Data protection

When processing its policyholders' health data, CSS Insurance is subject to strict data protection provisions. Alongside the provisions of the law, the employees of CSS Insurance must additionally comply with internal guidelines on data processing. All employees are familiar with the requirements that apply to them and, on joining the company, expressly undertake to observe the duty of confidentiality and comply with data protection.

At CSS Insurance, the data of the insured person is always processed in compliance with the law and used only for the prescribed purposes. We only process those items of data about the insured person which are necessary to perform our work.

Thanks to regular, thorough training for its employees and data processing which is optimised on an ongoing basis, CSS Insurance guarantees a high level of data protection and data security.

Where European law (and especially Regulation (EU) 2016/679 (the General Data Protection Regulation)) applies to data processing, reference is made to this fact at the appropriate point.

Data security

The data on our systems is protected against loss, misuse, fraud and unauthorised access. The security of our systems is under constant review, both internally and externally. CSS IT systems have been certified in accordance with ISO standard 27001:2013 since 1 July 2015. This international standard specifies the requirements for establishing, implementing, operating, monitoring, maintaining and improving an information security management system.

Data protection quality seal

The certifications awarded to CSS underscore the importance of data protection at CSS Insurance. They guarantee that CSS will treat the data of its insured persons with care.

  • Since 2007, the Medical Advisory Service (MAS) has held the GoodPriv@cy* seal of quality and, since 2010, has also been certified under the Ordinance on Data Protection Certification (VDSZ).
  • Since 2013, CSS has had a data collection office in accordance with Art. 59a of the Swiss Health Insurance Ordinance, certified in accordance with the Ordinance on Data Protection Certification (VDSZ) and GoodPriv@cy*. Its standardised regulations guarantee data privacy for every person insured with CSS, while at the same time paving the way for quick and client-oriented invoicing with hospitals. This permits CSS to settle DRG invoices from inpatient service providers efficiently and in conformity with the law.
  • CSS meets high information security standards. Its IT systems are certified in accordance with ISO standard 27001:2013. This international standard specifies the requirements for establishing, implementing, operating, monitoring, maintaining and improving an information security management system.
  • The process for receiving and digitalising paper documents by email, app and portal has been certified in accordance with the Ordinance on Data Protection Certification (VDSZ) and awarded the international "GoodPriv@cy*" certificate.

*The international GoodPriv@cy certificate is awarded by the independent Swiss Association for Quality and Management Systems (SQS) and confirmed by means of an annual audit.

Data Protection Officer and requests for information

If you have any questions about how your personal data is processed, or if you wish to have your personal data corrected or deleted, or restrict the way in which it is processed, or you would like to make a request for information, please contact us by post, enclosing a copy of an official identity document:

CSS Insurance
Data Protection Officer
Tribschenstrasse 21
Postfach 2568
CH-6002 Lucerne
Email: datenschutz@css.ch
Telephone: 058 277 11 11

Representative for matters under data protection law in the EU

Where CSS is subject to the EU's General Data Protection Regulation, the data protection officer as defined by Art. 37 of the Regulation and representative in the sense of Art. 27 of the Regulation is:

Martina Schmid
BWO GmbH
Bauernwaldstrasse 77
70195 Stuttgart
Germany
Email: privacy-eu@css.ch

Where CSS is subject to the EU's General Data Protection Regulation, you also have the right to transfer your data to another processor (‘data portability’).