, Administration, Development & Support

If you require more detailed information, please contact dpo@internationalsos.com

 

Medical Services (Clinics)

If you visit one of our clinics, for example for a consultation, medical treatment or occupational health assessment, personal and sensitive information will be collected as part of your medical record maintained by the clinic which allows our medical staff to provide medical advice and treatment as appropriate. We retain original medical records in compliance with applicable regulation.

 

Medical records collected during the time of your treatment are kept for 3 years and then 30 years in archive.  Please refer to our Data Retention, Archiving and Destruction Policy under https://www.internationalsos.com/privacy.

 

Training and E-Learning

International SOS provides Training services and we will collect some personal information as part of attendance or completion records and to issue certificates to candidates.

 

Data collected during the time of your training are generally kept for 2 years and then 1 year in archive.  Please refer to our Data Retention, Archiving and Destruction Policy under https://www.internationalsos.com/privacy.

 

We have engaged a third party to support us with the provision of our Training and E-Learning Services:

 Location of Processing  Services
 UK  Learning Technology Services

If you require more detailed information, please contact dpo@internationalsos.com

 

Concierge Services 

We will ask for your Personal information and Credit Card Information (Card Company, Number, Expiry Date) to assist you and process your payment. We handle all payment information in accordance with the Payment Card Industry Data Security Standard (PCI DSS). Full details are available in the Aspire Privacy Statement at https://www.aspirelifestyles.com/en/privacy-policy.

 

Data collected during the time of Concierge Services have various length of retention, depending on the type of data.  Please refer to our Data Retention, Archiving and Destruction Policy at https://www.internationalsos.com/privacy.

 

We have engaged a number of third parties to support us with the data processing required to deliver our Concierge Services:

 Location of Processing  Services
 USA  Server Hosting 
 Singapore  Server Hosting 
 India  Maintenance, Administration, Development & Support

If you require more detailed information, please contact dpo@internationalsos.com

 

Occupational Health Assessment (MedFit)

We will receive your name and email address from your employer. In the course of providing services, we will also maintain relevant health records received from you and the occupational health clinic. At the end of contract, International SOS will return any such health records in accordance with instructions received from your employer.

 

Medical records collected during the time of your treatment are generally kept for 3 years and then 30 years in archive.  Please refer to our Data Retention, Archiving and Destruction Policy under https://www.internationalsos.com/privacy.

 

We have engaged a number of third parties to support us with the data processing required to deliver our services:

 

 Location of Processing  Services
 USA  Server Hosting 
 France  Server Hosting 

If you require more detailed information, please contact dpo@internationalsos.com

 

International SOS Website

Cookies and Tracking Technology

International SOS Assistance and its partners use cookies or similar technologies to analyse trends, run the website, track our users’ movements around the website, and to gather demographic information about our user base as a whole. You can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features or functions on our website or service.

 

Some of our service providers (e.g. International SOS's service providers monitoring our satisfaction survey) use cookies on the International SOS site. We have no access to or control over these cookies. This privacy statement covers the use of cookies by the International SOS site only and does not cover the use of cookies by anyone else.

 

Acceptance and links to other websites

This website may contain links to other websites, which are there for your convenience and not as an indication of International SOS’s approval. These other websites may have their own policies, which we do not control, and therefore are not covered by this statement or the International SOS Data Protection Policy. 

 

Data protection for minors

We do not knowingly collect any information on anyone who has not reached the age of 18 years through the online services and the International SOS website.

 

CCTV (Closed-Circuit Television)

Closed-Circuit Television, also known as video surveillance, is the use of video cameras to transmit a signal to a specific place, on a limited set of monitors. International SOS uses CCTV solely to deter or detect unlawful behaviour in and around International SOS property and to support the conduct of investigations. 

At locations where International SOS operates CCTV, a privacy notice is displayed.  CCTV recorders are located in areas with restricted access and operated by specifically trained staff only. Tapes are retained no longer than 90 days.  Local legislative requirements are adhered to.

 

How long we keep Your Personal Information

We only retain your personal information as long as it is required and we have a lawful reason. When your personal information is no longer required it will be securely destroyed or transferred in accordance with prior contractual agreement or your own preference. Our data retention policy is published at https://www.internationalsos.com/privacy

Sharing your Personal Information

We do not sell your personal information in any circumstances and our business model does not rely on such action. 

 

Your personal information may be transferred to other companies within the International SOS Group, or to third parties that help us deliver our services to you. These companies may be located in another country. If we need to transfer personal data outside of the EU/EEA, and the recipient country does not have adequacy status, we ensure that the organisation we are transferring the data to is either Privacy Shield certified (if US based) or we have applied the required safeguards such as EC Standard Contractual Clauses. When transferring personal data outside of the EU/EEA to another International SOS entity, we assure that it remains protected. All International SOS entities acting as Data Controller have signed up to our Binding Corporate Rules (approved by the French Data Protection Authority, CNIL) and where they act as Data Processors, the data transfer is safeguarded by inter-company EC Standard Contractual Clauses.

 

Whenever we need to transfer sensitive personal information (such as medical information), we will first ask for your consent. 

 

We do not share your personal information with third parties unless one of the following conditions or reasons applies:

 

We have legitimate interest to do so
To be able to provide our services we may share some personal information with third parties in a way that you would expect, such as providing your name to the medical practice where you have asked us to arrange an appointment for you. We also provide personal information to other companies within the International SOS Group or other trusted businesses or persons to process it for us based on our instructions and in compliance with Data Protection Legislation, our Data Protection Policy and additional confidentiality and security measures.  If you require a list of our third party data processors, please contact dpo@internationalsos.com. 

