Data protection

When processing its policyholders' health data, CSS is subject to strict data protection provisions. Alongside the provisions of the law, the employees of CSS must additionally comply with internal guidelines on data processing.


General Data

We process general personal data about you, such as your name and contact details.

Financial Data

We process your financial data.

Health Data

We process your health data.

Provided Data

We process personal data that you provide to us.

Collected Data

We process personal data that we collect about you.

Received Data

We process personal data about you that we receive from third parties.

Marketing

We use your personal data for marketing and advertising.

Product Development

We use your personal data for the development and improvement of products and services.

Other Purposes

We use your personal data for other purposes without direct connection with the core service.

Profiling

We analyse your behaviour and make assumptions about your interests and preferences.

Automated Decision-Making

We make significant decisions based on fully automated processing.

Data Transfers

We transfer your personal data to other companies that decide themselves how to use the data.

No Data Sale

We do not sell your personal data.

Switzerland and Europe

We only process your personal data in Switzerland and in the EEA.

General

This privacy statement governs the processing of personal data by the website css.ch and applies to all products and services of the companies of the CSS Group (in particular CSS Health Insurance Ltd, CSS Insurance Ltd and CSS Life Insurance Ltd; together referred to as 'CSS', 'we' or 'us').

This privacy statement explains how we collect and process personal data. More information about the processing of specific data is provided in our cookie policy as well as in insurance applications, regulations and general insurance conditions, terms and conditions of participation, declarations of consent and other documents.

This privacy statement refers to our processing of the data of natural persons, including persons who are interested in a CSS product or service, persons who are or were insured with CSS or who are involved in a CSS insurance policy as a beneficiary or in another capacity, persons who interact with CSS in the context of their activities on behalf of service providers, public authorities and offices, and users of the websites, apps and other digital applications of CSS.

Controller, data protection officer, representative

Controller

The CSS company that is your contracting partner is responsible for the processing of data relating to your insurance contract. CSS Health Insurance Ltd is responsible for the processing of all other data.

We will inform you separately if CSS companies are jointly responsible for the processing of specific data.

Data protection officer

We have appointed a data protection advisor. You can contact us as follows if you have any questions or concerns pertaining to data protection:

CSS
Data Protection Officer
Tribschenstrasse 21
Postfach 2568
CH-6002 Lucerne
email: datenschutz@css.ch

Representative for matters under data protection law in the EU and within the scope of the GDPR

Insofar as our processing of data is subject to the EU’s General Data Protection Regulation (GDPR), Martina Schmid is our representative pursuant to Art. 27 GDPR. You can reach Martina Schmid as follows:

Martina Schmid
BWO GmbH
Bauernwaldstrasse 77
D-70195 Stuttgart
email: privacy-eu@css.ch

What personal data does CSS process?

Personal data is defined as all information relating to an identified or identifiable natural person. Depending on your relationship with us (e.g. policyholder, insured person, beneficiary, beneficial owner, premium payer), and sometimes also the product category, we may process the following categories of personal data in particular:

  • Information about you as a person: in particular your name, contact details and financial information, date and place of birth, address, languages, family relationship, nationality, canton and commune of origin, phone number, email address, gender, profession, identifying information (e.g. passport, identity card), photos, whereabouts, AHV number, contract and insurance number, signature, deputyship;
  • Information about the contract: in particular bank account details, contractual data required for the processing of payments (e.g. account numbers), premium payments and any premium reductions, outstanding balances and reminders; insurance product, nature and scope of benefits, start date and termination date, suspension and deductibles;
  • Risk assessments relating to you as a person and the insured subject matter when reviewing applications, in particular information about previous and other insurance policies and claims incurred; profession and data concerning health, and in some cases information to determine your creditworthiness;
  • Data for the processing of benefit claims: With regard to health insurance (basic insurance) and insurance under the VVG, we process the following personal data in particular: information about claims for repayment, billing data and health data, in particular data concerning diagnosis and treatment, doctor's reports and other information provided to us by doctors, hospitals, pharmacies and other service providers. For other insurance products, this refers to data about the insured items, buildings or activities, and their financing if necessary, as well as the settlement of claims, e.g. claim report, claim number, information relating to the claim assessment, number of claims and information about third parties, e.g. injured parties and involved persons;
  • Communication data: in particular information about the preferred communication channel, information about and contents of correspondence by letter, email, phone, via myCSS or other communication channels, and records on client satisfaction. Phone and video calls may be recorded to document a conversation, for quality assurance purposes or for training and evidentiary purposes. In each case, callers will be expressly informed that the call is being recorded;
  • Data pertaining to the use of the website or the myCSS client portal: in particular IP address and other device identifiers, access data (including passwords), date, time and number of visits to the website, pages and content called up, referring websites, cookies. More information about the use of cookies and similar technologies is provided in the cookie policy;
  • Marketing data: in particular personal preferences and interests, newsletter subscriptions and cancellations, delivered marketing messages and reactions to such messages.

