General information on data processing
Data protection and the protection of the privacy and fundamental rights of the persons whose data is being processed are very important to ÖKK. When processing personal data, ÖKK complies with the Federal Act on Data Protection (FADP), the Data Protection Ordinance (DPO) of 1 September 2023 and other potentially applicable data protection provisions, such as the European General Data Protection Regulation (EU-GDPR) to the extent it applies.
This data protection statement provides information on which personal data we collect, save and transmit. It also informs you of the rights that you are able to exercise with regard to the data protection provisions.
Personal data (hereinafter also referred to as “data”) includes all information that identifies or could identify you as a natural person, for example your last name, first name and (e-mail) address. We also process particularly sensitive personal data, in particular health-related data.
In this data protection statement, when we refer to processing your personal data, we mean any handling of your personal data. This includes saving, processing, using and deleting the data.
In this data protection statement, we describe what we do with your data when you visit our website, obtain/use our insurance products and services, use the myÖKK customer portal (web version and app), otherwise contact us within the framework of a contract, communicate with us or otherwise have dealings with us. We may also inform you about the processing of your data separately, for example in declarations of consent, additional data protection statements, forms, notes, terms and conditions for participation and terms and conditions of use.
When processing personal data, in particular especially sensitive data (health-related data), the employees of ÖKK shall comply with the applicable statutory data protection provisions as well as the relevant internal guidelines, directives and specific instructions. Targeted information and training is provided to employees to inform them of how to handle your personal data.
Table of contents
- Who is responsible for processing data?
- Which personal data do we process?
- Whose data do we process?
- From whom do we receive your personal data?
- On which legal basis do we process personal data?
- For what purposes do we process personal data?
- What are cookies and when are they used?
- How are marketing and analysis services used?
- What is profiling and when is it used?
- What is automated decision-making and when is it used?
- When is social media used?
- When is data forwarded to third parties?
- Is data disclosed abroad?
- How long is the data retained?
- Which measures are in place to ensure the data is secure?
- What are your rights?
- Changes
1. Who is responsible for processing data?
The following party is responsible for data processing as described in this data protection statement (unless otherwise communicated on an individual basis):
ÖKK Kranken- und Unfallversicherungen AG
Bahnhofstrasse 13
P.O. Box
7302 Landquart
The data protection officer of ÖKK (DPO) is registered with the Federal Data Protection and Information Commissioner (FDPIC).
Do you have a question about data protection? The ÖKK data protection officer is happy to help. Please use the web form to contact them with any data-protection-related issues.
2. Which personal data do we process?
- Your personal information: This includes, in particular, your first and last name, gender, date of birth, marital status, OASI and insurance number, languages, nationality, cantonal and municipality affiliation, (e-mail) addresses, telephone numbers and family members.
- Application data: This includes quotes, applications, offered/requested coverage, health declarations and risk assessments.
- Contractual data: This includes bank account details, contractual data on the settlement of payments (e.g. account numbers), premium payments and premium reductions, outstanding amounts and reminders, insurance products, type and amount of benefits, joining and leaving dates, notices of suspension, deductibles and accident cover.
- Risk assessments related to you and the insured item (e.g. bike insurance) when assessing applications: This includes information on previous insurance policies, other insurance policies and insurance claims made; occupational and health-related data and, under certain circumstances, information on determining your credit rating.
- Data for processing benefit claims: This includes, in particular, the following (list is not exhaustive): information on reimbursement applications, invoice data as well as health-related data, for example doctors’ reports and other information from service providers, diagnoses, benefit costs, data from third-party insurers, information related to queries, invoices from service providers.
- System usage data (internal/external): This includes data processed when using the myÖKK customer portal, such as user names, passwords, personal settings, login/logout times, server log files, access and user behaviour.
- Communication data: This includes preferred communication channel, journal entries, e-mails, written correspondence, customer feedback.
- Marketing data: This includes contact information such as title, name and (e-mail) address, details such as personal preferences and interests, contract status, campaign data, marketing communications sent and reactions to such communications and opt-out data.
- Applicant details: This includes, in particular, CVs, other application documents, diplomas, references, personal information, education, work experience, skills, notes on previous employment as well as availability/notice periods, standard correspondence data such as mailing address, e-mail address and telephone number.
- Employee data: This includes, in particular, first and last names, residential address, telephone number, e-mail, date of birth, gender, marital status, family members, number of children, photographs, emergency contacts, place of birth, nationality, employment/residence permit.
- Information related to legal disputes: This includes data related to complaints and disputes concerning benefits / the contracts concluded in this regard, such as recourses and disputes as well as data from case files from authorities and courts.
