Privacy notice
We are committed to protecting and using your personal information responsibly.
If you have any questions about our privacy notice, please email [email protected]
Privacy notice sections
Who this notice is for
This privacy notice is for:
- anyone who buys, uses or contacts us about our products and services (such as our health or dental insurance customers)
- residents in our care homes
- patients of our health clinics or the Cromwell Hospital
- people who work with Bupa, such as intermediaries or suppliers (but not our employees or healthcare professionals)
- patients of our dental practices, which include Bupa Dental Care, Grosvenor House Orthodontic Practice, Total Orthodontics and Platinum practices in the UK, and ORTHO and Smiles Dental practices in the Republic of Ireland.
Bupa Blua Health app
We have a different privacy notice for the Bupa Blua Health app, our digital GP service.
Go to Blua Health privacy notice
Bupa Be.Me
We have a different privacy notice for our health assessment services.
Go to Bupa Be.Me privacy notice
Healthcare professionals
We have a different privacy notice for our healthcare professionals such as our consultants and clinicians.
If this applies to you, please contact us for a copy.
About us
Who we are
We're a healthcare organisation that offers a wide range of services to support our customers health. When we say Bupa in this notice, we mean all our businesses within Bupa UK, the Republic of Ireland, Bupa Global and Bupa Group.
- Bupa UK means our Care Services, Cromwell Hospital, Dental Practices, Health Clinics and UK Insurance businesses. It provides health insurance as well as health and dental care, care homes and the Cromwell Hospital services to UK based customers
- In the Republic of Ireland we operate our Smiles Dental and ORTHO dental practices
- Bupa Global provides international private medical insurance to customers globally.
- Bupa Group sets policy and standards for Bupa's businesses globally.
See here the list of legal entities in Bupa UK and the Republic of Ireland or find out which entities make up Bupa Global.
Who processes your personal information?
Which business looks after and uses your information as a data controller depends on which services you’re using or interacting with. A data controller is the business that looks after your data and decides how it is used.
The information we process, and the reasons why, may vary across our products and services. We explain any differences in this privacy notice.
How we collect your personal information
From you
We collect your personal information from you when you get in touch with us:
- by phone, where we may record or monitor phone calls for quality assurance and to make sure we’re keeping to legal rules, codes of practice and internal policies
- by email
- through our websites, including webchats and virtual assistants
- through our apps
- by using our products and services
- by post
- by completing an application or other form(s)
- by entering competitions
- through social media
- face to face, for example during treatment
Third parties
We also collect information about you from third parties. Find out more about how we collect and share your personal information with third parties.
What personal information we collect
Basic personal data
Name, membership or registration number or patient ID, age and date of birth.
Contact
Username, address, email address and phone numbers.
Residency
The country you live in and national identifiers such as national insurance or passport number.
Communications
Details of any contact we’ve had with you, including phone calls and written complaints.
Financial details
Payments and bank account details.
Employment details
Your role and the company you work for, if your employer pays for your insurance, scheme or treatment.
Criminal convictions and offences
Your criminal offences and convictions are collected when carrying out anti-fraud or anti-money-laundering checks, or other background screening checks to prevent crime.
Behavioral and usage information
How you use and access our digital services.
Technical information
The devices and technology you use and website browser settings.
Special category information
Information about your physical or mental health, including genetic or biometric information. We may get this information from:
- application forms
- notes and reports about your health and any treatment and care you’ve received or need
- notes from calls and other communications you’ve had with us
- referrals from your existing insurance provider
- quotes
- records of medical services and treatment you’ve received
How we use the personal information we collect
Under data protection laws, we can only process your information if we have a legal reason (known as a ‘lawful ground’) for doing so.
You can find out how we use your personal information, including the lawful grounds, under data protection laws that we rely on to process your information. You can find out what the different types of information mean under ‘what personal information we collect’.