We primarily collect personal data about the persons who are involved in a business relationship or the initiation of a business relationship, insured persons, clients and other business partners and service providers as well as data concerning the persons who use our websites, apps and other applications. This data is collected, for example, by way of contact and application forms, from email or letter correspondence, by phone, during participation in competitions and surveys, and in the context of contractual relationships, e.g. when performing benefit checks or making payments.

In certain situations we also collect personal data from third parties such as service providers, business partners, social insurance providers if official or administrative assistance is provided, other private insurance companies, deputies, legal representatives, social services and public sources. Information about the ways in which data is collected is provided in "Insurance relationship".

When you disclose data about third parties, we assume that you are authorised to do so and that this data is correct. You confirm this assumption by transmitting third-party data. We would therefore ask you to inform such third parties about our processing of their data and to give them a copy of this privacy statement. When we inform you that a new version of these documents has been published, you should also provide them with copies of the new version.

For what purposes do we process your data?

Visits to CSS websites

Data collected automatically

When you visit our websites, CSS stores and uses technical data and certain usage data. The following data in particular is saved in log files when you access our websites: IP address; general information on the operating system and browser; device API; date, time and duration of visit; browser query; any add-ons you use; the website that referred you to us; general information on your surfing behaviour, such as whether or not you click on advertising banners, complete a form or download files.

We use this data to improve the user experience, e.g. through website personalisation. The data allows us to provide the offered services and is also used for analyses.

Forms

Data that you send to CSS via the forms on the website is transmitted in encrypted form using the latest technology. This data is only used as intended for the processing of offers and for marketing purposes (excluding basic insurance) within CSS.

If you are already a client of CSS, or would like to become one, we can link the personal data that you provide to us via the website with the contract data which we already hold.

Premium calculator and online application

By entering your data in the premium calculator you grant permission for CSS to contact you by phone or other means with regard to providing you with a quote for insurance. Your personal data is only sent to us if you complete the electronic contact form with all your personal details and then confirm the process. Detailed information about the processing of data in connection with applying for and taking out insurance can be found in the insurance application form and client information about your insurance as well as the enclosed information sheet on data protection.

We will pass on your data to a service partner contracted by us if third-party services are required to process an enquiry you submit online or by phone, or to process your contract. In such cases, you authorise us to do so by providing us with your data. This partner is contracted by CSS and is subject to the same data protection provisions as CSS itself.

Live chat and digital assistance (SIA)

When you use the live chat, the data you submit is processed to provide quick answers to your questions and to improve the user experience. Among other methods, artificial intelligence (AI) is used to process this data. You can find more information in the cookie policy.

Insurance relationship

Basic insurance in accordance with the Federal Health Insurance Act (KVG)

The information provided in this section applies to the standard model as well as the alternative models. For mandatory basic insurance, we process data in accordance with the applicable legal basis, in particular for the purposes listed in Art. 84 KVG, e.g.

  • to ensure compliance with the insurance obligation;
  • to calculate and collect the premiums;
  • to assess benefit claims and to calculate, grant and coordinate benefits with those paid by other social insurance schemes;
  • to assess claims to premium reductions and to calculate and grant such reductions;
  • to assert a right of recourse against a liable third party;
  • to prepare statistical evaluations;
  • to attribute or verify the insured person's AHV number;
  • to calculate the risk compensation.

