Cigna Global: Customer Data Protection Notice

In this DPN references to "we" or "us" refers to the relevant Cigna group entity that is the controller of your personal information. Depending on the specific terms and conditions of the policy you are covered by, one of the following Cigna entities will be the controller for any of the personal information you provide:

• Cigna Life Insurance Company of Europe S.A.-N.V. (Registration Number 0421.437.284) is registered in Belgium with limited liability and authorized under license number 0938, having it’s registered office at Plantin en Moretuslei 309, 2140 Antwerp, Belgium and subject to the prudential supervision of the National Bank of Belgium and the supervision of the Financial Services and Markets Authority in the field of consumer protection and subject to limited regulation by the Financial Conduct Authority.
• Cigna Europe Insurance Company S.A.-N.V.(Registration Number 0474.624.562) is registered in Belgium with limited liability and authorized under licence number 2176, having it’s registered office at Plantin en Moretuslei 309, 2140 Antwerp, Belgium and subject to the prudential supervision of the National Bank of Belgium and the supervision of the Financial Services and Markets Authority in the field of consumer protection and subject to limited regulation by the Financial Conduct Authority.
• Cigna Europe Insurance Company S.A.-N.V. UK Branch (Financial Services Register No. 207198) is a foreign branch of Cigna Europe Insurance Company S.A.-N.V. (Brussels Trade Register no. 0474.624.562), registered in Belgium with limited liability at Plantin en Moretuslei 309, 2140 Antwerpen, Belgium). Registered in England and Wales with registered number BR017168, having its principal place of business at 13th Floor 5 Aldermanbury Square, London, EC2V 7HR. Authorised and regulated by the National Bank of Belgium. Authorised by the Prudential Regulation Authority. Subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request.
• Cigna Global Insurance Company Limited, with corporate address at PO Box 155, Mill Court, La Charroterie, St Peter Port, Guernsey, GY1 4ET and regulated by the Guernsey Financial Services Commission under number 41925.
• Cigna European Services (UK) Limited (Company Number 00199739). Registered office at 5 Aldermanbury Square, London EC2V 7HR.
• Cigna Life Insurance Company of Europe SA-NV, UK branch (Financial Services Register No. 202845) is a foreign branch of Cigna Life Insurance Company of Europe S.A.-N.V. (Brussels Trade Register no. 00421.437.284), registered in Belgium with limited liability at Plantin en Moretuslei 309, 2140 Antwerpen, Belgium. Registered in England and Wales with registered number BR000754, having its principal place of business at 13th Floor 5 Aldermanbury Square, London, EC2V 7HR. Authorised and regulated by the National Bank of Belgium. Authorised by the Prudential Regulation Authority. Subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request.
• Cigna Insurance Management Services (DIFC) Limited, with corporate address at Unit 01, Level 6, Currency House - Building 1, Dubai International Financial Centre (“DIFC”), Dubai, 112281, United Arab Emirates and regulated by the Dubai Financial Services Authority.

The company collecting your personal information depends on the insurance entity which provides your insurance cover.and can be found in your member booklet or certificate of insurance or will be the company which is in contact with you if you are our point of contact at a prospective client. This Cigna entity is the controller of your personal information. The Cigna group entity which is the controller for the purposes of this DPN can be found in your Policy Documents and certificate of insurance, or will be the Cigna group entity which is in contact with you if you are our point of contact at a prospective client. If you have any questions or queries about which Cigna group entity listed above is the controller in relation to your personal information, please do not hesitate to get in touch with us using the details set out in the “Contacting Us” section below.

As the controller we are responsible for complying with data protection laws. This DPN describes what personal information we may collect from you, why we use your personal information, your rights in relation to it, and more generally the practices we maintain and ways in which we use your personal information.

We have appointed a data protection officer to oversee our handling of personal information. If you have any questions about how we collect, store or use your personal information, you may contact our data protection officer using the details set out in the “Contacting Us” section below.