Or

You have provided explicit consent
We will ask for your explicit consent before sharing any sensitive personal information about you. We will provide you with clear explanations to allow you to make an informed choice. You are entitled to withdraw your consent at any time. 

Or

There is a legal obligation
We may transfer your personal information to Government authorities, agencies and institutions, but ONLY as required or allowed by applicable regulations.

Or

We need to verify your insurance or employment benefits
In some cases we may need to notify third parties such as your insurer or employer, for example to verify your benefits before paying for your medical expenses, and share some of your personal information with them. We will always ask for your consent if sensitive data needs to be shared or if we need to share information for additional purposes that you may not expect. 

 

Accessing, correcting or deleting your Personal Information

In accordance with applicable Data Protection Regulation and our Data Protection Policy, you can seek access to, or revise, or ask to delete or stop processing the personal information that International SOS has collected from you by using our Data Subject Rights Request Form: https://app.whispli.com/InternationalSOS-Data-Subject-Rights-Request

 

If you have a user account, you can access and manage your records through our website. You can also contact the Assistance Centre, clinic, medical service facility or individual employee you have been dealing with. Or you can write to us using the contact link on our website.

 

You can also contact our Data Protection Officer responsible for the jurisdiction in which you are living or where you are receiving our products or services. You can contact our Data Protection Officers at dpo@internationalsos.com.

 

When you make a Data Subject Right Request, 

(a) You will be asked to provide International SOS with details of the data requested to help us to discover the data more easily;
(b) If you are asking to correct your data, we may need to ask for the reasons why that data needs correction; 
(c) You may be asked to provide proof of who you are; 
(d) If we act as Data Processor on behalf of your employer, we will need to seek instructions from your employer before we can address your request;
(e) Sometimes we may not be able to fulfil your request due to conflicting legal obligations (such as having to maintain medical records for a certain amount of time) or because we have another legitimate interest that we consider lawful under applicable Data Protection Legislation.

 

We will acknowledge your request within 5 working days.

 

We strive to fully address your request as soon as possible and to respond to you within no more than 30 calendar days from the date it is received and your identity has been verified. In some cases of greater complexity or if you have submitted multiple requests, we may need to extend this period by a further two months. We would let you know if an extension is required before the initial 30 days have elapsed.

 

If International SOS is asked to destroy personal information, we will ensure that its recreation is prevented and shall take reasonable care to make sure that there is no unauthorised disclosure during the destruction of the data. To allow us to do this, we will maintain a record of all such requests, including a minimum of personal information required. If you are dissatisfied with our response to your Data Subject Rights Request, please do not hesitate to contact us to discuss further. Please see below How to resolve disputes with International SOS for details.

 

How we protect your Personal information

  • We have group-wide independent certification to the International Information Security standard ISO 27001 https://www.iso.org/isoiec-27001-information-security.html 
  • We invest in industry-standard encryption and commission regular penetration testing and continuous threat monitoring
  • We thoroughly and routinely vet the Information Security Management Systems of all our third party IT vendors
  • The certification of our Binding Corporate Rules  by the French Data Protection Authority (CNIL) means that you can be sure that your data is protected even when we need to transfer it to other entities of the International SOS group
  • Our Data Protection Officers monitor Data Protection regulation developments globally to ensure that we are always compliant with legal requirements.
  • We have internal policies to prevent inappropriate or unauthorised access or disclosure or accidental loss of personal information and all employees receive regular Data Protection training.
  • We have implemented physical security measures to safeguard personal information from misuse, alteration, accidental loss or destruction.

 

How to resolve disputes with International SOS

To resolve a dispute you can contact the Assistance Centre, clinic, medical service facility or individual employee you have been dealing with. Or you can write to us using the contact link on our website. 

 

You may also direct all enquiries, concerns or complaints regarding our processing of your personal information to our Chief Privacy Officer at dpo@internationalsos.com, and if you are based in the EU or EEA you can contact our Data Protection Officer, Europe at dpo.europe@internationalsos.com. If you are dissatisfied with the manner in which your request or concern regarding our Online Services is being addressed, you can contact privacy@internationalsos.com. 

 

We promise to investigate and address all concerns and complaints as quickly as possible. We will provide an acknowledgement of your query together with an indication of the approximate length of time that it will take us to review it within a week of receipt. If it will likely take us longer than two weeks to address your query, we will also provide you with regular updates throughout the process. We strive to fully address your request as soon as possible and to respond to you within no more than 30 calendar days from the date it is received. In some cases of greater complexity or if you have multiple concerns, we may need to extend this period by a further two months. We would let you know if an extension is required before the initial 30 days have elapsed.

 

If we act as Data Processor on behalf of a Data Controller such as your employer, a relative's employer, an association or institution, or an insurance or financial services program, we first need to seek instructions from this Data Controller. Should the Data Controller become unavailable to issue such instructions (ceased trading for instance), International SOS commits to independently address your query or complaint regardless, in as far as possible.

 

Likewise, if you receive services from International SOS through  a third party such as listed above, and your personal information has been improperly handled a result of the actions or inactions of such third party, we cannot be liable for resolving any resulting disputes. We will direct you to the appropriate point of contact in such cases.

 

You have the right at any time, to raise your issues with a data protection authority or to take your case to a court of law.

 

Changes to this Statement

We regularly review and on occasion update this statement to ensure it remains in line with developments in our business and operational infrastructure and capabilities, and with applicable regulation and our Information Security and Privacy Policies. We will inform you of such changes by prior notification, usually through the www.internationalsos.com website. This statement is not intended to create any contractual or other legal rights; its purpose is to explain how your personal information will be processed to allow the provision of International SOS services and how you can make use of your rights under data protection legislation in relation to such processing.