elipsLife is an insurance company for institutional clients and offers biometric insurance products that cover the financial consequences of illness and accident with a focus on employee and individual benefits for mortality and disability risks. As a European insurance provider, we receive and process the personal data of individuals.
Data Protection is a core value of elipsLife: we respect the fundamental right of our clients to control their personal information and to have it adequately protected. Our relationship with our clients is built on trust, so the security and privacy of our clients' and insureds' personal information is an important responsibility for us.
Starting May 25th, 2018, the General Data Protection Regulation (GDPR), one of the most ambitious legal projects of the European Union in recent years, gives individuals more control over their data in a digitalized world by ensuring that all EU individuals benefit from the same strong, up-to-date data protection rights, regardless of where their data is processed.
The new regulation does not fundamentally change any of the existing core rules; instead it extends the requirements significantly by introducing a range of new obligations to support those core rules, which will have an impact on how we achieve compliance at elipsLife.
elipsLife is fully committed to protecting the rights and privacy of individuals in accordance with the upcoming GDPR, national Data Protection laws and all other requirements. Beyond that, we are committed to the fundamental data protection principles.
B. elipsLife’s response to GDPR
We have revised our comprehensive data protection compliance framework in order to fulfill our responsibilities to protect personal data and to respect privacy rights in compliance with data protection and privacy laws and regulations in all countries where we do business.
Our policies and standards
Our commitment to data protection and privacy is stated in our Code of Conduct: "We handle personal data with the greatest care and use it only for legitimate and specified business purposes". Furthermore, our data protection compliance framework – including policies, standards, information security measures, an appointed Data Protection Officer, a training and awareness program and business-relevant procedures – sets forth the following key principles:
• We respect the privacy rights of employees, customers, clients, business partners and other individuals whose personal data we have and use.
• We protect personal data by implementing appropriate technical and organizational measures in our data processing operations.
• We obtain personal data fairly and only use it for legitimate business purposes.
• We hold ourselves accountable for demonstrating compliance with applicable legal and regulatory requirements and for understanding our roles and responsibilities.
These principles derive from internationally recognized privacy principles as well as the foundational principles of the European Union's (EU) General Data Protection Regulation (GDPR). As a European company doing business in the EU, the EEA and Switzerland, we comply with the GDPR, national member state law and Swiss data protection regulations.
We updated our privacy notices and consent forms to meet the heightened transparency requirements and to satisfy the specific requirements that apply when relying on data subject consent and when processing sensitive personal data. We honor data subject rights and have updated our procedures to ensure correct and timely handling of the enhanced individual rights.
In addition, we have embedded privacy measures into policies and operations, including the implementation of appropriate technical and organizational measures such as data protection by design and by default; we conduct data protection impact assessments, have security breach management procedures in place and maintain an up-to-date record of data processing activities.
We exercise due care when selecting third parties to ensure data is processed in accordance with the law, and have updated our contractual agreements to stipulate responsibilities and liabilities.
We also regularly test the privacy measures implemented, and use the results of testing, audits, and metrics to demonstrate existing compliance and continuous improvement efforts.
Ultimately, it is our employees who are the most important element of our commitment. Our employees are involved in every step of the data lifecycle, including sourcing and receiving personal data, processing it in compliance with laws and regulations, employing safeguards, and establishing the means and schedules of retention and deletion. It is therefore imperative that our employees understand their role and are committed to safeguarding personal data. We design our training program to be relevant, focused on the individual and focused on actual risks. We mandate face-to-face and eLearning training for all employees. In addition, we run regular data protection and information security awareness campaigns, and we share other knowledge resources on data protection and privacy topics with our employees. It is important that our employees understand the seriousness of protecting personal data and respecting privacy rights, and are able to relate this back to the risks and consequences from an individual's perspective. Through these efforts, we aim to ensure that our employees and business partners understand their respective roles and responsibilities for data protection compliance.