- Basic personal details
- Contact
- Communications
- Residency
- Financial details
- Employment details
- Special category information
- Behavioural and usage information
- Technical
- It’s necessary to provide the services set out in a contract
- It’s required or allowed by law
- We have a legitimate interest to:
- deliver our products and services
- tailor the delivery of our products and services to your specific needs and interests
For special category information
- It’s necessary for health or social care purposes such as:
- preventive or occupational medicine
- assessing your working capacity as an employee
- medical diagnosis
- providing healthcare or treatment
- providing social care
- managing healthcare or social care systems or services
- With your consent (if required)
- When it’s in your vital interests
- Basic personal details
- Contact
- Communications
- Residency
- Financial details
- Employment details
- Special category information
- Behavioural and usage information
- Technical
- It’s necessary to provide the services set out in a contract
- It’s required or allowed by law
- We have a legitimate interest to:
- manage our relationship with you, our business and third parties
- deliver our products and services
- tailor the delivery of our products and services to your specific needs and interests
- communicate with our customers and business partners
- process insurance claims and collect money owed to us
For special category information
- It’s necessary for health or social care purposes such as:
- advising on, arranging, providing or managing an insurance contract
- dealing with a claim made under an insurance contract
- relating to rights and responsibilities relating to or in an insurance contract or insurance law
- With your consent (if required)
- When it’s in your vital interests
- Basic personal details
- Contact
- Communications
- Residency
- Financial details
- Employment details
- Criminal convictions and offences
- Behavioural and usage information
- Location
- It’s required or allowed by law
- We have a legitimate interest to:
- manage our relationship with you, our business and third parties
- resolve issues and answer questions about our products and services
- investigate and respond to complaints
- monitor how well we are meeting our clinical and non-clinical performance expectations
- protect the public against dishonesty, malpractice or other seriously improper behaviour
- manage a claim where a third party may be at fault
- With your consent (if required)
- Basic personal details
- Contact
- Residency
- Employment details
- Behavioural and usage information
- Technical
- It’s required or allowed by law
- We have a legitimate interest to:
- confirm that you’re an employee of your employer when they are paying for the product or service you’re using
- confirm you’re an employee of a business we’re purchasing products or services from
- identify you when you access our digital services and websites
- identify if you were redirected to our websites through an advert or referral link
- identify if you’re under the age of 16
- identify fraud and fraudulent activity
- We have a legitimate interest to:
- market to our customers and prospective customers if they’ve shown an interest in us
- request feedback from customers and people we work with
- follow your contact preferences, marketing, cookies and other tracking such as in-app, profiling and automated decision making.
- operate cookies on our websites and undertake other tracking to personalise our marketing activities
- develop and run tailored advertising
- With your consent (if required)
When we need your consent to process your personal information
We’ll only ask you for consent to process your personal information if there’s no other legal reason to process it, or we think it’s appropriate to do so.
We always tell you when we need it
We’ll tell you when we need your consent and ask you for it. If we can’t provide a product or service without your consent, we’ll make this clear when we ask for it. For example, we can’t process health insurance claims without health information.
You can always change your mind
If you later withdraw your consent, we’ll be unable to provide you with any product or service that relies on us having your consent to process your personal information.
When we use anonymised information
Anonymised information is where all names and other information that could identify you, for example a membership or registration number or IP address, has been removed. We use it for example:
- to support clinical research
- for research and statistical purposes
- to help us train our people
- to undertake analytics that help us understand more about our business and make decisions. You’ll find more on this in the analytics section of this privacy notice.
When we use anonymised information, we will:
- only share it with legitimate third parties
- always limit the ways and reasons it is processed
- never sell it
Collecting and sharing your personal information
Sometimes we need to collect your information from, or share it with other people or organisations. When we share your information, we only share the information needed, and as little of it as possible, for a specific purpose. For example, if you need treatment, we’ll share relevant medical details with your treatment provider.
We have processes in place to make sure that your information is protected when we share it with third parties. If you’re sharing someone else’s personal information with us, please make sure they’ve seen this privacy notice and are comfortable with you giving us their information.
We’ve set out below the types of third parties we collect and share information with, and our reasons for doing so. We may also disclose your personal information to other third parties if we’re required or permitted to do so by law.
Description
- Our affiliated companies, listed at Bupa Legal Notices and Bupa Global Legal Notices
What we do
- We collect information from them
- We share information with them
Our reasons
- Deliver our products and services to you
- Send you communications about products and services that might interest you
- Undertake statistical research and analysis to understand more about our products and services and how to improve them
- Understand and improve clinical outcomes for our customers
- Product and service development
- Fraud prevention and detection
- Reporting on business activity and success
- Enabling us to deliver a seamless experience across our businesses, and give you easy access to our products and services across our businesses
Description
- You’ve given us consent to speak to a third party on your behalf, for example a family member, solicitor or a person acting through a Power of Attorney.