3. Whose data do we process?
We collect and process data from the following categories of persons:
- Customers
- Potential customers
- Service providers
- Distribution partners
- Employees (incl. applicants and employee-insured persons)
4. From whom do we receive your personal data?
In principle, we gather personal data directly from you within the framework of a contract or the initiation of a contract. This is done, for example, via contact and application forms, as part of e-mail or written correspondence, by telephone, when taking part in competitions and surveys and within the scope of contractual relationships, e.g. when assessing benefits or making payments.
You are under no obligation to disclose your data, with exceptions in individual cases (e.g. statutory requirements). If, however, you conclude a contract with us or wish to claim our benefits, for example, you must disclose certain data to us. Furthermore, it is not possible to use our website or online services without your data being processed.
In certain circumstances, we also obtain personal data from third parties, for example service providers, business partners, social insurers within the scope of administrative assistance, other private insurers or from public sources. We also receive data from third parties, such as sponsoring partners.
If we receive personal data from third parties, we assume that the third party is authorised to transmit this data to us, that the person concerned has been notified that the data is being transmitted and that the data is correct. If we receive data via third parties, we notify the person concerned within 30 days that we have received the data.
5. On which legal basis do we process personal data?
The following form the general legal basis for processing your personal data:
- the conclusion or performance of a contract with you or your application in advance of this
- your consent, which may be revoked at any time
- a balancing of interests, to which you may object under certain circumstances
- a legal obligation which may arise when balancing interests
A further legal basis for processing your personal data is our overriding interest in processing this data. Our overriding interests include the following:
- our customer service and maintaining our customer relationships (e.g. maintaining contacts, communicating with our business partners)
- our advertising and marketing activities
- the opportunity to familiarise ourselves with the users of our website and online services
- the improvement and development of our products and services (e.g. IT security related to the use of our website, improvement of our online services offering)
- internal ÖKK administration
We will obtain your consent when required. Once you have given us your consent electronically by checking the tick box, we log your declaration of consent; this involves saving your user account name, the relevant page on the internet, as well as the date and time.
You are able to informally revoke your declaration of consent at any time or object to your data being processed. Use the web form for this purpose.
Within the scope of our public mandate, we also process your personal data based on the following legal bases:
- Federal Act on the General Aspects of Social Security Law (ATSG)
- Federal Act on the Supervision of Social Health Insurance (Health Insurance Supervision Act, KVAG)
- Federal Health Insurance Act (KVG)
- Federal Accident Insurance Act (UVG)
- Federal Act on Insurance Contracts (VVG)
- Federal Act on Data Protection (FADP)
6. For what purposes do we process personal data?
In principle, you can visit our website without having to disclose any personal information. When sending personal data to ÖKK via e-mail, it should be considered that such data may under certain circumstances be seen by third parties if active encryption is not used. If ÖKK replies to an e-mail with sensitive information, the e-mail will be sent encrypted. ÖKK uses HIN encryption for this purpose. When receiving an e-mail for the first time, the recipient is sent a password separately. It is possible not to use encryption at the express wish of the recipient – and at their risk.
If you visit our website, our servers temporarily save the following data automatically:
- IP address of your computer
- entry page (website from which you navigated to our website)
- browser settings
- browser language and version
- date and time of access/visit
- name and URL of the data accessed
- your computer’s operating system and the browser you use
- country from which you are accessing our website
- name of your internet access provider
- time zone difference to Greenwich Mean Time (GMT)
- content of the request
- access status/HTTP status code
- data volume transmitted
- last visited website
- activated browser plug-ins
This data is processed to allow access to our website (establishment of connection), to safeguard the long-term system security and stability and to optimise our offering, unless this is done for internal statistical purposes. A personal user profile is not set up.
When you visit our website, we use cookies as well as applications and tools that are based on using cookies. More information can be found in section 10 “What are cookies and when are they used?”.
You can contact us by e-mail, via the contact form, via social media or by telephone. To process your query by e-mail or via the contact form, it is necessary to enter your e-mail address and your message to us. We require your date of birth so that we can clearly identify people who are already entered in our system. The disclosure of further data is voluntary.
When our telephone lines are extremely busy, you have the option of one of our employees calling you back. To organise the call-back as efficiently as possible, we require your first and last names, your telephone number and your date of birth. The disclosure of further data is voluntary.
We use the “Microsoft Teams” tool to hold telephone conferences, online meetings, video conferences and/or online seminars (summarily referred to as “online meetings”). Microsoft Teams is a product of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
Various types of data are processed when using Microsoft Teams. The scope of the data depends, among other things, on which data is provided before/while taking part in an online meeting. This includes the following:
- information on the user, e.g. their display name, e-mail address, profile picture (optional), preferred language.
