Security and Privacy Statement
Our aim is the responsible and secure handling of Personal Information, balancing the benefits of activities like research and data analytics to improve our products and service delivery, with our other commitments, including fairness, transparency and non-discrimination. We do so in accordance with the Data Protection Act 1988 and 2003 and the General Data Protection Regulation (GDPR) (EU) 2016/679.
Unless otherwise indicated, the laya healthcare digital services are not intended for use by individuals under the age of seventeen (17), and we request that if you are under seventeen (17) you do not provide Personal Information through the laya healthcare digital services.
Personal Information may be provided to us by you directly or by a third party. For example, an insurance policyholder such as a spouse or dependent may provide Personal Information about you so that you can benefit under their insurance policy.
Data we process
The Personal Information we collect and hold depends on our relationship with you. We process the identification and contact information and the data you input into our online forms or provide to us over the phone when you request a quote or when you join laya healthcare.
This may include:
- application, proposal and claim forms, and other forms
- telephone calls, emails, meetings and other communications
- service providers, brokers and agents, claims investigators, witnesses, medical professionals and other third parties
- this website (the Site)
- the software applications made available by us on computers, smart phones and other mobile devices (the Apps)
- our social media pages, other social media content, tools and applications (our Social Media Content).
As part of your use of services you may choose to give us special categories of data about you and others named on the insurance policy. We may seek and obtain from your physician or a hospital, information about you relating to any treatment or other services provided to you or other members of the insurance policy.
This may include:
- records of physical or mental illness or ill health
- medical histories
- information required in a pre-screening questionnaire
- records of treatments obtained by you
- length of any stay in a hospital
- other treatments or services, including wellness services, received by you or your dependant(s).
Other sensitive information we collect to provide you with products and services you require may include:
- payment card number (credit or debit card)
- bank account or other financial account number and account details
- credit history
- credit reference information and credit score
- assets, income, and other financial information
- account log-in information and passwords for accessing insurance policy, claim and other accounts, and laya healthcare digital services.
The above sensitive information/special categories of information are not used to offer or determine any products for you or any other members of your insurance policy, and are only used to administer claims on that policy. We also collect and record certain information about you when you browse our website. For more information, please see our Cookies Policy below.
Type of Personal Information
Name, address, email and telephone number
Gender, marital and family status, date and place of birth
Education and employment information
Educational background, employer details and employment history, skills and experience, professional licences, memberships and affiliations
Insurance and claim information
Policy and claim numbers, relationship to policyholder, insured, claimant or other relevant individual, date and cause of property damage, loss or theft, injury, disability or death, activity records (for example, driving records), and other information relevant to insurance policy issuance, and claim assessment and settlement. For liability insurance, this will include details of the dispute, claim or proceedings involving you.
Government and other official identification numbers
Social security or national insurance number, passport number, tax identification number, driver’s licence number, or other government issued identification number
Financial information and account details
Payment card number (credit or debit card), bank account number, or other financial account number and account details, credit history, credit reference information and credit score, assets, income, and other financial information, account log-in information and passwords for accessing insurance policy, claim and other accounts, and laya healthcare digital services
Medical condition and health status
Current or previous physical, mental or medical condition, health status, injury or disability information, medical diagnosis, medical procedures performed, and treatment given, personal habits (for example, smoking or consumption of alcohol), prescription information, and medical history
Other sensitive information
Information about religious beliefs, ethnicity, political opinions or trade union membership (for example, if an insurance application is made through a third-party marketing partner that is a professional, trade, religious, community or political organization), sexual life and orientation, or genetic or biometric information
We may obtain information about criminal records or civil litigation history (for example, for preventing, detecting and investigating fraud)
Information provided voluntarily to us (for example, preferences expressed regarding medical treatment based on religious beliefs, where collected in accordance with applicable law)
Recordings of telephone calls with our representatives and call centres
Photographs and video recordings
Images (including photographs and pictures) or video recordings created in connection with our insurance or other business activities, including for claims assessment, administration and settlement, claim disputes, or for other relevant purposes as permitted by law, as well as CCTV recordings captured by equipment on our premises
Information to detect, investigate or prevent crime, including fraud and money laundering
Insurers commonly collect, hold and share information about their previous dealings with policyholders and claimants with the intention of the detection, investigation and prevention of fraud, money laundering and other criminal activities
Information enabling us to provide products and services
Location and identification of property insured (for example, property address, vehicle licence plate or identification number), travel plans, age categories of individuals to be insured, details of the risks to be insured, prior accident or loss history, and cause of loss, status as company officer or director, or partner, or other ownership or management interest in an organisation, history of disputes, civil or criminal proceedings or formal investigations involving you, and information about other insurance held
Marketing preferences, marketing activities and customer feedback
Marketing preferences, information relating to competitions, prize draws or other promotion entry, or responses to voluntary customer satisfaction surveys
To improve our marketing communications, we may collect information about interaction with, and responses to, our marketing communications
Online activity information
Supplemental information from other sources
Why do we process your data?