What we do
- We collect information from them
- We share information with them
Our reasons
- Deliver our products and services to you
- Manage our relationship with you
- Set you up as a customer
- Meet our regulatory obligations or comply with legal requests or legal claims
- Manage complaints, claims or individual rights requests
Description
- You’re under a group insurance scheme or health trust, or they’re paying for our services
- You’re working with us in a professional capacity as a business partner
What we do
- We collect information from them
- We share information with them
Our reasons
- Product or service administration
- Transfer to a new service provider
- Set you up as a business partner
- Manage our relationship with your employer
- Process and validate invoices, and make or receive payments
Description
- Doctors, clinicians and other healthcare professionals
- Hospitals and clinics
- Dental laboratories
- Medical laboratories
- Individuals or organisations who pay for your care
- NHS GP Connect: a secure NHS Digital service that allows authorised health and social care workers (such as Bupa GPs and Care Home nurses) to access a patient's NHS GP record to support their direct care.
What we do
- We collect information from them
- We share information with them
- Consult your NHS GP record
Our reasons
- So you can give or have treatment
- Process and validate invoices, and make or receive payments
- To investigate complaints, claims and possible fraudulent activity
- To make patient information available to appropriate healthcare professionals when they need it (e:g: prescribed medications) to make informed clinical decisions: This leads to improvements in both care and outcomes:
Description
Professional associations our consultants belong to or are regulated by, including:
- Care Quality Commission
- General Medical Council
- General Dental Council
- The Health and Care Professions Council
- Responsible Officer
- Any others that are relevant to you
What we do
- We collect information from them
- We share information with them
Our reasons
- For safeguarding purposes
- Investigate complaints and clinical incidents
- Monitor quality and performance
Description
- Health insurance counter-fraud groups
- Financial crime screening services
What we do
- We collect information from them
- We share information with them
Our reasons
- Detect and prevent fraud
- Meet our regulatory and legal obligations
Description
- Debt collection agencies we engage to act on our behalf
What we do
- We collect information from them
- We share information with them
Our reasons
- Recover money owed to us
Description
- Potential buyers or sellers of businesses and assets we’re buying or selling
- Third parties that assume responsibility for Bupa
What we do
- We collect information from them
- We share information with them
Our reasons
- Enable the third party to take over our business activities
- Support the third party’s decision making and processes to buy our business
Description
- Solicitors, auditors, actuaries and tax advisors
- Translators and interpreters
What we do
- We share information with them
Our reasons
- Support us to manage our business and meet our regulatory obligations
- Gain advice on business decisions and strategy
Description
- Government and their agencies
- Law enforcement agencies, for example the police
- Authorities and regulators such as the Financial Conduct Authority (FCA) or Prudential Regulation Authority (PRA)
- Data protection supervisory authorities
- HM Courts and Tribunals Service
What we do
- We share information with them
Our reasons
- Comply with our legal and regulatory obligations
- Protect our rights
Description
- Electoral register
- Information about you on social media
- For our business partners, public sources that include professional information about you
What we do
- We collect information from them
Our reasons
- Validate and update our records
- Understand how our customers and business partners have reviewed or discussed us or our competitors online
Description
We put measures in place to ensure that our suppliers process your personal information fairly and in line with our expectations. We use the following types of suppliers:
- IT service providers: Cloud storage, databases and data repositories, practice management systems, customer relationship management systems (CRM), communication and phone software, back-up solutions, network security and monitoring solutions and other ‘software as a service’ providers
- Marketing, sales and business development: market and customer research consultants, social media platforms and marketing and digital marketing agencies, data set and contact list providers
- Customer service support: Outsourced support with customer communication and servicing, including translation
- Dental laboratories: manufacture products such as crowns, implants, etc: for our patients
What we do
- We share information with them
Our reasons
- Help us run our business
- Manage our relationship and communicate with you
- Provide our products and services to you
- Understand our customers and market to them
- Identify and communicate with people that might be interested in our products and services
- Grow our business and keep our customers
Description
- Main policyholder, if you are a dependant under an insurance policy
What we do
- We collect information from them
- We share information with them
Our reasons
- Manage our relationship with you and the policyholder
- Issue invoices, requests and take payment
Description
- Insurance brokers
- Your agents
- Other intermediaries
What we do
- We collect information from them
- We share information with them
Our reasons
- Confirm you’re entitles to claim discounts on our products and services
- Manage our relationship with you through your broker or agent
- Discuss purchase, renewal and availability of our products and services through your broker and agent
- Set you up as a customer or business partner
Description
- Local authorities and other public sector bodies
