Privacy Notice
1.0 Introduction
We, VUMI® Insurance Europe Limited, with registered address at The Landmark, Level 1 Suite 2, Triq l-Iljun, Qormi, QRM 3800, Malta, take the protection of your personal data very seriously and strictly adhere to the rules laid out by data protection laws, the General Data Protection Regulation (EU) 2016/679 (EU-GDPR), applicable insurance legislation and health-related regulatory requirements.
This Privacy Notice gives you information on how we collect, use, disclose, store and protect your personal data when you:
- Apply for, purchase or hold a health insurance policy
- Submit a claim or request benefits
- Use our website or contact us
- Interact with healthcare providers in connection with our services
VUMI® Insurance Europe Limited forms part of an international healthcare group with operational offices worldwide. For the purposes of European Union (EU) data protection law (EU-GDPR), the relevant entity issuing the insurance policy acts as the data controller for processing data in connection with that policy.
Other group companies or partners may process personal data on our behalf as data processors or joint controllers, where this is necessary to support underwriting, policy administration, claims handling, customer support and IT services.
Appropriate contractual and organisational safeguards are in place to ensure that personal data is processed in compliance with EU-GDPR.
We have appointed a data protection officer (DPO) who oversees compliance with data protection laws. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact the DPO and Compliance Team using the contact information in section 16 of this Privacy Notice.
2.0 Why we collect your personal information
We collect and process personal data for the purposes of operating as a health insurance undertaking, including:
Pre-contractual and underwriting purposes, including:
- Evaluating medical risk and pre-existing conditions
- Calculating premiums, excesses and exclusions
- Assessing eligibility for cover
Contractual purposes, including:
- Issuing and administering health insurance policies
- Managing policy changes and renewals
- Collecting premiums and processing payments
Claims management, including:
- Assessing entitlements
- Reviewing medical evidence/reports
- Paying claims and coordinating care
Regulatory and legal obligations, including:
- Anti-money laundering (AML) and counter-terrorist financing (CTF)
- Fraud detection, prevention and investigation
- Insurance supervisory, tax and accounting obligations
Operational purposes, including:
- Reinsurance and risk management
- Complaints handling and dispute resolution
- IT security, system monitoring and business continuity
Communications and service improvement, including:
- Responding to enquiries
- Improving products and customer experience
Marketing
- Where permitted by law and subject to your preferences
As part of our services, we may offer concierge-style medical support, which may include assistance with locating healthcare providers, coordinating access to medical services or facilitating communication with medical professionals in connection with insurance cover.
We do not provide medical diagnosis or clinical treatment. We process health and medical information solely for insurance, claims management and service coordination purposes, in accordance with applicable data protection and health laws.
3.0 Lawful basis of processing information
We only collect and use personal information about you when the law allows us to. Depending on the activity, our lawful bases include:
- Consent: Where required by law, including for certain marketing activities or optional processing.
- Contract: Where processing is necessary to enter into or perform a health insurance contract, including underwriting, policy administration and claims handling.
- Legal obligation: Where processing is required to comply with insurance regulation, AML/CTF legislation, tax law or other legal obligations.
- Legitimate interests: Where processing is necessary for our legitimate interests (including those of our partners or of other third parties), provided these interests are not overridden by your rights and freedoms. The legitimate interests include fraud prevention, security, internal analytics, service improvement, facilitating service delivery and exercising or defending legal claims.
Where legitimate interests are relied upon, a balancing assessment is carried out and appropriate safeguards are applied.
4.0 What information we collect and where from
We may collect personal data directly from you, from healthcare providers, from intermediaries and from other sources permitted by law. This may include:
- Name, address, telephone number, email address
- Date of birth, nationality, identification details
- Policy and claims information
- Payment and financial details
- Medical and health-related information
- Information relating to dependants covered under a policy
- Technical data such as IP address and website usage information
4.1 Special category data
Due to the nature of health insurance, we process special category personal data, including:
- Health and medical information
- Medical reports, diagnoses and treatment details
- Information relating to physical or mental health conditions
We process special category data only where permitted under Article 9 of the EU-GDPR, primarily:
- Article 9(2)(h) – processing necessary for insurance purposes, healthcare or the management of health systems and services, pursuant to Union or Member State law
- Article 9(2)(f) – establishment, exercise and/or defence of legal claims
- Article 9(2)(a) – explicit consent, where required for optional processing
Appropriate safeguards are applied, including strict access controls, data minimisation and retention limits.
4.2 Third party collection of personal data
We may receive or collect your personal data from third parties such as:
- Healthcare providers and medical professionals
- Insurance intermediaries and brokers
- Reinsurers and co-insurers
- Fraud prevention agencies
- Public authorities where permitted by law
5.0 How long we keep information for
We will retain your personal data only for as long as necessary for the purposes for which they were collected and in accordance with legal and regulatory requirements.
Retention periods vary depending on whether data relates to:
- Policy administration
- Claims
- Medical evidence
- Legal or regulatory obligations and best practice
Further information about retention can be obtained by contacting us using the details in section 16 of this Privacy Notice – “additional information”.
6.0 Security of personal information
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure.
Access to health and medical data is strictly limited to authorised personnel who require it for legitimate purposes. All employees receive data protection and information security training.
Further information about the security that we implement can be obtained by contacting us using the details in section 16 of this Privacy Notice – “additional information.”
7.0 Children’s information
VUMI® Insurance Europe Limited may process personal data relating to children and dependants where this is necessary to provide health insurance cover.