We collect and use the information you disclose to us to provide you with your chosen products and services, including wellness services. Without collecting and using your Personal Information, it would not be possible for us to offer you a quote, help you choose the best plan for you, manage and administer your policy, or underwrite or handle your claims.
More specifically, we use the information about you (both personal and sensitive personal data/special categories of personal data) that we hold for the following purposes:
- for managing and administering your insurance policy
- for underwriting and claims handling
- for money laundering prevention purposes
- to analyse and examine the claims processes and treatment/over-night stay/convalescence options applied/utilised by medical service providers
- to audit medical service providers generally
- to examine the handling of claims by a medical service provider
- for the efficient payment of Stamp Duty, payable on your Health Insurance contract under section 125A of the Stamp Duties Consolidation Act 1999
- to provide you with access to digital wellness services.
We also process your information in order to comply with legal obligations to which we are subject and for the purposes of our legitimate interests, such as to prevent fraud, for marketing and audit purposes, for systems development and for managing and improving our services.
From time to time we would like to contact you to:
- invite you to events we are sponsoring
- invite you to various events we run exclusively for our members
- gauge satisfaction with the service you received from us
- perform market research.
Once you consent to us contacting you for the above purposes we will do so. If you later opt out of such communications, we will adhere to your preferences.
How do we use your data?
We use Personal Information for different purposes depending on our relationship with you.
The main purposes are to:
- Communicate with you and other individuals, dependents and members
- Make assessments and decisions (automated and non-automated, including by profiling individuals) about the provision and terms of insurance; the settlement of claims and the provision of other services.
- Provide insurance, claims and assistance services, and other products and services including services available through digital platforms, claim administration, settlement and dispute resolution.
- Provide information and guidance relating to medical diagnoses and healthcare services to you and your family through our Healthcare Concierge service, should you wish to avail of it.
- Assess your eligibility for payment plans, and process your premium and other payments
- Improve the quality of our products and services, provide team training and maintain information security (for example, for this purpose we may record or monitor phone calls).
- Prevent, detect and investigate crime, including fraud and money laundering, and analyse and manage other commercial risks.
- Carry out research and data analysis, including analysis of our customer base and other individuals whose Personal Information we collect, complete market research, including customer satisfaction surveys, and assess the risks faced by our business, in accordance with applicable law (including obtaining consent where required).
- Provide marketing information in accordance with preferences you have told us about or shared with us (marketing information may be about products and services offered by our third-party partners subject to your expressed preferences). We may carry out marketing activities in accordance with your preferences by using email, SMS and other text messaging, post or telephone.
- Allow you to participate in competitions, prize draws and similar promotions, and to administer these activities. These activities have additional terms and conditions, which will contain more information about how we use and disclose your Personal Information where this is useful to provide you with a full picture of how we collect and use Personal Information, so we recommend that you review those too.
- Personalise your experience when you use laya healthcare digital services or visit third party websites by presenting information and advertisements tailored to you, identify you to anyone to whom you send messages through the laya healthcare digital services, and facilitate sharing on social media.
