Purpose of this notice
The protection of your personal information is of paramount importance to Bupa (“we”, “us” and “our”). We’re (Bupa Global) committed to protecting and using your personal information responsibly. This privacy notice explains what information we collect about you, how we use it and how we protect it when you buy, use or contact us about our products and services or when you work with us as intermediaries or suppliers. Personal information means any information about you that directly or indirectly identifies you, such as your name, email or phone number. We will tell you whether the information we are requesting is essential or whether the supply of this information is optional.
This Privacy Notice also tells you how you can exercise your rights, including the right to object to some of the data handling we carry out. More information about your rights and how you can exercise them is set out in the “How to exercise your rights” section below.
Click on the links below to jump to the section:
Who this notice is for
About us
Where we collect your personal information
What personal information we collect
How and why we use your personal information
Sharing your personal information
Transferring your personal information abroad
How long we keep your personal information
Cookies, AI, analytics, and profiling
Opting out of marketing
Your rights
How to exercise your rights
Who this notice is for
This privacy notice is for:
This Privacy Notice also tells you how you can exercise your rights, including the right to object to some of the data handling we carry out. More information about your rights and how you can exercise them is set out in the “How to exercise your rights” section below.
- anyone who buys, uses or contacts us about our products and services (such as our health or dental insurance customers) who is based in France, and is serviced by ExpaTPA,
- patients of our dental practices, our health clinics or the Cromwell Hospital
- people who work with Bupa, such as intermediaries or suppliers (but not our employees or healthcare professionals)
About us
Who we are
- We’re a healthcare organisation that offers a wide range of services to support our customers’ health. When we say ‘Bupa’ in this notice, we mean Bupa Global. Bupa Global is a trading name of Bupa Global Designated Activity Company (BGDAC), a designated activity (insurance) company, having its registered office at Second Floor, 10 Pembroke Place, Ballsbridge, Dublin 4, D04 V1W, and Bupa Insurance Services Limited, (BISL) a company registered in England and Wales at Companies House (Company Number: 3829851) and with a registered office at 1 Angel Court, London EC2R 7HJ. BGDAC is regulated by the Central Bank of Ireland..
- ExpaTPA means ExpaTPA, Société par Actions Simplifiée de courtage d'assurances au capital de 60.000 Euros - 883 644 676 R.C.S. PARIS, having its Registered Office at 142 rue de Rivoli 75001 Paris, France. ExpaTPA provides policy and claims administration services to Bupa Global DAC members for policies domiciled in France. ExpaTPA is a controller of the personal information collected and processed when you use our products and services.
How we collect your personal information
We collect your personal information from you when you get in touch with us:
- by phone, where we may record or monitor calls for quality assurance and to make sure we’re keeping to legal rules, codes of practice and internal policies, in this case, you will be informed of the collection of telephone recording data and may object to this
- by email
- through our websites, including webchats and virtual assistants
- through our apps
- by using our products and services
- by post
- by completing an application or other form(s)
- by entering competitions
- through social media
Third parties
We also collect information about you from third parties. There’s more information about this under ‘Collecting and sharing your personal information’.
What categories of personal information does Bupa collect
Your data will only be collected and processed by Bupa if there is an appropriate and relevant legal basis for doing so. In particular, we will process your data to protect our own legitimate interests and those of third parties, provided that these interests do not override your fundamental rights and freedoms. The table below details the categories of data that could potentially be collected by Bupa if there is an appropriate and relevant legal basis for doing so.
