CSS Insurance

Data protection

When handling the health data of its insured persons, CSS Insurance is subject to strict data protection provisions. Alongside the provisions of the law, the employees of CSS Insurance must additionally comply with internal guidelines on data handling. All employees are familiar with the requirements that apply to them and, on joining the company, expressly undertake to observe the duty of confidentiality and comply with data protection.

At CSS Insurance, the data of the insured person is always processed in conformity with the law and used only for the prescribed purposes. We only process those items of data about the insured person which are necessary to perform our tasks.

Thanks to regular and conscientious training for its employees and a continually optimised data handling process, CSS Insurance guarantees a high level of data protection and data security. 

Where European law (and especially Regulation (EU) 2016/679 (the General Data Protection Regulation)) applies to data processing, reference is made to this fact at the appropriate point.

Data security

The data on our systems is protected against loss, misuse, fraud and unauthorised access. The security of our systems is under constant review, both internally and externally. CSS IT systems have been certified in accordance with ISO standard 27001:2013 since 1 July 2015. This international standard specifies the requirements for establishing, implementing, operating, monitoring, maintaining and improving an information security management system.

Data protection quality seal

The certifications awarded to CSS underscore the importance of data protection at CSS Insurance. They guarantee that CSS will treat the data of its insured persons with care.

  • Since 2007, the Medical Advisory Service (MAS) has held the GoodPriv@cy* seal of quality and, since 2010, has also been certified under the Ordinance on Data Protection Certification (VDSZ).
  • Since 2013, CSS has had a certified data collection office in accordance with Art. 59a of the Swiss Health Insurance Ordinance. Its standardised regulations guarantee data privacy for every person insured with CSS, while at the same time paving the way for quick and client-oriented invoicing with hospitals. This permits CSS to settle DRG invoices from inpatient service providers efficiently and in conformity with the law.
  • CSS meets high information security standards. Its IT systems are certified in accordance with ISO standard 27001:2013. This international standard specifies the requirements for establishing, implementing, operating, monitoring, maintaining and improving an information security management system.
  • The process for receiving paper documents has been certified in accordance with the international GoodPriv@cy* system.

*The international GoodPriv@cy certificate is awarded by the independent Swiss Association for Quality and Management Systems (SQS) and confirmed by means of an annual audit.

Data Protection Officer / requests for information

If you have any questions about how your personal data is processed, or if you wish to have your personal data corrected or deleted, or restrict the way in which it is processed, or you would like to make an information request, please contact us by post, enclosing a copy of an official identity document:

CSS Insurance
Data Protection Officer
Tribschenstrasse 21
Postfach 2568
CH-6002 Lucerne
Email: datenschutz@css.ch
058 277 11 11

Representative for matters under data protection law in the EU

Where CSS is subject to the EU's General Data Protection Regulation, the data protection officer in the sense of Art. 37 of the Regulation and representative in the sense of Art. 27 of the Regulation is:

Dr. Christian Schäfer
Active Assets A2 GmbH
Gottlieb-Daimler-Str. 5
78467 Konstanz
Germany
Email: privacy-eu@css.ch

Where CSS is subject to the EU's General Data Protection Regulation, you also have the right to transfer your data to another processor (‘data portability’).

Processing policy

The insurer must make its processing policy publicly accessible.