- meeting metadata, e.g. date, time, meeting ID, telephone numbers, location
- text, audio and video data: It is possible to use the chat function in an online meeting. In this respect, the text entered by the relevant people is processed so that it can be displayed in the online chat. For the video display / audio output, the relevant data is processed by your device’s video camera / audio display for the duration of the meeting. At any time during the meeting, users can themselves turn off the camera or mute the microphone in the Microsoft Teams application.
- if online meetings are to be recorded, this will be transparently communicated in advance and, if necessary, consent will be requested.
- the contents of the chat will be recorded when using Microsoft Teams. If necessary, for the purposes of recording the results of an online meeting, we will record the contents of the chat.
- processing this data is within our overriding interest. In these cases, our overriding interest is in effectively holding an online meeting.
More information on how data is processed in Microsoft Teams can be found in the data protection statement for this tool.
We offer various online forms on our website. This includes forms for changing personal data, such as changes of name and address, as well as forms for making changes to insurance-specific information, such as adjustments of deductibles or accident cover.
How the personal data is processed depends on the respective online form. When you use an online form, we process the following personal data, for example:
- insurance number
- first name
- last name
- e-mail address
- address
- postcode
- town/city
- telephone
- date of birth
- date on which the requested change takes effect
- reason for the change
- IBAN number
- account holder
- file upload
- information on the general practitioner
- existing insurance model
- any other comments on your part
We may process your data to initiate and provide our services.
We process personal data to the extent required in order to provide you with the contractual / pre-contractual benefits and to execute further services requested by you. The data processed for this purpose as well as the type, scope, purpose and necessity for it to be processed depends on the underlying contractual relationship.
How the personal data is processed depends on the respective service. The data processed includes personal information:
- first and last name
- gender
- date of birth
- marital status
- OASI and insurance number
- languages
- nationality
- cantonal and municipality affiliation
- (e-mail) address
- telephone number
- family members
- application information (e.g. quotes, applications, offered/requested coverage, health declarations and risk assessments)
- contractual data on the settlement of payments (e.g. account numbers)
- premium payments, any premium reductions, outstanding amounts and reminders, insurance products
- type and amount of benefits, joining and leaving dates
- notices of suspension and deductibles
The data is processed for the following purposes in particular:
Basic insurance
With regard to basic insurance under the KVG, we process data in accordance with the relevant legal bases, in particular for the purposes listed in Art. 84 KVG, for example:
- to ensure the obligation to have insurance is met
- to calculate and charge the premiums
- to assess benefit claims, to calculate and grant benefits and to coordinate benefits with other social insurers
- to assess any entitlement to premium reductions as well as to calculate and grant the reductions
- to exercise a right of recourse vis-à-vis a liable third party
- to maintain statistics
- to assign or verify an OASI insurance number
- to calculate the balancing of risks
Supplementary insurance policies and other insurance policies
An overview of the supplementary insurance policies and other insurance policies can be found here.
You can calculate premiums on our website. We process the following personal data in the premium calculator:
- personal information
- contact information
- account information
- health-related data
By entering your data into the premium calculator, you agree that we can contact you by telephone or via another medium in order to provide you with a quote.
Your personal data is not sent to us until you have completed in full the electronic contact form with your personal data and have then continued the process. Detailed information on data processing in relation to insurance applications and contract conclusion can be found on the application form and in the customer information for your insurance as well as in the enclosed data protection information sheet.
On our myÖKK customer portal (web version and app), we process the following personal data required to process the insurance transaction:
- personal information
- marital status
- insurance number
- social insurance number
- contact information
- account details
- language
- settings (document delivery method, push notifications, biometric login (yes/no)), profile information (e-mail address, telephone number, user name and password)
- insurance cover (incl. deductible and accident cover)
- invoices
- reimbursement claims
- premium calculations
- benefit statements
- tax statement
- general messages
To avoid misuse, a double opt-in registration process is used to register users. This means you receive an e-mail containing a link that you must click on to confirm your registration.
You have the option to delete your customer account at any time. After terminating your policy or in case of death, the profile is continued for three months and then deleted.
It is possible to access the myÖKK customer portal via the web version or the app.
When downloading the app, certain information is sent to the app store you use (e.g. Google Play or the Apple App Store); in particular, your user name, e-mail address, customer number for your account, the time of download, payment information and the individual device numbers can be processed. Your data is processed exclusively by the respective app store; we have no influence over this.
When you use the app, we automatically gather certain data that is necessary to use the app. This includes the login information and the time the app was accessed.