| Basic personal details | Name, membership or registration number or patient ID, age and date of birth |
| Contact | Username, address, email address and phone numbers |
| Residency, national identifiers | The country you live in and national identifiers such as national identification (i.e., French social security number, NIR), passport number, or health card (Carte Vitale) information |
| Communications | Details of any contact we’ve had with you, including phone calls and written complaints |
| Financial details | Payments and bank account details |
| Employment details | Your role and the company you work for, if your employer pays for your insurance, scheme or treatment |
| Criminal offences and convictions | We only process information relating to criminal convictions or offences where expressly permitted by law. This may include checks required under anti-money laundering regulations, using publicly available or lawfully accessible sources. We do not collect or process criminal record information unless legally authorised to do so. |
| Behavioural and usage information | How you use and access our digital services e.g., navigation data when you browse our sites |
| Technical information | The devices and technology you use and website browser settings e.g. your IP address, information about your device and information about your browser |
| Special category information – sensitive health data | Information about your physical or mental health, including genetic or biometric information. We will only collect this data when necessary for the purpose of servicing your policy, for example to process a claim or pre-authorise treatment. We may get this information from: • application forms • notes and reports about your health and any treatment and care you’ve received or need • notes from calls and other communications you’ve had with us • referrals from your existing insurance provider • quotes • records of medical services and treatment you’ve received |
How we use the personal information we collect
Under data protection laws, we can only process your information if we have a legal reason (known as a ‘lawful ground’) for doing so.
Click on the tabs below to find out how we use your personal information. The words in bold are the lawful grounds under data protection laws that we rely on to process your information. You can find out what the different types of information mean under ‘what personal information we collect’.
- Basic personal details
- Contact
- Communications
- Residency
- Financial details
- Employment details
- Special category information
- Behavioural and usage information
- Technical
- It’s necessary to provide the services set out in a contract
- It’s required or allowed by law
- We have a legitimate interest to:
- deliver our products and services
- tailor the delivery of our products and services to your specific needs and interests
For special category information
- It’s necessary for health or social care purposes such as:
- preventive or occupational medicine
- assessing your working capacity as an employee
- medical diagnosis
- providing healthcare or treatment
- providing social care
- managing healthcare or social care systems or services>
- With your consent (if required)
- When it's in your vital interests
- Basic personal details
- Contact
- Communications
- Residency
- Financial details
- Employment details
- Special category information
- Behavioural and usage information
- Technical
- It’s necessary to provide the services set out in a contract
- It’s required or allowed by law
- We have a legitimate interest to:
- manage our relationship with you, our business and third parties
- deliver our products and services
- tailor the delivery of our products and services to your specific needs and interests
- communicate with our customers and business partners
- process insurance claims and collect money owed to us
For special category information
- It’s necessary for insurance purposes such as:
- advising on, arranging, providing or managing an insurance contract
- dealing with a claim made under an insurance contract
- Relating to rights and responsibilities relating to or in an insurance contract or insurance law
- With your consent (if required)
- When it's in your vital interests
- Basic personal details
- Contact
- Communications
- Residency
- Financial details
- Employment details
- Criminal convictions and offences
- Behavioural and usage information
- Location
- It’s required or allowed by law
- We have a legitimate interest to:
- manage our relationship with you, our business and third parties
- resolve issues and answer questions about our products and services
- investigate and respond to complaints
- monitor how well we are meeting our clinical and non-clinical performance expectations
- protect the public against dishonesty, malpractice or other seriously improper behaviour
- manage a claim where a third party may be at fault
- With your consent (if required)
- Basic personal details
- Contact
- Communications
- Residency
- Financial details
- Employment details
- Criminal convictions and offences
- Behavioural and usage information
- Technical
- It’s required or allowed by law
- We have a legitimate interest to:
- detect and prevent fraud and financial crime
- ensure compliance with our terms and conditions, and policies
- Basic personal details
- Contact
- Residency
- Employment details
- Behavioural and usage information
- Technical
- It’s required or allowed by law
- We have a legitimate interest to:
- confirm that you’re an employee of your employer when they are paying for the product or service you’re using
- confirm you’re an employee of a business we’re purchasing products or services from
- identify you when you access our digital services and websites
- identify if you were redirected to our websites through an advert or referral link
- identify if you‘re under the age of 16
- identify fraud and fraudulent activity
- Basic personal details
- Contact
- Residency
- Financial details
- Employment details
- It’s necessary to provide the services set out in a contract