Where consent is required, we take reasonable steps to verify that it has been provided by a person with parental responsibility, in accordance with applicable EU Member State laws.
8.0 Your individual rights
In this Section, we have summarised the rights that you have under EU-GDPR. Some of the rights are complex, and not all the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
Your principal rights under EU-GDPR are:
- Right to Object
- Right of Access
- Right to be informed
- Right to Rectification
- Right to Erasure – subject to legal limitations
- Right to Restrict Processing
- Right to Data Portability
The right to object
You can exercise this right if:
- Processing relies on legitimate interest.
- Processing is for scientific or historical research.
- Processing includes automated decision making and profiling.
- Processing is for direct marketing purposes.
The right of access
- You or any third party acting on your behalf with your authority may request a copy of the personal data we hold about you without charge.
- We will ask to verify your identity or request evidence from the third party that they are acting on your behalf before releasing any personal data we hold about you.
The right to be informed
- We are required to provide clear and transparent information to you about how we process your personal data. This Privacy Notice addresses this right.
The right of rectification
- If you believe the personal data we hold about you is incorrect or incomplete, you have the right to have it corrected. You may exercise this right along with the right to restrict processing until these corrections are made.
The right to erasure
- If there is no legal basis or legitimate reason for processing your personal data, you may request that we erase it.
- However, this is not an absolute right, as it is subject to certain legal limitations.
The right to restrict processing
- You may ask us to restrict the processing of your personal data. This means we will still hold it but not process it. This is a conditional right which may only be exercised when:
  - Processing is unlawful.
  - We no longer need the personal data, but it is required for a legal process.
  - You have exercised your right to object to processing and require processing to be halted while a decision on the request to object is made.
  - You are exercising your right to rectification.
The right to data portability
- You can request that your personal data is transferred to another controller or processor in a machine-readable format if:
  - Processing is based on consent.
  - Processing is by automated means (i.e. not paper based).
  - Processing is necessary for the fulfilment of a contractual obligation.
If you have any questions about these rights, please contact us using the details in section 16 of this Privacy Notice – “additional information.”
9.0 Consent
Where you have given consent for processing, or explicit consent in relation to the processing of special category data, you have the right to withdraw this consent at any time, and this will not affect the lawfulness of processing carried out before its withdrawal.
10.0 Failure to provide personal information
If you do not provide personal data required for underwriting, policy administration or claims handling, we may be unable to provide insurance cover or process claims.
11.0 Cookies
We use cookies and other tracking technologies on our website and in emails. Please see our separate Cookies Notice for further details.
12.0 Automated decision making
Your personal data is not used in any automated decision making (a decision made solely by automated means without any human involvement) or profiling (automated processing of personal data to evaluate certain conditions about an individual).
13.0 Transfers to third parties
VUMI® Insurance Europe Limited may share or disclose your personal data to third parties and recipients to help us deliver our services/products. These include:
- Healthcare providers, hospitals, clinics, medical practitioners, diagnostic services and medical assessors
- Claims handlers and third-party administrators
- Companies within our group where necessary for administrative purposes and to provide services to you
- Third parties that support us to provide products and services (e.g., IT support, cloud-based software services, providers of telecommunications equipment)
- Reinsurers
- Fraud prevention bodies
- Regulators and public authorities
- Payment service providers
- Professional advisors (e.g., lawyers, auditors)
All third parties/recipients are contractually bound to protect your personal data appropriately.
14.0 Transfers outside of the EU/EEA
Due to the international nature of our health insurance products and worldwide cover, personal data – including health and medical information – may be transferred to healthcare providers, claims handlers, reinsurers or service partners located outside the European Union (EU)/European Economic Area (EEA).
Where such transfers occur, we ensure that appropriate safeguards are implemented in accordance with Chapter V EU-GDPR, which may include:
- Adequacy decisions issued by the European Commission
- EU Standard Contractual Clauses (SCCs), together with supplementary safeguards where required
- Binding Corporate Rules (BCRs) for intra-group transfers, where approved by a supervisory authority
- Transfer risk assessments and enhanced security measures for health data
- In exceptional and limited circumstances – derogations under Article 49 of the EU-GDPR
We take particular care to ensure that international transfers of health data are limited to what is necessary and are protected by robust technical and organisational measures.
For more information about transfers and safeguarding measures, please contact us using the information in section 16 of this Privacy Notice – “additional information”.
15.0 Right to complain
If you think that our collection or use of personal data is unfair, misleading or inappropriate, or have any other concern about how we process your personal data, please raise this with us in the first instance at dpo-europe@vumigroup.com.
If you feel that we have not adequately addressed your complaint, you are also entitled to contact the relevant supervisory authority.
You can make a complaint to the Office of the Information and Data Protection Commissioner (IDPC):
By Post: Office of the Information and Data Protection Commissioner, Floor 2, Airways House, Triq Il-Kbira, Tas-Sliema SLM 1549, Malta
By Website: Click Here
By Email: Click Here
Online: via the IDPC complaint form Here
By Phone: +356 2328 7100
16.0 Additional information
Your trust is important to us. That is why we are always available to talk with you at any time and answer any questions concerning how your data is processed. If you have any questions that could not be answered by this Privacy Notice or if you wish to receive more in-depth information about any topic within it, please contact our DPO and Compliance Team via email at dpo-europe@vumigroup.com.
17.0 Review and Amendments
We will keep this Privacy Notice under regular review. This Notice was last updated on 10/02/26.
We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.