Travel Care privacy policy

If you have any questions or would like more information about what personal data we process about you, or would like to exercise your rights, please contact us at:

Viking Assistance Group AS
Drammensveien 133
0277 Oslo, Norway
Norway

Viking Travel Care:

Telephone number Travel Care call centre: +45 72 111999
E-mail: travelcare@vikingassistance.com

Our data protection officer can also be contacted at privacy@vikingassistance.com.

Personal data is any information that can be linked to a natural person or a small group of people ("data subjects"). Examples of what constitutes personal data are name, social security number, address, telephone number and e-mail address. Personal data may also include special categories of personal data (often referred to as "sensitive"), such as information about a person's state of health, religious beliefs, ethnic origin or information about a person's sexual relations or orientation.

By processing of personal data, we mean the collection, storage, collation, erasure and any other use of personal data.

This privacy policy covers our processing of personal data about the following categories of persons:

• Contact persons at suppliers and business partners
• Persons who receive health care through the use of Viking's health service

If you are a member of Viking Redning, please read more information about how we process your personal data as a member here . For information about what personal data we process about visitors to our website, please refer to our general privacy policy here. What information is processed depends on which cookies you have accepted when you visit our website. You can read more about our use of cookies in our cookie policy here.

Case Processing

When we provide health care to you or close relatives under relevant insurance agreements, we process the following categories of personal data about you or your close relatives:

• Information about you and your contact information. For example, name, national identity number, address, telephone number, information about your employer, eID or information associated with your electronic signature and e-mail address.
• Incident information. Information about acute illnesses, accidents and other incidents that result in you needingassistance from us.
• Location. For example, information about your location if we provide you with assistance while travelling or this is necessary to find suitable healthcare where you are.
• Insurance information. Policy number and other information we need to assist you or others covered by your insurance. This may include information about the date of the trip, the purpose of the trip and what services and products you have contracted for. If we have a co-operation agreement with your insurance company, we receive information about your customer relationship and your insurance information from the insurance company. For this retrieval of information from the insurance company, we are the data processor for the insurance company.
• Health information. Information about illnesses, injuries and other health information that is relevant for us to be able to assist you and offer relevant treatment. Such health information includes, but is not limited to, information about injuries, health history, previous and current diagnoses, and similar information that is relevant to your health care.
• Information from your interaction with us. This may include audio logs and recordings of conversations with our call centre, any consents you have given us, information you provide when completing our customer satisfaction surveys and information you provide in enquiries and messages to us.
• Information about travelling companions. In certain situations, it is necessary for us to process information about travelling companions, for example in order to book a return journey, rental car or other alternative transport.
• Payment information. Your bank and/or credit card information used in connection with your payments to us.

If you are a contact person at suppliers or business partners, we process your data because it is necessary for purposes related to Viking's legitimate interests in interacting with our suppliers or business partners. You can find more information about the processing of the personal data of contact persons in our general privacy policy here.

We process your personal data or that of your close relatives or fellow travellers because it is necessary:

• To assess insurance coverage. We process your personal data to administer the agreement you have with your insurance company, employer or others, to assess and confirm that you are entitled to insurance cover or assistance. In this connection, it may be necessary to establish contact with the insurance company, healthcare professionals or others involved in order to obtain information relevant to assessing coverage.
• To provide you with assistance and help in connection with illness, injury or incident while travelling or while you are stationed abroad. We process your personal data in order to recommend relevant treatment centres abroad. This processing makes it possible to make medical assessments of medical treatment, monitor courses of treatment, and arrange medical repatriation or medical evacuations. We also process your personal data to be able to provide assistance in connection with transport and luggage-related incidents during travel, as well as organise other types of transport or hotel stays.
• For billing purposes. Payment and other purchase documentation is also processed for purposes related to, but not limited to, internal reporting and compliance with our bookkeeping obligations. Your personal data may also be processed for the purpose of claiming reimbursement from state actors or other actors (e.g. other insurance companies or airlines) where relevant.
• For quality assurance, training and analysis purposes. Your personal data may be processed for quality assurance, training and analysis purposes, as well as to improve and streamline our services and processes. We use pseudonymisation and aggregation of personal data for these purposes to the greatest extent possible.
• For our legal obligations. In cases where we are the data controller and subject to independent obligations under insurance regulations, we also process personal data to fulfil applicable legal obligations.
• For complaints handling. We may process your personal data to handle complaints, enquiries and other relevant requests.

When we are the data controller, we use the following processing basis to process your personal data:

• When you use our services and products, we process your personal data (as further described above) because it is necessary for the fulfilment of your contract for healthcare, cf. GDPR art. 6(1)(b). This includes information that enables us to identify you. In emergency situations, the basis for our processing may also be that it is necessary to protect your vital interests, cf. GDPR art. 6(1)(d).
• When we process health data about you, it is based on your consent, cf. GDPR art. 9(2)(a) or, if it is not possible to obtain your consent, to protect your vital interests, cf. GDPR art. 9(2)(c). We may also disclose your health data to others in connection with your insurance relationship. We will ask for your consent for such transfers of personal data unless it is not possible to obtain your consent and the transfer is necessary to protect your interests.
• Any personal data about you that is included in purchase or other bookkeeping documentation, such as payment information, will be processed on the basis of our obligations under applicable regulations, such as bookkeeping legislation or tax legislation, cf. GDPR art. 6(1)(c).

We will also process your personal data where we have a legitimate interest in doing so, cf. GDPR art. 6(1)(f). This will, for example, be relevant when we process your consent form to be able to document the basis for our processing, where a legal claim arises we will process relevant documentation to handle this and we will also process personal data to verify the identity of and process personal data of your fellow travellers and family members. If we have requested your consent to the processing of personal data, you can withdraw it at any time. Without your consent to the processing of health data, we will not be able to provide you with assistance while travelling if you need health care.