- Manage our business operations and IT infrastructure systems, in line with our internal policies and procedures, including those relating to finance and accounting; billing and collections; IT systems operation; data and website hosting; data analytics; business continuity; records management; document and print management; and auditing
- Manage complaints, feedback and queries, and handle requests for data access or correction, or the exercise of other rights relating to Personal Information
- Comply with applicable laws and regulatory obligations (including laws and regulations outside your country of residence), for example, laws and regulations relating to anti-money laundering, sanctions and anti-terrorism; comply with legal process and court orders; and respond to requests from public and government authorities (including those outside your country of residence)
- Establish, enforce and defend legal rights to protect our business operations, and those of our group companies or business partners, and secure our rights, privacy, safety or property, and that of our group companies or business partners, you, or other individuals or third parties; to enforce our terms and conditions; and pursue available remedies and limit our damages
- To analyse the way you have used our services to enable us to better tailor our products to your needs at renewal and assess the likelihood of you renewing your policy so that our marketing activity can be more focussed. You can object to us carrying out this analysis by contacting us using the details below:
Writing: Data Protection Officer, Laya Healthcare, Eastgate Road, Eastgate Business Park, Little Island, Co Cork, T45 E181
Laya healthcare may share your data with others in order to provide you with great healthcare and quality benefits, and so as to comply with our legal obligations. As part of your health insurance cover with us we might share your information with our service providers such as Spectrum Health Limited who provide our healthcoach benefit, 24/7 Mental Wellbeing Support Programme and health and wellbeing programmes, Ed Advanced Medical Services Limited t/a Advanced Medical Services who provide our HeartBeat cardiac screening benefit and other screening services, Webdoctor who provide our CareOnCall services, Cognate Health who provide our occupational health programmes, Data Ireland for address verification and/or other partners. The data shared with laya healthcare from our partners, unless explicitly consented to by the member, will not be stored as identifiable information.
We may also share your Personal Information with hospitals and/or consultants to aid the efficient processing of claims.
We are also obligated under the Health (Provision of Information) Act 1997 to provide information to the National Cancer Registry Board, the Minister for Health or a health board, hospital or other body or agency participating in any cancer screening.
In the event you switch to another insurer, we will share your information with the new insurer in accordance with the Health Insurance Act 1994 (Determination of Relevant Increase under section 7A and Provision of Information under section 7B) Regulations 2014 to confirm information that you have provided on taking out a policy with the new insurer.
Our agents or subcontractors may also have access to your data on a strictly confidential basis.
In order to provide you with products and services, this information will be held in the data systems of laya healthcare or by our agents or subcontractors.
When you request a quote from us, you may receive a phone call or text message and/or email in relation to that quote. If you would prefer not to receive such communications, please contact us to let us know.
Information on Consent
By using our services, and when it is appropriate and in line with Data Protection, you will be asked to provide your consent to Laya processing your data.
Providing consent and any subsequent withdrawal of consent does not affect your Health Insurance Policy.
You can manage and review your consent preferences through your Privacy settings page in your Members Area.
When you withdraw consent
In some cases, Laya are obliged to retain information for legal purposes regardless of the current status of your consent. As a result, even after you revoke consent, we are required to maintain and process certain data.
When you re-consent
Any data that was retained for legal purposes will be re-displayed to you where appropriate.
Data Protection Information for Online Services
The information you provide will be used to manage the administration of your policy and is held in accordance with data protection law. We may need to collect sensitive information about you and others named on the insurance policy. You can only share a dependent’s information with us, with their full permission (unless agreed otherwise with laya healthcare). Medical information will be kept confidential and may be disclosed, on a strictly confidential basis to those involved with your treatment or care, their health professional agents and the underwriter Insurance provided by Elips Insurance Limited (Inc. Liechtenstein). Information may also be shared with other insurers, either directly or through people acting for the insurer such as Investigators and where we are entitled to do so under the Data Protection Acts. However, anonymised data – that is, information which does not identify an individual – may be used by laya healthcare, or disclosed to others, for research or statistical purposes, in accordance with appropriate consents. Access to non-medical information may be granted by laya healthcare to others on a strictly confidential basis in the course of and for the purpose of the efficient administration of laya healthcare (for example in connection with audit, systems development, managing and improving our services).
How do we use data to detect, investigate and prevent fraud?