If you apply for a position with us, we process the personal data that we receive from you as part of the application process. This includes the following:
- your personal information
- education/training
- work experience
- skills
- notes on previous employment
- availability/notice periods
- standard correspondence data such as mailing address, e-mail address and telephone number
If, during the application process, we enquire about your gender in the form of your preferred title, the only reason we do so is to ensure we address you in the right way.
We also process all the documents you send us in relation to your application, such as your letter of motivation, CV, references, certificates, diplomas and any other documents you send us. You can also send us additional information on a voluntary basis.
This data is only saved, evaluated and processed within the scope of your application. Under certain circumstances, the data may be processed by various departments within ÖKK. Your data will be treated in strict confidence at all times and only be made accessible to the people required as part of the recruitment process. We may also use your personal data for statistical purposes (e.g. reporting). In this case, however, it will not be possible to identify any given individual.
As part of the application process, we use a service provider to process the application; this provider ensures that all personal data is processed securely and confidentially. In this regard, you must set up a user account and enter your e-mail address and password. If you do not log in to your user account for more than six months, we will permanently delete it together with any data saved in it.
Data from applications will remain in the system for four months after the application in case of any queries. After that, your content data (but not your user account) will be automatically anonymised. Your application data will be stored separately from the other user data and will not be merged with it.
If your application is successful and you become employed at ÖKK, some of your personal data may be used again as part of the onboarding process to the extent that is necessary for the onboarding process to be completed.
We use your contact data for the following purposes:
- to maintain contact with you
- to inform you about certain products, offers and events that may be of interest to you
- for statistical purposes
Newsletter
On our website, you have the opportunity to subscribe to a newsletter. Our newsletter contains information about our products, offers, promotions and our company. If you have subscribed to our newsletter, we use your e-mail address to inform you about us and our offering. The disclosure of further data is voluntary. You register for the newsletter via a double opt-in process. This means that after registering and clicking on the corresponding checkbox, you receive an e-mail containing a link that you have to click on to confirm your registration.
The newsletter contains a web beacon (an image file the size of a pixel), which sends a request to the server of the mailing company when the newsletter is opened. As part of this request, technical information is collected, including information about your browser and system as well as your IP address and the time the request was sent. This information is used to make technical improvements to the service, based on the technical data or on the target groups and their reading behaviour, as derived from their location (which can be determined based on the IP address) or the time the newsletter was accessed. The data collected is also used to determine whether the newsletter is opened, when it was opened and which links were clicked. While for technical reasons this information can be attributed to the individual newsletter recipient, it is neither our nor the mailing company’s intention to observe individual users. The purpose of these evaluations is rather to identify the reading habits of our users and adapt our content to them or to send different content to recipients depending on their interests.
You can unsubscribe from the newsletter at any time and revoke the consent you have granted us. To do so, click on the relevant button (link) in the newsletter. You can find the link to unsubscribe from the newsletter at the bottom of each newsletter.
Events and sponsoring
If you take part in competitions, events, sponsorship campaigns and similar activities, we collect the following personal data:
- name/address
- telephone number
- e-mail address
- date of birth
We use competitions, sponsorship campaigns and similar activities in particular to acquire potential new customers.
As a customer or if you have given us your contact data (e.g. for a competition), you will receive from us a newsletter with information about our companies, products, offers and events.
It may be the case that we pass on your personal data to our partners, e.g. to notify you if you win. Taking part and therefore having your data collected is of course voluntary. Detailed information can be found in the respective terms and conditions of participation.
Satisfaction surveys and evaluation of services
Every so often, we carry out surveys on our products and services in order to improve the customer experience and identify customers’ needs. After a consultation, for example, we send out an e-mail asking you to evaluate your experience. We also take part in the AmPuls study. The data protection provisions of AmPuls apply for the study.
In certain areas of ÖKK premises, which are clearly marked, we carry out video surveillance. This is done for the security of our employees and for evidence purposes. If there is a suspicion that criminal acts have been committed, we can make the recordings available to law enforcement authorities in line with legal requirements.
7. What are cookies and when are they used?
On our website and in order to use further digital offerings, we use cookies and similar technologies (hereinafter, all these will be referred to as “cookies”). We may also use cookies and similar technology (e.g. pixel tags and fingerprints) to identify visitors to our website, analyse their behaviour and determine preferences. A cookie is a small file which is sent between the server and your system and allows us to recognise a certain system or browser. This allows the portal to “note” certain entries and settings (e.g. login, language, font size and other display preferences) over a certain period, so that you do not need to specify these every time you visit and navigate around the portal.