- It’s required or allowed by law
- We have a legitimate interest to:
- take payment and charge for our products and services
- review invoices and make payments
- Basic personal details
- Contact
- Residency
- Communications
- Behavioural and usage information
- Technical
- We have a legitimate interest to:
- market to our customers and prospective customers if they’ve shown an interest in us
- request feedback and from customers and people we work with
- follow your contact preferences, marketing, cookies and other tracking such as in-app, profiling and automated decision making (see ‘cookies, AI, analytics and profiling’ for details on this)
- follow your contact preferences, marketing, cookies and other tracking such as in-app, profiling and automated decision making (see ‘cookies, AI, analytics and profiling’ for details on this)
- follow your contact preferences, marketing, cookies and other tracking such as in-app, profiling and automated decision making (see ‘cookies, AI, analytics and profiling’ for details on this)
- develop and run tailored marketing
- With your consent (if required)
- Basic personal details
- Contact
- Communications
- Residency
- Financial details
- Employment details
- Health information
- Other sensitive information
- Behavioural and usage information
- Technical
- We have a legitimate interest to:
- undertake statistical research and analytics (see ‘cookies, AI, analytics and profiling’ for details on this)
- understand our customers and the people we work with
- understand more about our products and services, and how to improve them
- With your consent (if required)
- Basic personal details
- Contact
- Residency
- Behavioural and usage information
- Technical
- It’s required or allowed by law
- We have a legitimate interest to:
- undertake statistical research and analytics (see ‘cookies, AI, analytics and profiling’ for details on this)
- understand our customers and the people we work with
- understand more about our products and services, and how to improve them
- With your consent (if required)
- Basic personal details
- Contact
- Personal information shared with us during a phone call or other method of communication, such as webchat and email
- We have a legitimate interest to:
- monitor phone calls to us for training and to review the quality of our services
- review online and email exchanges between you and us for training and to review the quality of our services
- It’s required or allowed by law
Collecting and sharing your personal information
Sometimes we need to collect your information from, or share it with, other people or organisations. When we share your information, we only share the information needed, and as little of it as possible, for a specific purpose. For example, if you need treatment, we’ll share relevant medical details with your treatment provider.
We have processes in place to make sure that your information is protected when we share it with third parties. If you’re sharing someone else’s personal information with us, please make sure they’ve seen this privacy notice and are comfortable with you giving us their information.
We’ve set out below the types of third parties we collect and share information with, and our reasons for doing so. We may also disclose your personal information to other third parties if we’re required or permitted to do so by law.
All our businesses
- Deliver our products and services to you
- Send you communications about products and services that might interest you
- Undertake statistical research and analysis to understand more about our products and services and how to improve them
- Understand and improve clinical outcomes for our customers
- Product and service development
- Fraud prevention and detection
- Reporting on business activity and success
- Enabling us to deliver a seamless experience across our businesses, and give you easy access to our products and services across our businesses
- Deliver our products and services to you
- Manage our relationship with you
- Set you up as a customer
- Meet our regulatory obligations or comply with legal requests or legal claims
- Manage complaints, claims or individual rights requests
You’re working with us in a professional capacity as a business partner
- Product or service administration
- Transfer to a new service provider
- Set you up as a customer or business partner
- Manage our relationship with your employer
- Process and validate invoices, and make or receive payments
- Doctors, clinicians and other healthcare professionals
- Hospitals and clinics
- Dental laboratories
- Medical laboratories
- Individuals or organisations who pay for your care
- So you can give or have treatment
- Process and validate invoices, and make or receive payments
- To investigate complaints, claims and possible fraudulent activity
- Haute Autorité de Santé (HAS)
- Agence Régionale de Santé (ARS)
- Ordre des Médecins / Ordre des Chirurgiens-Dentistes
- Caisse Primaire d’Assurance Maladie (CPAM)
- And any other regulators, bodies or associations that are relevant in the country you received treatment
- For safeguarding purposes
- Investigate complaints and clinical incidents
- Monitor quality and performance
- Health insurance counter-fraud groups
- Financial crime screening services
- Detect and prevent fraud
- Meet our regulatory and legal obligations
- Lawyers, auditors, actuaries and tax advisors
- Translators and interpreters
- Support us to manage our business and meet our regulatory obligations
- Gain advice on business decisions and strategy
- Comply with our legal and regulatory obligations
- Protect our rights
- Electoral register
- Information about you on social media
- For our business partners, public sources that include professional information about you
- Validate and update our records
- Understand how our customers and business partners have reviewed or discussed us or our competitors online
- Check our business partners are legitimate, of good standing and quality, and investigate possible fraudulent activity or complaints