We may use Personal Information to detect, investigate and prevent fraud, and this may include sharing Personal Information with other insurers and law enforcement agencies. We are committed to detecting and preventing fraud, and other financial crime. We take this commitment very seriously and use Personal Information in a number of ways for this purpose.
For example, if relevant to our relationship with you we may (where permitted by applicable law):
- submit your Personal Information (including details of any claims you make, for example, details of injuries) so that they appear on registers of claims which are shared between different insurance providers
- search registers of previous claims when assessing a claim
- share your Personal Information with other insurers and law enforcement agencies.
Are automated decisions made using data?
Sometimes we use automated decision-making tools (i.e. where a person is not involved in the decision). We typically use these tools when making straightforward decisions about you (for example, in certain claims handling and medical screening processes).
Sometimes, as part of our business operations, decisions about you are taken using automated computer software and systems. These decisions do not involve human input, and the software and systems apply pre-defined logic programming and criteria to make a decision and assess how we deal with you in connection with the provision of services.
For example, we sometimes use automated decision making as part of a process to:
- decide whether an outpatient claim should be paid as requested (for example, if pre-specified criteria are met by responses that you provide, the claim will be paid automatically without the need for additional human intervention)
- identify known pre-existing medical conditions to decide whether we can offer life insurance to you and on what terms.
We provide you with more information in relation to any automated decision processes before or at the time that we intend to make decisions in this way. You have the right in certain circumstances not to be subject to a decision which is based solely on automated processing.
Who is responsible for Personal Information?
Laya healthcare, proudly part of AIG, is responsible for looking after the Personal Information we collect, hold and use. Laya Healthcare Limited trading as laya healthcare is underwritten by Elips Insurance Ltd.
The AIG group comprises a number of companies, including, but not limited to, the AIG parent company American International Group, Inc., AIG Europe S.A. and American International Group UK Limited, Laya Healthcare Limited and AIG Life Limited.
For more precise information about the specific company or companies in the AIG group that have access to and are responsible for your Personal Information (including the identity of the relevant AIG companies that are the data controller(s) for your Personal Information), please contact us. Stuart Anderson is the GDPR Data Protection Officer (DPO) for Laya Healthcare.
We may also share your information with third parties. Those third parties will assume certain responsibilities under data protection law for looking after the Personal Information that they receive from us:
- Where permitted by applicable law, AIG may share Personal Information with other third parties, for example, other insurers, reinsurers, insurance and reinsurance brokers, other intermediaries and agents, appointed representatives, distributors, affinity marketing partners and financial institutions, securities firms and other business partners.
- External third party service providers, such as medical and security professionals, accountants, actuaries, auditors, experts, lawyers and other professional advisors; travel and medical assistance providers; call centre service providers; IT systems, support and hosting service providers; printing, advertising, marketing and market research, and data analysis service providers; banks and financial institutions that service our accounts; third party claim administrators; document and records management providers; claim investigators and adjusters; construction consultants; engineers; examiners; jury consultants; translators; and other third party vendors and outsourced service providers that assist us in carrying out business activities.
- We may also share Personal Information with: (a) government or other public authorities (including, but not limited to, workers’ compensation boards, courts, regulatory bodies, law enforcement agencies, tax authorities and criminal investigations agencies); and (b) third party participants in legal proceedings and their accountants, auditors, lawyers, and other advisors and representatives, as we believe to be necessary or appropriate.
- We may share Personal Information with payees; emergency providers (fire, police and medical emergency services); retailers; medical networks, organisations and providers; travel carriers; credit bureaus; credit reporting agencies; other people involved in an incident that is the subject of a claim; as well as purchasers and prospective purchasers or other parties in any actual or proposed reorganisation, merger, sale, joint venture, assignment, transfer or other transaction relating to all or any portion of our businesses, assets, companies or stock (i.e. company shares).
- Where permitted by applicable law, Personal Information (including details of injuries) may be put on registers of claims and shared with other insurers. We may search these registers when dealing with claims to prevent, detect and investigate fraud.
- If you benefit from another party’s insurance policy or service arrangement with laya healthcare (for example, a policy taken out by your employer), Personal Information relating to the administration of that insurance policy or service may be shared with that other party.