There are various types of cookies (technologies with comparable functionalities, such as fingerprinting, fall into this category):
- Necessary cookies: Some cookies are necessary for the functioning of the website as such or for certain functions. They ensure, for example, that you can switch between pages without information that you have entered in a form being lost. They also ensure that you remain logged in. These cookies are only temporary (“session cookies”). If you block them, it is possible that the website will no longer work. Other cookies are required so that the server can save the choices and entries you have made across a session (i.e. visiting the website) if you make use of this function (e.g. selected language, approval granted, function for automated login).
- Performance cookies: These cookies are used to collect information about how a website is used, e.g. how visitors arrived on the website, which pages a visitor opens most frequently, how visitors navigate around the website during their visit and whether they received any error messages. We can also use these cookies to gather certain statistical and analytical information, e.g. how many visitors come to our website. These cookies are used to monitor the degree of activities on the website and improve the performance of the website.
- Marketing or targeting cookies: These cookies allow us or a third-party provider to place personalised adverts on our website or the website of third parties. They can also be used to evaluate how effectively the advert leads people to make a purchase.
Both the technical data we collect and the cookies do not usually contain any personal data. However, personal data that we or the mandated third-party provider save about you (e.g. if you have a user account with us or these providers) can be linked with the technical data / the information saved in the cookies and obtained from them, and therefore could be used to identify you.
Most internet browsers are set up to accept cookies by default. If you do not want this, you can set up your browser so that it notifies you when cookies are placed and you can then accept them in individual cases or generally reject them. You can also activate the automatic deletion of cookies upon closing the browser. You can also delete cookies that have already been placed at any time via an internet browser or other software programme. The process for checking and deleting cookies depends on the browser you use.
You can reject the use of cookies by selecting the relevant settings in your browser. Please note, however, that this may impact the possibilities for using our website. More information on cookies, including how to manage, reject and delete them, can be found here.
The following links provide information about how to deal with cookies for the most common browsers:
8. How are marketing and analysis services used?
We use the following services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, or if you are usually resident in the European Economic Area (EEA) or Switzerland, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (in short: Google).
- Google reCAPTCHA
- Google Maps
- Google Ads
Google usually uses cookies. The cookies used by Google allow us to analyse the use of our website. The information provided from the cookies about your use of our website (incl. your IP address) is sent to and stored on a Google server in Ireland or the US.
According to its own information, Google may process personal data for marketing products in any country in which Google or its sub-processors have premises. Information about the locations of Google’s data centres can be found on the website.
Sub-processors may be used for Google Ads. More information on sub-processors can be found on the website.
Google guarantees that it has in place an adequate level of data protection that meets the EU standard contractual clauses. More information can be found here.
More information about the processing of personal data by Google and on privacy settings can be found in the Privacy Policy – Privacy & Terms – Google and the data protection settings of Google.
Captcha is an abbreviation for “completely automated public Turing test to tell computers and humans apart”. This is a test used to tell humans apart from machines/robot programmes (“bots”).
reCAPTCHA is a captcha service of Google, which aims to determine whether a certain action on the internet is being carried out by a human or a computer programme. reCAPTCHA is used as part of the double opt-in when registering for the newsletter and for web forms.
More information on data processing and notes on the data protection via reCAPTCHA can be found on the website.
We use Google Maps on our website. This allows us to display interactive maps directly on our website and lets you conveniently use the map function.
By using Google Maps, information about your use of our website (incl. your IP address) is sent to and stored on a Google server in Ireland or the US. Under certain circumstances, Google saves this data as a user profile so that it can tailor its services, adverts and market research in line with your needs. If you are logged in to Google, your data will be assigned directly to your account. If you do not want this to happen, you must log out of your Google account beforehand. If you do not agree to your data being processed, it is possible to deactivate Google Maps and so prevent data being sent directly to Google. To do so, you must deactivate the JavaScript function in your browser. Please note, however, that in this case you will be unable to use Google Maps and other functions on our website, or only be able to use them on a restricted basis.
Your personal data is processed on the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and commercial operation of our offering).
We use the online advertising programme Google Ads, which is part of Google Marketing Services, a service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, or if you are usually resident in the European Economic Area (EEA) or Switzerland, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
This involves Google Ads placing a cookie on your end device (a “conversion cookie”) if you navigate to our website via a Google advert. These cookies expire after 30 days, do not contain any personal data and therefore cannot be used to personally identify you. If you visit certain pages on our website and the cookie has not yet expired, we and Google are able to recognise that you have clicked on the advert and have been redirected to our website. Every Google Ads customer receives a different cookie. This means that cookies cannot be tracked across the websites of Ads customers. The information obtained via the conversion cookies is used to provide conversion statistics for Ads customers who have opted for conversion tracking. We do not receive any information that could be used to personally identify you.