- IT service providers: Cloud storage, databases and data repositories, practice management systems, customer relationship management systems (CRM), communication and phone software, back-up solutions, network security and monitoring solutions and other ‘software as a service’ providers
- Marketing, sales and business development: market and customer research consultants, social media platforms and marketing and digital marketing agencies, data set and contact list providers
- Customer service support: outsourced support with customer communication and servicing, including translation
- Help us run our business
- Manage our relationship and communicate with you
- Provide our products and services to you
- Understand our customers and market to them
- Identify and communicate with people that might be interested in our products and services
- Grow our business and keep our customers
Bupa Global
- Manage our relationship with you and the policyholder
- Issue invoices, request and take payment
- Insurance brokers
- Your agents
- Other intermediaries
- Confirm you’re entitled to claim discounts on our products and services
- Manage our relationship with you through your broker or agent
- Discuss purchase, renewal and availability of our products and services through your broker and agent
- Set you up as a customer or business partner
- Other health and benefit insurers
- Reinsurers
- Set you up as a customer
- Support you to transfer to a new insurer
- Manage and settle claims that are a third party’s fault
- If reinsurance is necessary
Transferring your personal information abroad
Bupa Global
We work with organisations (such as healthcare providers, other Bupa companies, and IT providers) that operate in, or from, various countries worldwide. This means that your information will be transferred to, or accessed from, countries located outside the European Union and/or European Economic Area ("EAA").
Here’s how we keep your personal information safe when we do this:
Protection by local law
Certain countries are considered safe by regulators since they have adequate data protection laws. We can freely transfer your personal information where needed.
The CNIL and the European Commission have lists of which countries they consider to have adequate protection for personal information.
Protection by other safeguards
We can also transfer personal information to countries that have not been assessed as adequate if we use appropriate safeguards. The main safeguards we use are:
- regulator-approved Standard Contractual Clauses
- additional contractual, organisational, and technical measures (as required following a risk assessment of the transfer)
Transfers within the Bupa group are covered by an agreement that contractually obliges each company to ensure an adequate and consistent level of protection.
ExpaTPA
In the provision of administration and claims services, ExpaTPA endeavours to store Personal Data in France, or at least within the European Economic Area (EEA).
However, it is possible that the Data they collect when you use their platform or as part of our services may be transferred to other countries. This is the case, for example, if some ExpaTPA service providers are located outside the European Economic Area.
In the event of a Transfer of this type, ExpaTPA guarantees that it will be carried out:
- To a country offering an adequate level of protection, i.e. a level of protection equivalent to that required by European regulations.
- Within the framework of standard contractual clauses.
- Within the framework of internal company rules.
How long we keep your information for
Bupa Global
For our insurance businesses, Bupa Global typically keeps personal information for seven years after you stop being our customer or business partner in line with our legal obligations and business needs.
How we calculate how long we keep your information for
How long we keep your information depends on several factors:
- how long you’ve been a customer with us, the types of products or services you have with us, any relevant events and when you’ll stop being our customer
- how long it’s reasonable to keep records to show we’ve met the obligations we have to you and by law
- any periods set by law or recommended by regulators, professional bodies or associations
- any time limits for making a legal claim
- any relevant proceedings that apply
We often have to keep your personal information to comply with a legal obligation, and this means that if you ask us to delete your personal information before the retention period has expired, we’ll be unable to do so.
ExpaTPA
ExpaTPA retains Personal Data only for as long as is necessary to fulfil the purpose for which it was collected. Retention periods vary depending on a number of factors, such as:
- ExpaTPA’s business needs
- Contractual requirements
- Legal obligations
- Recommendations from supervisory authorities
The retention periods for your Data which are held by ExpaTPA are as follows:
| Objective | Retention Period |
|---|---|
| Contract Management | 10 years |
| Manage your customer account | 2 years |
| Claims and after-sales service management | 2 years |
| Claims management, including images and documents | 7 years |
| Drawing up statistics to improve products and services | 5 years |
| Satisfaction surveys and opinion polls | 2 years |
| Pre-litigation and litigation management | 5 years |
| Fighting Fraud | 10 years |
| Combating money laundering and the financing of terrorism | 10 years |
| General and subsidiary accounting | 10 years |
Cookies, AI, analytics and profiling
For information on certain technologies we use to process your personal information, your choices and rights, please see Bupa Global’s Cookies, AI, analytics and profiling Policy which covers the following:
- cookies and tracking technologies
- profiling and automated decision making
- artificial intelligence and machine learning
- analytics
ExpaTPA's cookie policy can be found at https://expatpa.com/Home/CookiePolicy
Your choices and rights
Here you’ll find information on how to control your personal information and the rights you have under the law.
