Employee Extra, Health Insurance Providers in Ireland - VHI

Data Protection Statement -
Vhi Employee Extras

What is the purpose of this notice?
Our promise to you is that 'When you need us, we're there'. In order to fulfil that promise, and to provide you with suitable products and services, we need to get to know you and what your needs are.

In order to provide you with your Employee Extras package, we collect certain personal information about you from your employer. This notice sets out information that we collect, how we process it and how we share that information both internally with other Vhi entities and with third parties.
Who controls the use of your personal data?
Vhi Healthcare DAC (also referred to as 'we, us or our' in this statement), whose registered address is Vhi House, Lower Abbey Street, Dublin 1, is the company that controls and is responsible for personal data that is collected from your employer in relation to the Employee Extras Package.

Depending on the arrangement with your employer, Employee Extras will include some or all of the following services:

  1. Vhi Swiftcare
  2. Online Doctor
  3. Employee Assistance Programme
  4. Wellness
  5. Health Check
  6. Midwife Support at Home

When you access those services the provider of each of those services will be the Data Controller and is responsible for the data you provide and which is created when you access those services. A separate data protection notice will be provided to you by the Data Controller when you use a service.
What personal data is processed?
In order to provide our services to you we need to process certain personal data in relation to you, which includes:
Biographical data - When Vhi Healthcare is setting you up to avail of the Employee Extras package, we collect the following biographical data from your employer: name, assumed names, address, phone number, email address, gender, family relationships (e.g. spouse, children who will receive Employee Extras), date of birth and employment details.
Eligibility for services - In order to ensure you are entitled to avail of the Employee Extras services, we will process your Vhi private medical health insurance policy number and your employer's Vhi group scheme number.
Interactions with Customer Services - If you interact with us we will record details of those interactions (e.g. phone calls and logs of phone calls, email correspondence and hard copy correspondence). If you make a complaint to us we will process details in relation to that complaint.
Online services - When you interact with us online (by computer, tablet or smartphone), you will often provide personal data to us, which you will be aware of when using the services or for which you give consent. We also automatically collect data about your use of our services, such as the type of device you are using and its IP address, and how you interact with the services. Further details are available in the cookies policy and/or the Data Protection Statement that accompanies the relevant service.
Where does Vhi collect personal data from?
You or your Employer - In order to set you up for Employee Extras, you or your employer will give us the biographical data listed above. This information may be provided electronically.
Dependants - If you are eligible for Employee Extras because you are the dependant of an employee whose employer has purchased the Employee Extras package, we will have been provided with the biographical data listed above by the employee through their employer. This information may be provided electronically.
Online services - When you access our online services we will collect the information that you provide to us online. We will also automatically collect certain data in relation to your use of our services, such as the type of device you are using and its IP address and how you interact with the services.
Why do you process my personal data?
We process your personal data in order to provide you with Employee Extras services and to assist us in the operation of our business for the reasons set out below. This processing will be on the basis of our legitimate interest in making the services available to you and your employer, and running our business.
Administration of the Employee Extras package - We will process your personal data in order to administer the Employee Extras package and to verify your eligibility for the Employee Extras package with the providers of the services included in your package.
Providing you with services - Vhi provides different channels to engage with you in order to perform our contractual obligations, including where you have opted to avail of electronic channels such as MyVhi and our mobile app. The MyVhi section of our website, and our mobile applications, give you access to your Employee Extras package information in one secure place, anytime, anywhere.
Running our business - We will process your personal data in connection with the general administration of our business, including the generation of reports that detail how the business is functioning. We also carry out auditing and quality control to check that our processes are robust and are being followed. In addition, we also need to process your data to meet certain regulatory and legislative obligations that apply to our business. We try to do all of the above by using aggregated or anonymous data where possible, so you won't be identifiable from the data, but some of this work involves processing your data without anonymising it.
Administering our computer systems - Vhi relies on state of the art technology and computer systems to run our business and to process claims. We have an extensive team of developers and support engineers who are constantly testing our systems, running trials of new software, and providing support to our users. Where possible we try to use test data or anonymised data, but on occasion we may have to access live data directly, or we will often make a copy of some of the data that sits in our live systems and run our tests on that to make sure everything is working before we roll out a change. These copies may include your personal data. In general this processing of your personal data is justified by our legitimate interests in making sure our computer systems run properly and are safe and secure.