We collect personal information about:

• Previous, current and prospective policyholders
• Previous, current and prospective covered parties under policies
• Users of the https:/www.cignaglobal.com/website
• Claimants
• Business contacts at prospective clients

We collect information about you:

• On application for a policy
• On underwriting of a policy
• If a claim is made under a policy
• On renewal of a policy
• When you contact us to make a mid-term alteration to your policy
• When you use our website
• When you respond to a customer survey
• When you contact us, including when you get in touch to ask questions or update your personal information
• When you make a complaint
• From third parties (you can find out more about this in the sections below)

The personal information that we collect will depend on your relationship with us. We will collect different information depending on whether you are a policyholder, a covered party under a policy, claimant, witness, broker or other third party.

Please note, in certain circumstances we may request and/or receive "sensitive personal information" about you. For example we may need access to health records for the purposes of providing you with a policy or processing claims.

If you provide personal information to us about other individuals you agree:

(a) to inform the individual about the content of this DPN; and

(b) to obtain any consent where we indicate that it is required for the processing of that individual's personal information in accordance with this DPN.

Personal information

• General information such as your name, address, contact details, date of birth, gender, relationship to the policyholder (where you are not the policyholder)
• Identification information such as national insurance number, passport number or driving license number
• Information about your job including job title, employment history, education history and professional accreditations
• Information relevant to your insurance policy Information relevant to your claim (for example a medical report)
• Information relating to previous policies or claims
• Financial information such as your bank details, payment details and information obtained as a result of our credit checks
• Information obtained through our use of cookies. You can find more information about this in our cookies policy
• Any correspondence via email or telephone with our Customer Contact Centres
• Your marketing preferences and information about the types of Cigna products and services in which you may be interested

Sensitive Personal Information

• Details of your current and past physical and/or mental health
• Data concerning your sex life and/or sexual orientation

We collect the personal information outlined above from a number of different sources including:

• Directly from you or from someone else on your behalf such as:
  • From other third parties involved in your insurance policy or claim such as your broker or another insurer, claimants, defendants or witnesses
  • From other third parties who provide a service in relation to your insurance policy or claim such as loss adjusters, claims handlers, experts (including medical experts), healthcare providers and other service providers
  • From medical reports and counsel opinions
  • From emergency assistance and medical services providers
  • From claims services providers
• Via publicly available sources such as internet search engines, business directories and / or social media sites
• From other companies within the Cigna group
• Through customer surveys
• From credit reference agencies
• Via insurance industry fraud prevention and detection databases and sanctions screening tools

We may be required by law to collect certain personal information about you, or to collect your personal information as a consequence of a contractual relationship we have with you. Failure to provide this information may prevent or delay the fulfilment of these obligations. For example, if you do not provide certain personal information, we will not be able to provide you with a policy. We will inform you at the time your personal information is collected whether certain data is compulsory and the consequences of the failure to provide such data.

We may process your personal information for a number of different purposes. For each purpose we must have a legal ground for such processing. When the information that we process is classed as sensitive personal information, we must have an additional legal ground for such processing.

Generally we will rely on the following legal grounds:

• Where the use of your information is necessary for the performance of a contract to which you are a party, or in order to take steps at your request before entering into a contract. For example, we will use this legal ground to provide your insurance policy and our services, and for activities such as assessing your application, managing your insurance policy and handling claims
• Where we have a legitimate interest in using your personal information. If we rely on this legal ground, we will put in place robust safeguards to ensure that your privacy is protected and that our legitimate interests are not overridden by your interests or fundamental rights and freedoms. We may rely on this legal ground for the purpose of maintaining our business records or developing and improving our products and services, for developing and carrying out certain marketing activities and provide you with information which may be of interest to you and/or your business, or where we have a legal or regulatory obligation to use your personal information
• In exceptional circumstances, where our use of your personal information is in your, or another person's vital interests
• Where the use of your personal information is necessary to establish, exercise or defend our legal rights and/or claims
• It is necessary for the purposes of preventive or occupational medicine
• It is necessary for an insurance purpose, in line with any laws that apply (for example, dealing with a claim made under an insurance contract, or relating to rights and responsibilities arising in connection with an insurance contract or law)
• It is necessary for the purposes of preventing or detecting an unlawful act (for example , anti-fraud checks)
• It is necessary for a purpose designed to protect the public against dishonesty, malpractice or other seriously improper behaviour
• It is in the public interest, in line with any laws that apply
• Where you have provided your consent to our use of your personal information. If we ask for your consent to process your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this DPN.