Opting out from marketing
You can ask us to stop sending you email marketing by clicking on the ‘unsubscribe’ link in any marketing emails we send you.
For all other types of marketing, you can opt out (ask us not to send it) or change your preferences:
Opt out through email [email protected] or by sending us a message through Mon Espace Sante
Need to know: You can’t unsubscribe from service communications. These are communications we need to send you for administrative or customer service reasons.
Your rights
You have rights under privacy law about your personal information.
Right of access
You can ask us for a copy of the personal information we hold about you.
Right to rectification
You can ask us to correct or remove inaccurate information we hold about you.
Right to restriction of processing
You can ask us to use your information for restricted purposes only.
Right to portability
You can ask us to send your information to you or to someone else in a format that can be read by computer.
Right to erasure
You can ask us to delete your information if there’s no good reason for us to keep it. If there’s a reason why we can’t do this, for example legally we need to keep it for a certain length of time, we’ll let you know.
Right to withdraw consent
You can withdraw any consent you’ve given us. We’ll let you know if we have to stop providing a product or service to you as a result. Any processing of your personal information that happened before you withdrew your consent will remain lawful.
Right to set up guidelines for after your death
You have the right to set up guidelines for the retention, deletion, and disclosure of your personal data after your death.
Right to object
You can object to us processing your information when:
- we’re processing it or profiling you for direct marketing purposes
- we’re processing it for a legitimate interest (see ‘how we use the personal information we collect’ for when this applies)
- our processing is based on a task carried out in the public interest (such as prevention of crime)
However, we may be unable to action your objection if there’s an overriding reason or the processing is necessary for legal claims. We’ll tell you if this applies when you contact us.
You don’t always have the right to object. We’ll let you know if you can’t and our reasons for turning down your objection.
Rights in relation to profiling and automated decisions
You can ask us not to make solely automated decisions about you or use profiling if this has a legal effect on you or an effect as significant as a legal effect.
You can also ask us to reconsider an automated decision and find out more how the decision was made. If you do, we’ll see if we can review the decision and let you know the outcome.
We may be unable to action with your request if:
- the automated decision making or profiling is necessary for us to enter into a contract
- we’re authorised by law to make an automated decision or undertake profiling
You also have a right to make a complaint to your local privacy supervisory authority
If you’d like to do this, please tell us first, so we have a chance to address your concerns.
If we are unable to address your concerns, you can complain to:
- the Data Protection Commissioner (www.dataprotection.ie) who can be contacted at, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland. Tel +353 (0)761 104 800 or +353 (0)57 868 4800 or
- the Commission Nationale de l'Informatique et des Libertés – CNIL who can be contacted at, 3 Place de Fontenoy, TSA 80715 – 75334 Paris, Cedex 07. Tel. +33 1 53 73 22 22
- if you’re based in another country, we’ll let you know your relevant authority.
How to exercise your rights
If you want to exercise your rights, please email: [email protected].
What to expect
1. Identification
We may ask you to confirm your identity and provide information that helps us understand your request better.
2. We’ll let you know if we can fulfil your request.
Unless you’re exercising an absolute right (such as the right to object to the processing of personal information for direct marketing purposes), we may be unable to fulfil your request. We’ll let you know and explain why.
3. Our response
We’ll respond to requests about automated decisions in 21 days. For all other requests, we’ll tell you within one month what action we’ve taken, starting from the day we receive them.
How to get in touch or complain
If you have any questions, comments or would like to complain about this notice, or any other questions about the way we process your information, please get in touch with our Data Protection Officer and privacy team.
- By email: [email protected]
- By post: C/O Bupa. ExpaTPA, 142 Rue de Rivoli, 75001 Paris – France