Personal Information may also be shared by you on message boards, chat, profile pages and blogs, and other laya healthcare digital services to which you are able to post information and materials (including, our Social Media Content).
Please note that any information you post or disclose through these services will become public information, and may be available to visitors and users of the laya healthcare digital services and to the general public. We urge you to be very careful when deciding to disclose your Personal Information, or any other information, when using the laya healthcare digital services.
Where do we process Personal Information?
We may process Personal Information both nationally and internationally. This may include transferring Personal Information outside the European Economic Area (EEA). Rest assured, we are committed to protecting and respecting your data protection and privacy rights. We take additional steps to ensure the security of Personal Information when we transfer it outside the EEA.
Depending on the nature of our relationship with you, we will transfer Personal Information to parties located in other countries in the EU and EEA.
For example, we may transfer Personal Information in order to process international travel insurance claims and provide emergency medical assistance services when you are abroad. We may transfer Personal Information in order to sanction screen in accordance with our anti-money laundering policy. We may transfer information internationally to our group companies, service providers, business partners, government or public authorities, and other third parties.
When making these transfers, we will take steps to ensure that your Personal Information is adequately protected and transferred in accordance with the requirements of data protection law.
This typically involves the use of data transfer agreements in the form approved by the European Commission and permitted under Article 46 of the EU General Data Protection Regulation (GDPR) (the relevant data protection law). If there is no data transfer agreement in place, we may use other mechanisms recognised by the GDPR as ensuring an adequate level of protection for Personal Information transferred outside the EEA (for example, the US Privacy Shield framework or any framework that replaces it).
How do we keep your data secure?
Information security is extremely important to us. Laya healthcare uses appropriate technical, physical, legal and organisational measures, which comply with data protection laws to keep Personal Information secure. If, despite our efforts, you believe that Personal Information is no longer secure, please tell us so that we can resolve any security issue.
As most of the Personal Information we hold is stored electronically we have implemented appropriate IT security measures to ensure this Personal Information is kept secure. For example, we may use anti-virus protection systems, firewalls, and data encryption technologies. We have procedures in place at our premises to keep any hard copy records physically secure. Our team receive regular training on data protection and information security.
When laya healthcare engages a third party (including our service providers) to collect or otherwise process Personal Information on our behalf, the third party will be selected carefully and required to use appropriate security measures to protect the confidentiality and security of Personal Information.
Unfortunately, no data transmission over the Internet or electronic data storage system can be guaranteed to be 100% secure.
If you believe that your interaction with us is no longer secure (for example, if you feel that the security of any Personal Information you might have sent to us has been compromised), please contact us immediately.
A copy of our Information Security Policy can be requested by submitting a request through our contact us page.
What is the legal justification for our use of data?
We are obliged to advise you on the legal justification we rely on for using your Personal Information.
Data protection law seeks to ensure that the way Personal Information is used is fair. We may be required to obtain Personal Information from you to comply with applicable legal requirements, and certain data may be needed to enable us to fulfil the terms of our contract with you (or someone else), or in preparation of entering into a contract with you (or someone else). We may inform you of this at the time that we are obtaining the data from you. In these circumstances, if you do not provide the relevant data to us, we may not be able to provide our products and benefits to you.
For more sensitive special categories of Personal Information we will rely on either your consent or one or more of the other legal justifications set out in the table below and typically one of the following two additional justifications (however other legal justifications may be available):
- the use is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity (for example, when a court issues a court order requiring the processing of Personal Information)
- the use is necessary for the purposes of preventive or occupational medicine, medical diagnosis or the provision of health or social care or treatment.
These more sensitive special categories of Personal Information include Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning an individual’s sex life or sexual orientation.
Additional legal justifications may also be available in the country in which you are based and we may also rely on these justifications from time to time.
Processing of Personal Information relating to criminal convictions and offences is subject to the relevant legal requirements.