We may use automated decision making processes to make decisions or conduct 'profiling' about you. This involves using software to process your personal information, to evaluate your personal aspects and to predict risks or outcomes. We use automated decision making processes:

• in the context of auto-renewal of certain types of policies, including to determine what the cost of renewing the policy will be;
• for the purposes of fraud prevention.

These decisions may have legal or similar effects for you. For example, we may use them to decide what the cost of renewing your policy will be. We will, however, only make these kinds of automated decisions where:

• they are necessary for entering into a contract with you;
• they are authorised by law;
• you give your consent to us carrying out automated decision-making.

You can contact us to request further information about automated decision-making. In some circumstances you can object to our use of automated decision-making processes, or request that an automated decision is reviewed by a human being.

From time to time, we may share your personal information with third parties for purposes consistent with those described in this DPN. If you would like further information regarding the disclosures of your personal information, please get in touch with us directly.

Disclosure within our group

From time to time, we may share your personal information within Cigna group companies for purposes consistent with those described in this DPN. You can find permanently updated information about the Cigna group on the following website: https:/www.cigna.com/about-us/. Access to personal information within Cigna is restricted to those individuals and entities who have a requirement to access the information for the purposes described in this DPN.

Disclosures to third parties

We also disclose your personal information to the third parties listed below for the purposes described in this DPN. This might include:

• Our insurance partners such as brokers, other insurers and intermediaries and agents, reinsurers, reinsurance brokers, appointed representatives or other companies who act as insurance distributors
• Other third parties who assist in the administration of your insurance policy or claim or to whom the administration of your insurance policy or claim is outsourced, such as loss adjusters, claims handlers, accountants, auditors, lawyers and other experts
• Fraud detection agencies and other third parties who operate and maintain fraud detection registers
• External law firms who are assisting us with recoveries, fraud matters or disputed claims issues
• Investigative firms we brief to look into claims on our behalf in relation to suspected fraud
• Health providers (for example, a hospital which is responsible for any treatment you receive through your policy)
• Our emergency assistance and medical services providers, and other third parties they use to assist with claims including healthcare providers, overseas agencies and cost containment agencies.
• Our regulators and other governmental or public authorities where we believe it necessary to comply with a legal or regulatory obligation
• The police and other third parties or law enforcement agencies where we believe it necessary for the prevention or detection of crime or to comply with a legal or regulatory obligation
• Third parties involved in court actions where we believe to be necessary or appropriate to comply with legal process
• Debt collection agencies
• Credit referencing agencies
• Professional advisors such as actuaries, auditors, lawyers, accountants and tax advisers
• Our third party services providers such as IT suppliers, marketing agencies, translators, document management providers and the print provider(s) that print policy documents and customer communications on our behalf
• Third parties who undertake analysis on our behalf for the purposes of improving our services and products
• Selected third parties in connection with any sale, transfer or disposal of our business

We may use your personal information to provide you with information about our products or services, or those of our partners which may be of interest to you, where you have provided your consent for us to do so.

In certain circumstances, we may also use your personal information to contact you for marketing purposes where we have a legitimate interest to do so. This will include where you are our business contact with a prospective client, and we would like to provide you with information about our products, services or events which we consider may be of interest to you and / or your business.If you wish to unsubscribe from emails sent by us, you may do so at any time by clicking on the "unsubscribe" link that appears in all marketing emails. Otherwise you can always contact us to update your contact preferences by using the details in the “Contacting Us” section below. Please note, however, that we will continue to send you service related (non-marketing) communications.

We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this DPN and in order to comply with our legal and regulatory obligations. Our default retention period is 10 years. However, depending on the jurisdiction that governs our contract with you and the type of information involved, our general retention period may vary between 7 to 10 years. If you would like further information regarding the periods for which your personal information will be stored, please see the details in the “Contacting Us” section below for our contact details.

Due to the global nature of our services, your personal information may be transferred for processing/shared with and/or accessed by parties located in other countries and may be subject to data protection laws of those jurisdictions. The countries to which we may transfer your personal information may not be regarded by the European Commission or the DIFC Commissioner as ensuring an adequate level of protection for personal information (for instance the United States and Canada).