The information collected via the cookie about your use of our website is usually sent to and stored on a Google server in Ireland or the US. Based on the information collected, your browser is assigned categories that could be of interest to you. These categories are then used to show adverts that could be of interest to you.
By using Google Ads, we are able to reach users who have already used our website. This allows us to present our adverts to a target audience that has already shown an interest in our products or services.
It is possible for you to refuse targeted advertising from Google. To do so, in each browser you use, you must navigate to the website, where you can change the relevant settings. More information on the terms and conditions of use and data protection in relation to Google AdWords can be found on their website.
The myÖKK app is available via the relevant app platforms. A valid account with the respective app platform and a corresponding end device is required to install and make full use of the app. Please take note of the relevant privacy policies with regard to data protection within the stores and the associated areas.
- Apple App Store: Apple Privacy Policy
- Google Play Store: Google Privacy Policy
Google Firebase
We use Google Firebase in the myÖKK app. Google Firebase is part of the Google Cloud Platform and offers app developers various services for developing, quality-controlling and improving apps. When using the Google Firebase service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as a data processor, we process your data for the purpose of analysing your use of the myÖKK app and improving the service stability and usability of the app for our users. With Firebase, information about the use of our application is collected, transmitted to Google and stored in a computer centre within the European Union. However, we cannot rule out the possibility of usage data being transmitted to Google LLC in the US or by Google to subcontractors in third countries.
We cannot identify any one specific user. As such, data is not personalised and no link can be made with your user data. More information on how your data is protected in Firebase and the data processing agreements concluded with Google can be found here: Data protection and security in Firebase.
Below we would like to inform you of the Firebase functions we use in the myÖKK app.
Firebase Cloud Messaging
We use Firebase Cloud Messaging to send you the latest information via push notifications. Push notifications are messages that are displayed without having to open the app on your device.
During installation, your end device will be assigned a pseudonymised reference ID (Firebase Installation ID), which is the target for the push notifications. After uninstalling the app, this ID continues to be used for a certain period of time before being permanently deleted. If you reinstall the app, your end device is assigned a new ID.
You can (de)activate this function yourself in the settings of your end device at any time. If you deactivate the function, you will not receive any push notifications.
The legal basis for processing the data is our legitimate interest. Our legitimate interest is in being able to send you information about documents received or data processed. For more information on Firebase Cloud Messaging, please refer to the privacy information for Google Firebase: Data processing information.
Firebase Crashlytics
We use Firebase Crashlytics to verify errors that occur in our app and to quickly resolve them.
If the app crashes, certain information about the crash, such as the time, device type, operating system and other technical data (e.g. installation UUID and crash traces), is sent from your mobile device to Crashlytics. These crash reports do not contain your IP address or any other personal identifying information.
The legal basis for processing the data is our legitimate interest. Our legitimate interest is in being able to continually improve the app, so that we can offer an error-free, functional application.
For more information on Firebase Crashlytics, in particular on the duration of data processing, please refer to the privacy information for Google Firebase: Data processing information.
Google Analytics for Firebase
If you grant your consent, the myÖKK app processes anonymised usage data with the help of the Google Analytics for Firebase service. This data is not linked to your account data, meaning we cannot use it to identify you.
The following usage data is processed in order to improve and continually optimise the myÖKK app and is stored for a period of 14 months:
- Data on the frequency of use gives us information on the general acceptance of the app and whether developments lead to a more frequent or longer period of use.
- Information on session durations/time spent in the app helps us to identify usability errors and optimise content.
- Information on the interfaces used and content viewed allows us to improve frequently used features and optimise availability.
- Screenflows and the usage flows for individual screens help us better understand the use cases and objectives of our users and to speed up frequently used processes in the app.
- For many analyses, we use the demographic characteristics provided by Google to better understand our target audience.
The legal basis for processing the data is your consent. You can revoke your consent to us processing your data at any time here.
If you do not grant your consent, this has no direct impact on the functionality of the app; however, it is more difficult for us to further develop the app without statistical data. For more information on Google Analytics for Firebase, please refer to the privacy information for Google Firebase: Data processing information.
We use fusedeck from Capture Media AG (Löwenstrasse 3, 8001 Zürich, Switzerland), our own tracking solution, to measure the success and reach of our website in terms of engagement and events. The tracking is anonymous, meaning it is impossible to make a connection to certain people.
We also use fusedeck to enter form data on our website. This data is entered on a personalised basis. For these forms, information on data protection is displayed accordingly.
More information on the type, amount and purpose of data processing, including “Opt-out” options, can be found here.
9. What is automated decision-making and when is it used?
In certain situations, for reasons of efficiency and uniformity in decision-making processes, it can be necessary that we automate processes for making discretionary decisions with legal effect or potentially significant disadvantages (“automated individual decisions”). This does not affect “if-then” decisions (e.g. if the computer does not let you access your user account after checking your password), but discretionary decisions (e.g. the decision to conclude a contract).