Where we rely on our legitimate business interests or the legitimate interests of a third party to justify the purposes for using your Personal Information, those legitimate interests will be set out in a supplemental privacy notice (which is tailored to our relationship with you where this is useful to provide you with a full picture of how we collect and use Personal Information). In any event our legitimate interests will usually be:
- pursuit of our commercial activities and objectives, or those of a third party (such as direct marketing)
- compliance with legal and regulatory obligations, and any guidelines, standards and codes of conduct (such as detecting or investigating fraud or money laundering)
- improvement and development of our business operations and service offering, or those of a third party
- protection of our business, shareholders, employees and members, or those of a third party (such as ensuring IT network and information security, enforcing claims, including debt collection)
- analysing competition in the market for our services (such as research, including market research).
We may need to collect, use and disclose Personal Information in connection with matters of important public interest, for instance when complying with our obligations under anti-money laundering and terrorist financing laws and regulations, and other laws and regulations aimed at preventing financial crime. In these cases, the legal justification for our use of Personal Information is that the use is necessary for matters of public interest. Additional justifications may also apply depending on the circumstances.
Do we record calls and monitor email communications with us?
To ensure that we can meet the needs of our members we may record telephone calls in an effort to:
- improve the standard of service that we provide by providing our team with feedback and training
- address queries, concerns or complaints
- prevent, detect and investigate crime, including fraud and money laundering, and analyse and manage other commercial risks
- comply with our legal and regulatory obligations
We may also monitor electronic communications between us (for example, emails) to protect you, our business and IT infrastructure, and third parties including by:
- identifying and dealing with inappropriate communications
- looking for and removing any viruses, or other malware, and resolving any other information security issues
How long do we keep data for?
We will typically keep your Personal Information for a period of seven years after the expiration date of your policy.
As a regulated financial services institution, there are laws and regulations that apply to us which set minimum periods for retention of Personal Information.
- where we hold Personal Information to comply with a legal or regulatory obligation, we will keep the information for at least as long as is required to comply with that obligation.
- where we hold Personal Information in order to provide a product or service (such as an insurance policy and claims handling), we will keep the information for at least as long as we provide the product or service, and for a period of seven years after expiry of the policy and the handling of any related claim.
The number of years varies depending on the nature of the product or service provided – for example, for certain insurance policies it may be necessary to keep the Personal Information for several years after the expiry of the policy. Among other reasons, we retain the information in order to respond to any queries or concerns that may be raised at a later date with respect to the policy or the handling of a claim.
Typically, for consumer insurance products, the retention period is seven years.
For further information about the period of time for which we retain your Personal Information, please contact us.
Telling us about your marketing preferences
We will provide you with regular opportunities to tell us your marketing preferences, in our communications to you.
You must consent to receiving marketing communication from us. Similarly, should you wish to opt out or change your marketing preferences at any time please contact us.
You can also opt-out of receiving marketing communications, such as:
- Receiving email messages and text messages from us. If you no longer want to receive marketing emails or text messages from laya healthcare, you can opt-out of receiving these marketing-related messages by clicking on the link to “unsubscribe” provided in each email message, following the stop instructions in a text message, or by contacting us.
- Receiving telephone communications and postal mail from us. If you no longer want to receive marketing via telephone communications or postal mail from laya healthcare, you may opt-out of receiving these marketing communications by contacting us. You may also be able to contact a "Do not call" registry in your country to opt-out on a general basis from receiving marketing communications by telephone, although we may still contact you if you are listed on such a register if you have given your consent.
- Sharing of your Personal Information with our group companies for their marketing purposes. With your consent we may share your Personal Information with our group companies for their own marketing purposes. If you change your mind, you may opt-out of this sharing by contacting us.
- Sharing of your Personal Information with selected third-party partners for their marketing purposes: If you have provided your consent we may share your Personal Information with our third-party partners for their own marketing purposes. If you change your mind, you may opt-out of this sharing by contacting us.
- We aim to comply with your opt-out requests within a reasonable time-period and in any event within any period prescribed by law. Please note that if you opt-out as described above, we will not be able to remove your Personal Information from the databases of third parties with whom we have already shared your Personal Information (i.e. to those to whom we have already provided your Personal Information as of the date on which we respond to your opt-out request).
- Please also note that if you do opt-out of receiving marketing communications from us, we may still send you other important service and administration communications relating to the services which we provide to you, and you cannot opt-out from these service and administration communications.
What are your Personal Information rights?