We use and co-operate with several third parties. Where required, we have entered into data processing agreements with them, which require the companies in question to ensure that personal data is stored securely, that it does not fall into the hands of unauthorised persons, and that it is not used for purposes other than those we designate. We will never sell your personal data to a third party. We use various service providers such as to provide us with IT services and other administrative services. Such service providers are Viking's data processors, and we enter into data processing agreements with them in line with the requirements of theData ProtectionLegislation.

Depending on the case, your information may also be disclosed to:

• Hospitals, doctors' offices, healthcare professionals and similar organisations that need to receive information about your state of health in connection with our provision of medical assistance and payment of medical treatment costs. Viking co-operates with a large network of clinics, doctors' offices, healthcare professionals and other providers who carry out the necessary medical assistance. Viking does not have direct contracts with all of these, but is contractually covered by a network agreement entered into with a strategic partner that manages a network of medical treatment providers. This partner as well as all the providers are independent data controllers and have a statutory duty of confidentiality to ensure the confidential processing of your personal data.
• Insurance companies in connection with your insurance case. This may include information about injuries, health status, theft, accidents, repairs, suspected insurance fraud and other relevant information. This also applies to the administration of your claim, which may include medical or health information. Insurance companies are responsible for their own processing of personal data in connection with your insurance claim.
• Police or other supervisory authorities that require disclosure of personal data in line with applicable regulations.
• Third parties where it is necessary to safeguard your interests and security. This may include sharing information with emergency services or medical personnel in the event of an accident, as well as car rental companies, airlines and hotels to organise transport or accommodation. We may also share your personal data with public authorities to, for example, seek reimbursement of medical expenses incurred.

If you are located in a country outside the EU/EEA, it is possible that your personal data will be transferred to parties located in other countries so that we can fulfil the purposes set out in this privacy policy, for example if you need urgent medical assistance while travelling. The level of protection for personal data in such countries may be somewhat lower than in the EU/EEA. Where possible in the circumstances, Viking will adopt EU standard data protection clauses and ensure that adequate safeguards are in place to ensure that your personal data is and remains protected.

We will delete or anonymise personal data when it is no longer necessary for the purpose for which it was collected, as well as in accordance with the following deletion procedures:

• The personal data related to case management or delivery of our products and services will be processed until the relevant case is closed, and then anonymised after 10 years. For insurance cases we process on behalf of insurance companies, separate storage requirements apply, and we refer to the insurance companies' privacy policy in this regard.
• If we store audio recordings, these will be stored for a maximum of 3 months. For audio recordings stored on behalf of insurance companies, the retention period specified in the relevant company's privacy policy applies.
• Depending on the nature of the documentation, invoice information will be stored for either 3 years and 6 months or 5 years in accordance with the Bookkeeping Act.

If there is a need to handle a complaint or a legal claim, personal data may be processed for an extended period.

As a general rule, information about the deceased is not covered by Data Protection Legislation and is not treated as personal data. However, in some cases it may be necessary for us to collect and process information about the deceased, for example in connection with transport or other services related to the handling of deaths. This may include name, date of birth, cause of death and place of death. Such information is only used when necessary to provide services and is handled in a secure and confidential manner. If information about relatives or other living persons is processed at the same time, we ensure that this is done in accordance with applicable Data Protection Legislation.

Where we process your personal data, you have a number of rights under the Data Protection Legislation that you may exercise.

You have the right to gain access to the personal data we process about you, including the right to receive a copy of this data. If you believe that the information we have registered about you is incorrect, you have the right to request that it be corrected. You have the right to request that your data be deleted from our systems, and we are obliged to comply with this under specific conditions. If you object to our processing of your data, but do not want it to be deleted for the sake of ongoing processes, you can request a restriction of processing. In such cases, our processing will be limited to necessary storage only. Where our processing of your data is based on legitimate interests (see section "What is the Legal Basis for our Processing of Personal Data?"), you have the right to object to the processing. If you object, we will stop the processing in question, unless there are compelling legitimate grounds for continuing the processing. Where our processing of your data is based on your consent or our agreement with you, you have the right to receive this data in a structured, commonly used and machine-readable format, either to yourself or directly to another third party.

Please note that the rights described above are subject to exceptions and conditions, and that not all rights will be relevant to all of our relationships. You can read more about your rights on the website of the Norwegian Data Protection Authority, here.

If you wish to exercise any of your rights in relation to us, please contact us as set out in the "Contact Information" section above. Please note that we may need to ask you to identify yourself, as we may need to ensure that you are who you say you are. We will respond within 30 days or let you know if we need more time.

Viking does not use automated decisions that have a legal effect or other similarly significant effect on you or your privacy rights.

The Norwegian Data Protection Authority (Datatilsynet) is responsible for monitoring the data protection regulations and supervising Norwegian companies' processing of personal data. You can contact us at any time if you have complaints related to our processing of your personal data. You can also complain to the Norwegian Data Protection Authority or a supervisory authority in the EU/EEA country where you live or work, or where the alleged offence has taken place.

Contact information for the Norwegian Data Protection Authority can be found on their website, here. On the website, you will also find further information about our obligations under the applicable data protection legislation.

The current version of the Data Protection Act is available on Lovdata. The Data Protection Act and GDPR can be found here.

From time to time, we may revise this privacy policy, for example as a result of changes to our processing of personal data or as a result of changes to data protection legislation. When the privacy policy changes, an updated version will be published on our website. This privacy policy is valid from the date stated in the introduction.