In this case, we will notify you accordingly and take the measures required under the applicable law. If you do not agree with the outcome of such a decision, you will be able to discuss this with a responsible person who will check the decision.
10. What is automated decision-making and when is it used?
In certain cases, for reasons of efficiency, it can be necessary that we automate processes for making discretionary decisions with legal effect or potentially significant disadvantages (“automated individual decisions”). On request, we will give the person affected the opportunity to give their opinion. The affected person can demand that the automated individual decision be reviewed by an actual person.
11. When is social media used?
We maintain pages and online presences on social networks and other platforms operated by third parties and process data on you in this regard. This involves receiving data from you (e.g. when you communicate with us or comment on our content) and the platforms (e.g. statistics).
We use social plug-ins from various social networks on our website. Using these plug-ins, we can, for example, share content or recommend products. This includes the following:
- Facebook: Within our online offering, various functions and service content may come from Facebook. This may include content such as images, videos or text as well as buttons that users can use to share content for this online offering within Facebook. Provided the user is a member of Facebook, Facebook can assign the accessing of the above content and function to their user profile there. The list and the appearance of the Facebook social plug-in can be found here. Service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Parent company: Facebook Inc., 1601 Willow Avenue, Menlo Park, CA 94025, USA. Data protection statement. More information on opt-out possibilities and settings for adverts can be found here.
- Instagram: Within our online offering, various functions and service content may come from Instagram. This may include content such as images, videos or text as well as buttons that users can use to share content for this online offering within Instagram. Provided the user is a member of Instagram, Instagram can assign the accessing of the above content and function to their user profile there. Service provider: Meta Platforms, Inc., D/B/A Instagram, 1 Hacker Way Building 14, First Floor Menlo Park, CA 94025, USA. Data protection statement.
- LinkedIn: Within our online offering, various functions and service content may come from LinkedIn. This may include content such as images, videos or text as well as buttons that users can use to share content for this online offering within LinkedIn. Provided the user is a member of LinkedIn, LinkedIn can assign the accessing of the above content and function to their user profile there. Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Parent company: LinkedIn Corporation, 1000 W. Maude Avenue Sunnyvale, CA 94085, USA; Data protection guidelines; Cookie policy; Opt-out.
- YouTube: We incorporate videos from YouTube. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection statement; Opt-out; Settings for displaying adverts.
Our website only incorporates these plug-ins as links.
If you visit our website and one of the social plug-ins on the website is activated, a direct connection will be established between your browser and the server of the corresponding social network. The content of the plug-in will be sent from the social network directly to the browser, which will then display it on the website. This means the network will receive the information that you have visited our website. If you are logged in to the social network, the network can also match this visit to your account. If you interact with the plug-in, the corresponding information will be sent from the browser directly to the social network and be saved there.
Even if you are not logged in to social networks when you visit our website, sites with active social plug-ins can send the data to the networks. An active plug-in will place a cookie with an identifier every time the website is accessed. As your browser automatically sends this cookie every time you connect to a server of the respective networks, the social networks could in principle create a profile of which websites the user linked to the identifier visits. As applicable, it would then be possible to again match this identifier to a person, for example when subsequently logging in to the social network.
12. When is data transmitted to third parties?
In principle, we save your personal data in Switzerland and only transmit it if you have expressly consented to us doing so, if we are legally obliged to or if this is necessary for us to exercise our rights, in particular to enforce any claims arising out of the contractual relationship.
Furthermore, we only transmit your personal data to third parties to the extent we are authorised to do so and this is necessary and expedient within the context of using the website or for providing services.
Depending on the purpose of processing your personal data, we disclose your personal data to the following categories of recipients:
- other Group companies
- service providers which process personal data on our behalf and on our instruction (so-called “sub-processors”, for example in the areas of IT for the operation of our systems, hosting and support, claim settlement)
- service providers which support us in advising on and providing services
- service providers that assist us in coordinating customer calls or contacts
- customers, partners, suppliers, insurers, distribution partners and other business partners
- intermediaries, brokers and other contractual partners which support us in providing services
- within the framework of our legal obligations, authorities, social insurers, government offices or courts
- parties acquiring or interested in acquiring business units of the company or other parts of the Group
- courts, arbitration boards, law enforcement authorities, supervisory bodies, lawyers and other parties to potential or actual legal proceedings, if this is necessary to comply with applicable laws or to establish, exercise or defend rights or legal claims
We carefully select our partners and sub-processors and only entrust them with data if they give an adequate guarantee that they have suitable technical and organisational measures in place in accordance with the applicable legal requirements. Our sub-processors may only process personal data if they receive a documented instruction from us to do so. They are all subject to a confidentiality obligation and may only use your personal data to the extent necessary to fulfil the purpose for which your personal data was collected and provided there are no legal requirements to the contrary.
