Data Privacy Policy

Our approach to personal information

It is of great concern for us, YOUNA, to inform you, our customers, how your personal data is used and processed. Please take some time to read the following important points. In order to provide our health insurance related services, a company such as ours needs to receive the necessary data, store it, and undertake checks on it.

For example, we need to collect the financial data of our customers in order to make the transactions related to reimbursement.

We receive the data that we use either directly from our customers or from intermediaries such as their employers. Our customers are the main member or lead insured, as well as his/her spouse and the other members of his/her family (the children) who are included in the insurance contract.

If you have questions concerning personal data protection, please contact our data protection office at any time.

Contact details concerning your personal data:

Youna International TPA Services

Privacy Officer

Route des Jeunes 35, 1227 Les Acacias – Switzerland

Tel: +41 22.552.41.23

E-mail: privacyofficer@youna-ihs.com

 

YOUNA Belgium remains our GDPR representative within the EU:

Youna Belgium

231 Avenue Louise, 1050 Bruxelles

Tel: +32 2 319 64 13

E-mail: privacyofficer@youna-ihs.com

Your personal data

Personal data is information which relates to an identified person or allows a natural person to be identified (directly or indirectly). This includes, in our case as a health insurance company:

  • Identification information (first name, last name, nationality…)

  • Directory information (telephone number, addresses, email…)

  • Financial information (IBAN, bank information)

  • Professional information (position, address, matricule number…)

  • Health information (medical certificate, medical form, medical invoices…)

We put a specific emphasis on the security and the appropriateness of the way we store and process your personal data, taking the Swiss and European Union’s General Data Protection Regulations as our standard. Our IT environment is regularly audited with regard to the access authorizations, the security measures, the continuity and change management.

The reason why we use personal data

We provision and process your personal data in order to either affiliate you and provide you with our health insurance services or perform business analysis necessary to run our company and improve our services to our customers.

More specifically, we:

  • Set up insurance plans with our customers

  • Refund our customers for the treatments that are included in their plans

  • Refund the healthcare providers for the treatments that are included in the plans

  • Perform actuarial and statistical analyses necessary for the management of the business.

For instance, we are provided with the details of a hospitalisation or illness of our customers in order to:

  • check whether the case relates to the health insurance benefits we provide

  • and if this is true, pay the corresponding bill to the person involved.

The legal ground under which we process personal data

Our personal data processing operations are lawful and fair.

In compliance with article 6 [1.a] of the General Data Protection Regulation, the processing of our customers’ personal data is necessary either to perform our contractual obligations with them or to take steps, at their request, to enter into a health insurance plan. We process some personal data other than health data in a pseudonymised way in order to produce statistics necessary for the management of our activities. Such statistical processing is compatible with the performance of our contractual services to our customers and is based on our legitimate interest in compliance with article 6 [1.f] and recital 50.

With regard to personal health information, we only process this category of information in the context of employment and social security (e.g. reimbursement of healthcare) as allowed by article 9 [1.b].

Who we can transfer personal data to

We pay great attention to the choice of our business partners and we transfer personal data to them when this is indispensable.

Our business partners are not permitted to share or use personal information we make available to them for any other purpose than to provide services to us. They are required to follow the General Data Protection Regulation as much as we are.

For instance, we provide financial information to our bank partners to reimburse our customers. We provide directory information to our mail delivery partners in order to provide our customers with the contractually agreed information. We cautiously and rigorously exchange health data with both our own medical advisors and the organisations providing healthcare services to our customers.

All our third parties are contractually bound to confidentiality. In particular, our medical advisors are bound to medical secrecy. Moreover, we only transfer the type of data that is necessary for the specific third party. We do not transfer data to business partners who don’t need it for their services.

In this context, data may be transferred as an electronic file, by email, by fax or on paper.

Where we store personal data

We take steps to ensure that the information we collect is processed according to this Privacy Statement and the requirements of applicable laws wherever the data is located.

YOUNA has networks, databases, servers, systems, support, and help desks hosted in Switzerland. We collaborate with third parties such as cloud hosting services, suppliers, and technology support located in this country to serve the needs of our business, workforce, and customers. Through contractual agreements and audits, we take appropriate steps to ensure that personal information is processed, secured, and transferred according to applicable law.

Due to the global nature of our services, your personal information may be transferred for processing/shared with and/or accessed by parties located in other countries and may be subject to data protection laws of those jurisdictions. The countries to which we may transfer your personal information may not be regarded by the European Commission or the DIFC Commissioner as ensuring an adequate level of protection for personal information.