Where we transfer your personal information to any of these countries, we will conduct the transfer in accordance with applicable data protection law. This may include ensuring that appropriate safeguards, such as contractual obligations, are put in place with respect to the protection of your personal information and your fundamental rights and freedoms, and your rights in relation to your personal information. If you would like further information regarding the steps we take to safeguard your personal information, or to obtain a copy of the safeguards we put in place to protect it when it is transferred, please contact us using the details in the “Contacting Us” section below.

Depending on your location and the compliance requirements that may apply there you may receive additional privacy notices from us or from our partners.

Under data protection law you have certain rights in relation to the personal information that we hold about you. You may exercise these rights at any time by contacting us using the details set out in the “Contacting us” section below.

Please note:

• In some cases we may not be able to comply with your request (e.g. we might not be able to delete your data) for reasons such as our own obligations to comply with other legal or regulatory requirements. However, we will always respond to any request you make and if we can't comply with your request, we will tell you why
• In some circumstances exercising some of these rights (including the right to erasure, the right to restriction of processing and the right to withdraw consent) will mean we are unable to continue providing you with your policy and may therefore result in the cancellation of your policy. Your policy terms and conditions set out what will happen in the event your policy is cancelled.

Your rights include

• The right to access your personal information. You are entitled to a copy of the personal information we hold about you and certain details about how we use it. There will not usually be a charge for dealing with these requests. Your information will usually be provided to you in writing, unless otherwise requested, or where you have made the request by electronic means, in which case the information will be provided to you by electronic means where possible.
• The right to rectification. We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.
• The right to erasure. In certain circumstances, you have the right to ask us to erase your personal information. Please note that in some circumstances exercise of this right will mean we are unable to continue providing you with your policy and may therefore result in the cancellation of your policy. Your policy terms and conditions set out what will happen in the event your policy is cancelled.
• The right to restriction of processing. In certain circumstances, you are entitled to ask us to stop using your personal information. Please note that in some circumstances exercise of this right will mean we are unable to continue providing you with your policy and may therefore result in the cancellation of your policy. Your policy terms and conditions set out what will happen in the event your policy is cancelled.
• The right to data portability. In certain circumstances, you have the right to ask that we provide your personal information to you in a commonly used electronic format, and to transfer any personal information that you have provided to us to another third party of your choice.
• The right to object to marketing. You can ask us to stop sending you marketing messages at any time.
• The right not to be subject to automated decision-making (including profiling). You have a right in some circumstances to not be subject to a decision based solely on automated means. Please note that personal information, including sensitive personal information, may be used in the context of auto-renewal of certain types of policies which involves automated decision making to determine what the cost of renewing the policy will be. We will ask you when you purchase your policy if you would like to opt into auto-renewal. However, even if you opted in at this point, you have the right to opt out at any time.
• The right to withdraw consent. For certain uses of your personal information, we will ask for your consent. Where we do this, you have the right to withdraw your consent to further use of your personal information. Please note that in some circumstances exercise of this right will mean we are unable to continue providing you with your policy and may therefore result in the cancellation of your policy. Your policy terms and conditions set out what will happen in the event your policy is cancelled.
• The right to lodge a complaint with a data protection authority. You have a right to complain to the applicable data protection commissioner or to the data protection authority in the location in which you live or work, or in which you consider your complaint arose, if you believe that any use of your personal information by us is in breach of applicable data protection laws and regulations. More information can be found at:
• The Information Commissioner’s Office website at: https://ico.org.uk/ and;
• The Dubai International Finance Centre (DIFC) website at: https://www.difc.ae/business/operating/data-protection/.
• If you require further information on how to raise a complaint or would like the details of the applicable data protection authority please get in touch using the details in the “Contacting Us” section below and we can provide you with this information. Making a complaint will not affect any other legal rights or remedies that you have.

We use a range of physical, legal, organisational and technical security measures which are consistent with applicable data protection laws to protect your information. Firewalls are used to block unauthorised traffic to the servers and the actual servers are located in a secure location which can only be accessed by authorised personnel and our internal procedures cover the storage, access and disclosure of your information.

If you have any questions about how we collect, store or use your personal information, you may contact our data protection officer at:

Data Protection Officer / Cigna

Plantin en Moretuslei 309, 2140 Antwerp, Belgium.

Email: privacy.europe@cigna.com