13. Is data disclosed abroad?
Depending on the case, we primarily process and save personal data in Switzerland and the European Economic Area (EEA) – for example, via sub-processors of our service providers or in proceedings in foreign courts or authorities – but potentially also in any country in the world.
If we disclose your personal data to third parties abroad (i.e. outside of Switzerland / the European Economic Area (EEA)), the third party must comply with the same data protection regulations as we do. If the level of data protection in the country concerned is insufficient, but we have no alternative, we will ensure that your personal data is adequately protected.
We ensure this in particular by concluding the European Commission’s standard data protection clauses with the relevant companies and/or by putting in place other guarantees in line with the applicable data protection laws. Where this is not possible, we disclose data on the basis of how necessary this is in order to fulfil any contracts in place.
14. How long is the data retained?
We only process and save your personal data for the period necessary in order to achieve the specific purpose, or provided this is stipulated in the laws or provisions to which we are subject. If the purpose for retaining the data ceases to apply or if a statutory retention period expires, your data will be routinely blocked or deleted in line with the applicable legal provisions. Furthermore, we will delete your data if you request us to and we are not subject to any legal or other retention or security obligations with regard to this personal data.
If we save your data on the basis of a contractual relationship with you, this data will remain saved for as long as the contractual relationship exists and for no longer than the statute of limitations for potential claims on our part runs or legal or contractual retention obligations are in place.
15. Which measures are in place to ensure the data is secure?
ÖKK is committed to reliable data protection and a system of data security which is continually maintained and improved upon using state-of-the-art technology and organisational measures.
We put in place technical and organisational security measures to protect your data against manipulation, loss, destruction or access by unauthorised parties and to ensure your rights are protected and the applicable data protection provisions are adhered to.
The measures taken should ensure the confidentiality and integrity of your data and the availability and capacity of our systems and services when processing your data over the long term. They should also ensure that in the case of a physical or technical incident, the availability of your data and access to it can be restored as quickly as possible. Our security measures also include the encryption of your data. All information you enter online is sent via an encrypted communication channel. This means that your data can at no time be viewed by unauthorised third parties. Our data processing and security measures are continually adapted in line with technological developments.
ÖKK has been certified for a data collection point under Art. 59a of the Swiss Health Insurance Act (KVV) and as an IT service provider for data collection points under Art. 59a KVV by the Swiss Association for Quality and Management Systems (SQS) in accordance with the Ordinance on Data Protection Certification (VDSZ). The regulations, guidelines and directives drafted within the scope of this certification apply for all of ÖKK.
We also take the protection of our own, internal data very seriously. Our employees and the service providers we mandate are obliged to maintain confidentiality over the data and to comply with the applicable data protection provisions. Furthermore, they are only granted access to personal data to the extent necessary.
16. What are your rights?
You have the following rights with regard to your personal data:
- Right to information: You have the right to find out which personal data we process, what happens to it and how long it is retained.
- Right to block and correct data: You have the right to supplement, correct or block your personal data at any time.
- Right to deletion: You have the right to request that your data be deleted at any time.
- Right to issuance and transmission of your data: You have the right to request all your personal data from the party responsible for processing it and for it to be sent in full to another party responsible for processing it.
- Right to object: You have the right to object to your data being processed. We will respect this right unless there are legitimate reasons for it being processed.
- Right to revoke consent: If you have granted us your consent to process your personal data, you have the right to revoke this consent and have your personal data deleted.
In order to rule out any fraud, we must identify you (e.g. copy of ID if necessary).
Please note that there are various requirements, exceptions and restrictions to these rights (e.g. to protect third parties or commercial secrets, or on the basis of our professional secrecy obligation).
You can contact the party listed in section 1 for information on your rights. For all data disclosure requests, please use the web form.
You can also send any complaints to the Federal Data Protection and Information Commissioner (FDPIC) if you believe that the processing of your personal data is in breach of data protection laws.
17. Modifications
We always ensure that this data protection statement is kept up to date. We therefore reserve the right to periodically amend it and make any changes with regard to the collection, processing and use of your data. The latest version published on our website shall apply. To the extent the data protection statement is part of an agreement with you, if it is updated we will notify you of the changes by e-mail or by another appropriate means.
In case of any differences in interpretation between the different language versions of this data protection statement, the German version is binding.
ÖKK, October 2023 / Version 1.1