When we transfer your personal information to any of these countries, we will conduct the transfer in accordance with applicable data protection law. This may include ensuring that appropriate safeguards, such as contractual obligations, are put in place with respect to the protection of your personal information and your fundamental rights and freedoms, and your rights in relation to your personal information. If you would like further information regarding the steps we take to safeguard your personal information, or to obtain a copy of the safeguards we put in place to protect it when it is transferred, please contact us using the details in the “Contacting Us” section below.

How long we store personal information

We store our customers’ personal data for the longest of the periods necessary:

  • To comply with the applicable regulatory and legal obligations and

  • To manage our operational constraints such as adequate customer account management, adequate support for our customers’ requests or answering legal claims

Therefore, we keep the vast majority of our customers’ information at least 10 years after the end of our contractual agreement with them. As a matter of fact, we only delete those data when absolutely required and mandatory to do so.

How we secure personal information

YOUNA takes data security seriously, and we use appropriate technologies and procedures to protect personal information. Our information security policies and procedures are closely aligned with widely accepted international standards and are reviewed regularly and updated as necessary to meet our business needs, changes in technology, and regulatory requirements.

The following list of technical and organizational measures describes the measures we applied within YOUNA’s environment:

Confidentiality

  • Physical Access Control
    No unauthorised access to Data Processing Facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV Systems

  • Electronic Access Control
    No unauthorised use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media

  • Internal Access Control (permissions for user rights of access to and amendment of data)
    No unauthorised Reading, Copying, Changes or Deletions of Data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events

  • Pseudonymisation
    The processing of personal data in such a way that the data cannot be associated with a specific Data Subject without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures.

  • Data Transfer Control 
    No unauthorised Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature.

  • Data Entry Control
    Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management.

  • Availability Control
    Prevention of accidental or wilful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning

  • Rapid Recovery

  • Procedures for regular testing, assessment and evaluation

  • Data Protection Management

  • Incident Response Management

  • Data Protection by Design and Default

  • Order or Contract Control
    No third party data processing as per Article 28 GDPR without corresponding instructions from the Client, e.g.: clear and unambiguous contractual arrangements, formalised Order Management, strict controls on the selection of the Service Provider, duty of pre-evaluation, supervisory follow-up checks.

Cookies and automated decision-making programs

We do not use cookies or any automated decision-making program. If, however, this changes in the future, we will comply with industry guidelines and applicable laws.

Links and connections to third-party services

Our Services may contain links to and may be used by you in conjunction with third-party apps, services, tools, and websites that are not affiliated with, controlled, or managed by us. Examples include Facebook, LinkedIn, Twitter®, and third-party apps like voice software and readers. The privacy practices of these third parties will be governed by the parties’ own Privacy Statements. We are not responsible for the security or privacy of any information collected by these third parties. You should review the privacy statements or policies applicable to these third-party services.

Your rights as data subjects

We respect the General Data Protection Regulation.

Therefore, we only use data that has been provided upon request from you and process it under contractual agreement with you, and we will gladly comply with any legitimate request you may have:

  • Access: You have the right to access and rectify your personal information at any time.

  • Erasure and restriction: under legitimate conditions, you may also have the right to request erasure of your personal data or a restriction on a given processing. For instance, the processing might be restricted in order to correct specific personal data.

  • Objection: under specific regulatory criteria, and with regard to the terms and conditions of our contractual agreement, you may have the right to object to the processing of your personal data (e.g. processing related to direct marketing, processing based on your consent or processing based on our legitimate interest if you actively intend to contest its lawfulness).

  • Portability: for personal data you directly provided to us and which we process with automated means, you have the right to obtain your personal data in a structured, commonly used machine-readable format and transfer it to another organisation of your choice. You may also request us to transfer those data directly to another organisation: we will be glad to comply within the limits of our technical means.

In addition, you have the right to lodge a complaint with a public supervisory authority in Switzerland and/or the European Union.

In any case, please contact our Data Protection Officer.

Errors and Omissions

If you believe that there may be an error in any of the information that you have submitted to YOUNA, or in any personal information that we have displayed, please email:

privacyofficer@youna-ihs.com

We will review your records as soon as possible.

Additional information

We will amend this privacy statement from time to time and for this reason, it is valid for a period of 1 day from the date you have viewed it. We recommend that you read this statement regularly.