You have a number of rights in relation to your data, all of which apply in different circumstances:
- Right of access to Personal Information - you have the right to receive a copy of the Personal Information we hold about you and information about how we use it. This right is applicable at all times when we hold your Personal Information (subject to certain exemptions).
- Right to rectification of Personal Information - you have the right to ask us to correct Personal Information we hold about you where it is incorrect or incomplete. This right is applicable at all times when we hold your Personal Information (subject to certain exemptions).
- Right to erasure of Personal Information - this right is sometimes referred to as 'the right to be forgotten'. This right entitles you to request that your Personal Information be deleted or removed from our systems and records. However, this right only applies in certain circumstances.
Examples of when this right applies to Personal Information we hold include (subject to certain exemptions):
- when we no longer need the Personal Information for the purpose we collected it
- if you withdraw consent to our use of your information and no other legal justification supports our continued use of your information
- if you object to the way we use your information and we have no overriding grounds to continue using it
- if we have used your Personal Information unlawfully
- if the Personal Information needs to be erased for compliance with law.
- Right to restrict processing of Personal Information - you have the right to request that we suspend our use of your Personal Information. However, this right only applies in certain circumstances.
Where we suspend our use of your Personal Information we will still be obliged to store your Personal Information, but any other use of this information while our use is suspended will require your consent (subject to certain exemptions).
You can exercise this right if:
- you think that the Personal Information we hold about you is not accurate, but this only applies for a period of time that allows us to consider if your Personal Information is in fact inaccurate
- the processing is unlawful and you oppose the erasure of your Personal Information and request the restriction of its use instead
- we no longer need the Personal Information for the purposes we have used it to date, but the Personal Information is required by you in connection with legal claims
- you have objected to our processing of the Personal Information and we are considering whether our reasons for processing override your objection.
- Right to data portability - this right allows you to obtain your Personal Information in a format which enables you to transfer that Personal Information to another organisation. However, this right only applies in certain circumstances.
You may have the right to have your Personal Information transferred by us directly to the other organisation, if this is technically feasible.
This right will only apply:
- to Personal Information you provided to us
- where we have justified our use of your Personal Information based on your consent or the fulfilment by us of a contract with you
- if our use of your Personal Information is by electronic means.
- Right to object to processing of Personal Information - you have the right to object to our use of your Personal Information in certain circumstances.
You can object to our use of your Personal Information where you have grounds relating to your particular situation and the legal justification we rely on for using your Personal Information is our (or a third party's) legitimate interests. However, we may continue to use your Personal Information, despite your objection, where there are compelling legitimate grounds to do so or we need to use your Personal Information in connection with any legal claims.
You can also object to the use of your Personal Information for direct marketing purposes at any time (including if we are carrying out profiling related to direct marketing).
- Rights relating to automated decision making and profiling - you have the right not to be subject to a decision which is based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects you. However, this right only applies in certain circumstances.
This right is not applicable if:
- we need to make the automated decision in order to enter into or fulfil a contract with you
- we are authorised by law to take the automated decision
- you have provided your explicit consent to the decision being taken in this way using your Personal Information.
- Right to withdraw consent to processing of Personal Information - where we have relied upon your consent to process your Personal Information, you have the right to withdraw that consent. This right only applies where we process Personal Information based upon your consent.
- Right to complain to the relevant data protection authority - if you think that we have processed your Personal Information in a manner that is not in accordance with data protection law, you can make a complaint to the data protection regulator. If you live or work in an EEA member state, you may complain to the regulator in that state. This right applies at any time.
- Right to provide instructions regarding the management of your Personal Information after your death (only where such right applies under applicable law)
You may have the right to inform us of instructions on how we manage the Personal Information we hold about you after your death. This right is applicable at all times when we hold your Personal Information (only where such right applies under applicable law).
If you wish to exercise any of your rights, please contact us.
Who to contact about your Personal Information?
If you have any questions, concerns or complaints about the way your Personal Information is used by us, you can contact us by email or post using the details below.
Writing: Data Protection Officer, Laya Healthcare, Eastgate Road, Eastgate Business Park, Little Island, Co Cork, T45 E181
What user and device data do we collect through Laya healthcare digital services?