Our data protection experts
A team of fully committed Legal & Compliance Officers and a Data Protection Officer with expert knowledge covers all of our business units, functions and locations. They advise management and employees on their obligations, including data protection impact assessments, provide training, and monitor compliance with the GDPR, other applicable laws, and elipsLife's policies and procedures. They also engage in industry knowledge sharing and collaboration initiatives with the Swiss Re Group, and monitor regulatory developments in the areas of data protection and privacy.
The team is involved in all matters relating to data protection and coordinates with risk management, audit, and information security colleagues so that we can optimize the implementation of the data protection compliance framework, identify and address gaps, further mitigate risks and monitor compliance.
Our information security
To assure the confidentiality, integrity and availability of personal data within our care, we have a comprehensive, risk-based information security program in place. We recognize the impact on individuals from the increasing volume, variety and pace of information usage and the heavy dependence on the Internet as a business channel and communication medium.
Our information security program and management approach is based on the international information security standard ISO/IEC 27002. We have implemented multiple layers of protection to minimize the risks to personal data and the privacy of individuals. Such protection includes network security controls, logical and physical access controls, maintaining up-to-date inventories (authorized hardware and software), system hardening and monitoring, usage of state-of-the-art protection software, monitoring and response procedures, as well as regular information security awareness training of all employees.
We conduct at least one annual risk assessment of our cyber security resilience, benchmarked against best-practice security standards in line with Swiss Re. The process includes stakeholders throughout the company and results in mitigation measures and the revision of controls to respond to technological developments and evolving threats. It considers the specific cyber security risks of elipsLife's business operations, the business information we collect or store, our IT landscape, and the availability and effectiveness of controls to protect that information and IT landscape. Furthermore, we test the effectiveness of our incident response plans through simulation exercises involving cross-functional stakeholders, and evolve the plans based on the lessons learned from each exercise.
Our internal audit function tests the design and effectiveness of implemented safeguards to ensure effective coverage and to maintain focus on key risks. This is a cycle that we continue to improve, as risks are always evolving and security can never be 100% assured. Vigilance and collaboration are crucial to our efforts to ensure the security of personal data. Finally, our compliance Policy Management Framework includes at least annual review of our information security policies to ensure that their requirements still appropriately address our risk exposure. Our internal assurance functions and external auditors also regularly audit these policies.
We take particular care when working with third parties. We only share personal data with affiliates, business partners, third party service providers or vendors when we have a legitimate business purpose for doing so and when permitted by law. We require third parties to maintain similar standards to ours for the protection of personal data, as verified by our due diligence process. We have implemented a holistic and consistent risk mitigation process to identify and assess the cyber resilience of third parties. A risk-based approach is followed, covering the whole lifecycle of our engagement with a third party. The applied methodology is based on international standards and frameworks such as ISO/IEC 27002, COBIT and NIST, and takes into account the criticality of the processed data, the way the data is processed and elipsLife’s dependency on the third party. Once we enter into these relationships, we continue to monitor the data practices of third parties, and reserve the right to conduct audits as appropriate. We require them to maintain these standards with their sub-contractors and other parties that might further process our personal data on their behalf.
Incident / data breach response
In the event of security or data privacy incidents that may involve unauthorized access to personal data, we have incident response procedures in place, including appropriate reporting channels. Our breach detection and containment procedures consider the potential business, reputational, legal and regulatory impact on our company. They also entail assessing whether the breach could have consequences for individuals and determining who needs to be notified of the breach, including regulatory authorities, individual data subjects, or other stakeholders. We involve all relevant internal and external stakeholders, and our plans aim to mitigate and resolve such incidents in order to minimize harm to elipsLife and to affected individuals.
Be in touch. Responding to your requests.
Please contact us at compliance@elipsLife.com if you have questions regarding data privacy. Our Legal & Compliance team will respond to your requests for clarification, for access to your personal data, or for the exercise of any other privacy rights. You can also ask us to remove you from marketing communications, and we will do so. We will respond to your requests in a timely manner and in compliance with relevant legal or regulatory requirements. We ask that corporate clients contact us through the usual business channels.