Alternative basic insurance models

In addition to the standard model, alternative models of basic insurance are also offered. The relevant information in this regard is provided below:

Family Doctor models: When taking out Family Doctor Insurance, insured persons agree that the coordinating doctor may receive access to the data necessary for this insurance model concerning diagnosis, treatment and billing in connection with the provision of medical care. This form of insurance also requires an exchange of data between the coordinating doctor, CSS, and any third parties involved.

The data in question concerns the diagnosis, treatment and billing of the insured persons. This data will be made available in particular to specialists, hospitals and other persons and institutions involved in organising or providing medical services for the purpose of performing the contract or if a change of coordinating doctor occurs.

Telmed models: When taking out a Telmed model, insured persons agree that CSS may process their personal data in order to determine the premium, process claims and perform statistical analyses.

CSS may pass on data to authorised third parties (in particular co-insurers or reinsurers) to the extent required and permitted by law. In addition, to the extent permitted by law, CSS may acquire data from service providers, other insurers and authorities as necessary to clarify the entitlement to benefits.

Within the framework of this insurance model, CSS delivers data pertaining to the insured person necessary for the performance of the contract to the telemedicine centre, in particular the insured person’s number, surname, first name, date of birth, gender, address, benefit statements and details of the insurance cover.

The telemedicine centre provides CSS with the data it requires to check the entitlement to benefits, in particular details of telephone calls (time of call) and the recommendations given. Health data pertaining to the insured person is only disclosed to the Medical Advisory Service of CSS.

Multimed: When taking out Multimed insurance, insured persons agree that CSS may process their personal data in order to determine the premium, process claims and perform statistical analyses of Multimed. Where necessary and permitted by law, CSS may disclose data to authorised third parties (e.g. service providers, other insurers, and authorities) and/or obtain data from these third parties to the same extent.

The information that is needed for treatment is available to all parties involved in the treatment in question (service providers and/or coordination partners) and may be exchanged between them or processed for the purposes of quality assurance and to ensure the best possible treatment. The data in question specifically concerns the diagnosis, treatment and billing of the insured person.

HMO model / group practice insurance (HMO): When taking out Health Maintenance Organisation Insurance (HMO model), insured persons agree that the coordinating doctor may receive access to the data necessary for this insurance model concerning diagnosis, treatment and billing in connection with the provision of medical care. This form of insurance also requires an exchange of data between the coordinating doctor, CSS, and any third parties involved.

The data in question concerns the diagnosis, treatment and billing of the insured persons. This data will be made available in particular to specialists, hospitals and other persons and institutions involved in organising or providing medical services for the purpose of performing the contract or if a change of coordinating doctor occurs.

Insurance plans in accordance with the Federal Insurance Contract Act (VVG)

CSS offers the following insurance plans in accordance with the VVG in particular:

Supplementary health insurance

  • Alternative Insurance
  • Outpatient Insurance
  • Hospitalisation Insurance
  • Dental Care Insurance

Special insurance

  • Property Insurance (Household Contents, Buildings)
  • Liability Insurance
  • Illness- or Accident-Related Lump-Sum Insurance
  • Travel Insurance
  • Legal Expenses Insurance

Life insurance

  • Pension Plan
  • Death Benefit Insurance
  • Loss of Earning Capacity Insurance
  • Investment Plan
  • Drawdown Plan
  • Illness- or Accident-Related Lump-Sum Insurance

CSS processes data gathered from application and contract documents and during the performance of a contract as well as data received from third parties, and uses it to provide the insurance, in particular to determine premiums, for risk assessment purposes, to process claims and to perform statistical evaluations.

CSS may pass on data for processing to the extent required to third parties involved in the performance of the contract, in particular to CSS companies and occupational pension institutions, co-insurers, previous insurers, reinsurers and social insurance providers, liable third parties and their liability insurers, medical professionals and their auxiliaries, criminal investigation authorities, police and other authorities in Switzerland and abroad. In cases involving suspected offences against property or falsification of documents or if CSS withdraws from a contract because insurance claims have been made on the basis of false statements (Art. 40 VVG), the Swiss Insurance Association (SVV) may be notified and an entry made in the Insurance Information and Warning System (HIS).