Along with our third-party service providers we may collect user and device data in a variety of ways when you use laya healthcare digital services including:
- internet browser and electronic device information
- app usage data
- information collected through cookies, pixel tags and other technologies
- demographic information
- data grouped together so that it is not possible to link the data to a particular individual, known as aggregated data.
Method of Data Collection
Through your internet browser or electronic device
Certain information is collected by most websites or automatically through your electronic device, such as your IP address (i.e. your computer’s address on the internet), screen resolution, operating system type (Windows or Mac) and version, internet browser type and version, electronic device manufacturer and model, language, time of the visit, pages visited, and the name and version of the Laya healthcare services (such as the App) you are using. We use this information to ensure that the Laya healthcare services function properly.
Through your use of an App
When you download and use an App, we and our service providers may track and collect App usage data, such as the date and time the App on your electronic device accesses our servers and what information and files have been downloaded to the App based on your device number.
Using cookies and online tracking
You can refuse to accept the cookies we use by adjusting your browser settings. However, if you do not accept these cookies, you may experience some inconvenience in your use of the Site and some online products. We do not respond to browser do not track signals at this time. Please see our Cookies Policy for information on how you can control the cookies used by our website. Third parties may collect information about your use of Laya healthcare services and your use of other websites or online services. For more detailed information about the cookies we use on our laya healthcare site, see below.
Using pixel tags, web beacons, clear GIFs or other similar technologies
We may use pixel tags, web beacons, clear GIFs and other similar technologies with your consent (where required by applicable law). These may be used in connection with some Laya healthcare services and HTML-formatted email messages to, among other things, track the actions of users of Laya healthcare services and email recipients, measure the success of our marketing campaigns and compile statistics about usage of laya healthcare digital services and response rates.
Subject to applicable law (and your consent where required by applicable law), we may collect the physical location of your electronic device by, for example, using satellite, mobile/cell phone tower or WiFi signals. We may use your device’s physical location to provide you with personalized location-based services and content.
Subject to your marketing preferences and applicable law, we may also share your device’s physical location, combined with information about what advertisements you viewed and other information we collect, with our marketing partners to enable them to provide you with more personalized content and to study the effectiveness of advertising campaigns.
In some instances, you may be permitted to allow or deny such uses and/or sharing of your device’s location, but if you choose to deny such uses and/or sharing, we and/or our marketing partners may not be able to provide you with the applicable personalized services and content.
In addition, we may obtain the precise geolocation of your device when you use our mobile applications for travel or other assistance services. In connection with providing travel or other assistance services, we may share your device’s precise geolocation information with our clients and other entities with whom we work. You may opt-out of our collection and sharing of precise geolocation information by deleting the mobile application from your device, by disallowing the mobile application to access location services through the permission system used by your device’s operating system, or by following any additional opt-out instructions provided in the privacy notice available within the mobile application.
Using information provided by you
Some information (for example, your location or preferred means of communication) is collected when you voluntarily provide it. Unless combined with Personal Information, this information does not personally identify you.
By aggregating information
We use a number of cookies and tracking technologies on our website. Among other things, cookies help us to understand user behaviour, make our website work better and target online advertising. For further information about the cookies we use, and how to block or erase those cookies, see our Cookies Policy.
Who is responsible for third party services accessed via laya healthcare digital services?
We are not responsible for the privacy, information or other practices of any third parties, including any third party operating any site or service to which the laya healthcare digital services link.
Please note that we are not responsible for the collection, usage and disclosure policies and practices (including the information security practices) of other organizations, such as Facebook®, Twitter®, Apple®, Google®, Microsoft®, RIM/Blackberry® or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider or electronic device manufacturer, including any Personal Information you disclose to other organizations through or in connection with laya healthcare digital services.
Responsible Disclosure Guidelines
Security issues should be disclosed to firstname.lastname@example.org. Please note we cannot respond to individual policy queries on this address and these should be raised through our contact us page. We will investigate legitimate security reports and respond within 1-2 business days, and make every effort to quickly correct any issues, while following Data Protection guidelines and responsibilities. If you identify a security issue you should not modify or access data that does not belong to you.