Note: The providers of the services included in your Employee Extras package will produce usage reporting on an aggregate and anonymised basis to us and to your employer for the purpose of reporting on aggregate usage, future pricing and development of services. Personal data or individual usage data which could identify you are never provided to us or your employer by the service providers.
Who do we share your personal data with?
We share your personal data with the following third parties:
Employee Extra Service Providers - We will share the biographical data that your employer gives to us with the providers of Employee Extras services to allow them to verify that you have the Employee Extras Package and to provide you with the relevant services. Your Employee Extras identity number, your Private Health Insurance Policy number and your employer's group scheme number will also be shared.
Group companies - Vhi consists of a number of separate companies. Some of these companies provide services to each other. The provision of these services may involve the sharing of your personal data between one or more group companies. These services are subject to appropriate contracts and other safeguards.
Third Party providers for internal processes - We rely on trusted third parties to help us run the Vhi business and to provide us with specialised services. These can include companies that provide IT services (e.g. scanning and uploading documents and hosting data when providing software services). These can also include legal advisors, accountants and consultants. Where our service providers have access to your personal data, we ensure they are subject to appropriate contracts and other safeguards.
Employers - We may share the information received from your employer about you back with your employer as part of ongoing reporting to validate the identities of the individuals entitled to the employee extras package. This information may be provided electronically.
Regulators - In certain circumstances Vhi is obliged to provide information to a regulator, (e.g. the Data Protection Commission).
Transfers outside of the European Economic Area (EEA)
There are certain circumstances where we will transfer your personal data outside of the EEA to a country which is not recognised by the European Commission as providing an equivalent level of protection for personal data as is provided for in the EEA. If we transfer your personal data outside of the EEA please rest assured that we will ensure that appropriate measures are in place to protect your personal data and to comply with our obligations under applicable data protection law. This may mean that we enter into contracts in the form approved by the European Commission, or we ensure that the company to which we transfer your personal data has agreed to abide by an approved transfer mechanism, such as the EU-US Privacy Shield framework. If you would like further details about the measures we have taken in relation to the transfer of your personal data, or copies of the agreements that we have put in place in relation to the transfers, please contact us using the details at the bottom of this notice.
Retention of personal data
Vhi will retain your personal data in accordance with our record retention policy. This policy operates on the principle that we keep personal data for no longer than is necessary for the purpose for which we collected it. It is also kept in accordance with any legal requirements that are imposed on us. This means that the retention period for your personal data will vary depending on the type of personal data. For further information about the criteria that we apply to determine retention periods please see below:
Statutory and regulatory obligations - As we work in a highly regulated industry, we have certain statutory and regulatory obligations to retain personal data for set periods of time.
Managing legal claims - When we assess how long we keep personal data we take into account whether that data may be required in order to defend any legal claims which may be made. If such data is required, we may keep it until the statute of limitations runs out in relation to the type of claim that can be made (which varies from 2 to 12 years).
Business requirements - As we only collect personal data for defined purposes, we assess how long we need to keep personal data for in order to meet our reasonable business purposes.
Your rights
You have various rights under data protection law, subject to certain exemptions, in connection with our processing of your personal data:
Right to access the data - You have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
Right to rectification - You have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
Right to erasure - You have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.
Right to restriction of processing or to object to processing - You have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
Right to data portability - You have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine readable format.

In order to exercise any of the above rights, please contact us using the contact details set out below.
Questions and Complaints
If you have any queries or complaints in connection with our processing of your personal data, you can get in touch with us using the following contact details:
Post: Data Protection Officer, Vhi, Vhi House, Lower Abbey Street, Dublin 1

You also have the right to lodge a complaint with the Data Protection Commission if you are unhappy with our processing of your personal data. Details of how to lodge a complaint can be found on the dataprotection.ie website, or you can call the Data Protection Commission on 1890 252 231.