To check the entitlement to benefits, CSS may forward the data to contractors. Further, CSS may obtain relevant information from official agencies and other third parties (e.g. service providers, insurers and/or insurers’ medical services). This condition applies regardless of whether a contract is actually concluded.

Further processing

Health-related offers and services

In the case of health-related offers and services, the data necessary to provide the offer or service is processed. In the case of 'health coaches', for example, this includes coaching data (in particular the subject of the coaching session/s, coaching plan, safety plan, case history).

Processing for advertising purposes

We may process personal data for marketing purposes, including to promote insurance, products and services electronically, by phone or by post. Personal data is not sold to third parties for their own marketing purposes. More information about the disclosure of personal data is provided in "Disclosure to third parties".

Participation in competitions, promotional events, sponsorship events and similar activities

We collect and process personal data if you participate in competitions, promotional events, sponsorship events or similar events. The type and scope of the personal data being processed are set out in the relevant terms and conditions of participation, in which we also refer to the subject and scope of the consents that may be needed.

Use of WLAN

If you use WLAN provided by us in our offices, you must log in with your name and mobile phone number or email address. During this process we collect device- and usage-specific data, in particular the date, time and duration of the connection.

Areas subject to video surveillance

We make video recordings in certain designated areas at CSS or in their vicinity. These are processed to ensure the safety of our employees and for evidentiary purposes. If a punishable offence is suspected, we may make these videos available to the criminal investigation authorities under the conditions set down in law.

Studies, science and official queries

We process personal data in order to use this data for scientific purposes (in particular studies) and to respond to official queries. Whenever possible this personal data is anonymised.

Security management

We process the data of persons who pose a threat to the safety and security of the premises and employees of CSS. For example, we keep a list of persons who are not permitted to enter our premises.

Accounting, payment of commission

We process personal data to ensure compliance with generally accepted accounting practice and to calculate, pay and, if need be, reclaim commissions paid for new insurance contracts.

Legitimate interests

We process personal data if we have a legitimate interest in doing so, provided that your interests do not outweigh ours, e.g. for administrative and security purposes, to carry out credit checks, for the purposes of market research and marketing, to improve our services, for product development and in order to comply with Swiss legal provisions.

What applies to profiling?

Profiling refers to any form of automated processing of personal data where that data is used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or movements.

CSS uses such automated processing of data for analysis and forecasting purposes, to the extent permitted by law. The most important areas in which profiling is used include risk assessments, creditworthiness checks, benefit checks, the combating of fraud, the combating of money laundering and the financing of terrorism, client relations, and sometimes also marketing. CSS may combine behavioural and preference data, and also master and contract data, with the technical data attributed to you in order to better understand you as a person with your different interests and personal needs.

Does CSS engage in “automated individual decision-making”?

During the process of applying for life insurance, CSS takes decisions based solely on automated processing that may lead to a rejection of the application (automated individual decision-making). A review of such a decision by a natural person may be requested.

Disclosure to third parties – to whom do we disclose your personal data?

We may disclose personal data to third parties if we are obliged or entitled to do so by law or if you have given your valid consent in accordance with the applicable legal provisions. In this case, the recipients qualify either as an independent controller (e.g. public authority) or as a processor processing the personal data for our purposes (e.g. IT provider). We will never sell your personal data to third parties. We do not trade in your personal data.

Depending on how you are or were insured with CSS, whether you are interested in a CSS product, or are a service provider, public authority or user of this website, we may disclose personal data to the following categories of recipients:

  • Providers of services to us (e.g. banks, insurance companies, consultants, IT providers, providers of marketing services, debt collection companies, credit reference agencies, telemedicine centre, etc.);
  • Brokers;
  • Merchants, suppliers, subcontractors and other business partners;
  • National and international public authorities, social and private insurers, official agencies or courts, if legally obliged to do so;
  • Buyers or interested buyers of business areas, companies or other parts of CSS;
  • Other parties to potential or actual administrative and court proceedings;
  • Other companies of the CSS Group, including for their marketing purposes such as to promote their insurance, products and services electronically, by phone or by post, subject to compliance with the legal restrictions on disclosure that apply, for example, to mandatory healthcare insurance, to ensure their compliance with the legal provisions on the prevention and combating of fraud and to ensure the safety and security of their premises and employees;
  • Partners in group contracts for the purpose of verifying the discount entitlement.

