Data protection

Our partners and customers entrust us with sensitive data. As a result, data-protection-compliant handling of data and protection against unauthorised access is not just a statutory obligation for us, but the basis for trust. Acting prudently and with integrity with regard to data protection and data security is part of Helsana’s corporate culture.

To ensure that all employees act in a legally compliant manner at all times, everyone has to complete an e-learning session on data protection when they join the company and repeat it at regular intervals. The data protection specialist department also organises up to 15 specialist data protection training courses a year to raise employee awareness and provide information on current legal developments. The data protection principles and specific applications are set out in internal management documents for employees.

In addition, an inventory is kept of all data processing operations, together with data protection concepts that describe these operations and are checked on a regular basis for legal compliance. Corrective measures are taken in response to all compliance-related findings.

Our measures are bearing fruit: awareness of data protection is very high at Helsana. Employees actively report suspected cases of data misuse (data breaches), which generally turn out to be minor but are subjected to a qualified review and can also result in measures. This means that the risk of data leaks for our insured persons, partners and employees is consistently at a very low level. This is confirmed by the annual certification of the data protection management system (DSMS) of the physical and electronic data collection point by an inspection body.

In the 2023 reporting year, there was one significant incident relating to the protection of personal data due to human error by one of our service providers (contract data processor). The process defined for cases like these, which is set out in an internal instruction for dealing with compliance-related findings, included the ad hoc establishment of a task force, the implementation of immediate measures, including prompt information for the customers affected, and, where necessary, longer-term measures and principles to close the case. This process proved to be effective in the case in question, enabling the persons concerned and the supervisory authorities to be contacted immediately and the finding to be rectified promptly. The case was reported to the supervisory authorities, who did not raise any objections to Helsana’s handling of the incident.

Data protection | Unit | 2023
Data-Breach | number | 1