These recipients may have their registered office in Switzerland or abroad. In particular, you must expect your data to be transmitted to Germany and all countries in which the service providers used by us and their agents are located.

Data security – how do we protect your personal data?

Data in our systems is appropriately protected against loss, unintentional modification, misuse, falsification, involuntary disclosure and unauthorised access. To this end we implement suitable security measures of a technical (e.g. encryption, pseudonymisation, logging, access restrictions, data backups, etc.) and organisational nature (e.g. instructions to our employees, confidentiality agreements, controls, etc.). CSS employees are subject to a contractual and legal obligation to maintain confidentiality (e.g. by Art. 33 of the Federal Act on General Aspects of Social Security Law, ATSG). CSS employees are trained in and made aware of data protection issues, and data handling processes are monitored and optimised on an ongoing basis.

The security of our systems is constantly monitored internally and externally. The CSS IT systems are certified in accordance with ISO standard 27001. This international standard specifies the requirements for establishing, implementing, operating, monitoring, maintaining and improving an information security management system. The following additional certifications also underscore the importance of data protection at CSS:

The CSS Medical Advisory Service (MAS) holds the GoodPriv@cy seal of quality and has also been certified under the Ordinance on Data Protection Certification (VDSZ).

CSS has a certified (in accordance with VDSZ and GoodPriv@cy) data collection office in accordance with Art. 59a of the Federal Health Insurance Ordinance. Its standardised regulations guarantee data privacy for every person insured with CSS, while at the same time paving the way for quick and client-oriented billing in relation to hospitals. This permits CSS to settle DRG invoices from inpatient service providers efficiently and in conformity with the law.

The process for receiving and digitalising paper documents by email, app and portal has been certified in accordance with VDSZ and awarded the international GoodPriv@cy certificate.

The VDSZ and GoodPriv@cy certifications are awarded by the independent Swiss Association for Quality and Management Systems (SQS) and confirmed by means of annual audits.

For how long do we store your data?

The statutory retention periods apply to the storage of your personal data. For example, certain data is subject to a retention period of ten years after the end of the contractual relationship. Shorter retention periods apply to other data, such as surveillance videos or log data relating to certain internet interactions.

We further retain personal data if required to do so for specific reasons. This can be the case, in particular, if we need personal data to assert or fend off claims, for archiving purposes, and to guarantee IT security. In some cases we may also ask you for your consent if we want to store personal data for a longer period.

What rights do you have?

You have the following rights in particular, subject to the restrictions on disclosure under the Data Protection Act, provided that the relevant legal conditions are met and there are no grounds for restricting or suspending these rights. You can contact the address provided in "Controller, data protection officer, representative" if you wish to exercise your rights. Please send us a copy of an official identity document (e.g. passport or ID card) for identification purposes. Information that is not required (e.g. photo, height, commune of origin) may be blacked out.

Information

You have the right to request information from us about your stored personal data.

Rectification

You have the right to request the rectification or completion of incorrect or incomplete personal data as well as the right to be informed about the rectification.

Objection, restriction and erasure

You have the right to object to our processing of your data for marketing purposes (promotion of insurance, products and services) and to request the restriction of this processing or the erasure of your personal data.

Amendments to this data privacy statement

CSS reserves the right to amend this data privacy statement at any time. This also applies to the version published on the website of CSS.

Abbreviations and laws

  • Federal Act on General Aspects of Social Security Law (ATSG)
  • Federal Act on Data Protection (FADP)
  • Federal Act on the Oversight of Social Health Insurance (KVAG)
  • Federal Act on Health Insurance (KVG)
  • Federal Act on Insurance Contracts (VVG)
  • General Data Protection Regulation of the EU (GDPR)