- Commissioners and embassies
- HM Courts and Tribunals Service
What we do
- We share information with them
Our reasons
- Enable the third party to pay for the services we’re providing to you
- Comply with our legal and regulatory obligations
- Manage legal claims
Description
- Those providing your treatment such as consultants, clinicians, doctors, therapists and other healthcare professionals
- Hospitals, clinics and other healthcare providers
What we do
- We collect information from them
- We share information with them
Our reasons
- Provide you with your treatment
- When those providing treatment are involved in legal proceedings, such as for negligence or malpractice
- Manage, investigate and report on negligence or malpractice, and for legal claims
Description
- Cancer registry
What we do
- We share information with them
Our reasons
- Aid monitoring cancer rate
- Improve cancer care
- Aid cancer research
Description
- NHS Cervical Screening recall system
What we do
- We share information with them
Our reasons
- Make sure the screening is safe and in accordance with national service specifications
Description
- Health Protection Agency for infectious diseases such as tuberculosis and meningitis
What we do
- We share information with them
Our reasons
- Protect public health
Description
- Your consultant will be the data controller for any information they collect, use or store outside our systems, or in a way that isn’t in line with our instructions (this means they’ll be responsible for how your personal information is used)
- We recommend you speak to your treating consultant if you have any questions about how they handle your information
What we do
- We collect information from them
- We share information with them
Our reasons
- So you can have treatment
- Manage our relationship with consultants
- Process and validate invoices, and make or receive payments
Description
- If you’re referred or you’re transferring from or to a different provider
- The NHS and your general practitioner (GP)
What we do
- We collect information from them
- We share information with them
Our reasons
- Set you up as a customer
- Support you to transfer to the new provider
- Keep records up to date
- Ensure continuity of care
Description
- Our partners offer support and add-on services, such as patient finance and dental subscription plans
- In some cases, the partner may be the data controller of the personal information they hold about you (this means they’ll be responsible for how your personal information is used). We’ll confirm this when you choose to use the product or service
What we do
- We collect information from them
- We share information with them
Our reasons
- Offer you products and services that may interest you
- Enable you to purchase or take up offers on additional products and services offered by our partners
Transferring your personal information abroad
Sometimes we need to transfer your personal information outside of the UK and EEA (the EU member states plus Norway, Liechtenstein and Iceland). For example:
- a supplier based in India administers some of our health insurance policies
- a Bupa company based in Egypt administers some of Bupa Global’s international private health insurance.
Here’s how we keep your personal information safe when we do this:
Protection by local law
Certain countries are considered safe by regulators since they have adequate data protection laws. We can freely transfer your personal information where needed.
The UK government and the European Commission have lists of which countries they consider to have adequate protection for personal information.
Protection by other safeguards
We can also transfer personal information to countries that have not been assessed as adequate if we use appropriate safeguards. The main safeguards we use are:
- regulator-approved Standard Contractual Clauses
- additional contractual, organisational, and technical measures (as required following a risk assessment of the transfer)
Transfers within the Bupa group are covered by an agreement that contractually obliges each company to ensure an adequate and consistent level of protection.
How long we keep your information for
We keep your personal information in line with set periods:
For UK Insurance and Bupa Global, we typically keep personal information for seven years after you stop being our customer or business partner (such as brokers or intermediaries) in line with our legal obligations and business needs.
For Clinics, Cromwell and Care Services, we typically keep personal information for 20 years to comply with the law and NHS guidance.
For Dental services, we have a clinical duty to keep dental records for 11 years from the date of your last appointment or until your 26th birthday, whichever is later.
Some countries have different retention rules due to local laws. If you’d like to know more about how long we keep your information for, please get in touch.
How we calculate how long we keep your information for
How long we keep your information depends on several factors:
- how long you’ve been a customer with us, the types of products or services you have with us, any relevant events and when you’ll stop being our customer
- how long it’s reasonable to keep records to show we’ve met the obligations we have to you and by law
- any periods set by law or recommended by regulators, professional bodies or associations
- any time limits for making a legal claim
- any relevant proceedings that apply
We often have to keep your personal information to comply with a legal obligation, and this means that if you ask us to delete your personal information before the retention period has expired, we’ll be unable to do so.
Cookies, AI, analytics, and profiling
Here you’ll find information on certain technologies we use to process your personal information:
Cookies and other similar technologies
What are these technologies?
When you use our websites and apps, we and third-party companies use cookies and similar technologies such as pixel tags to collect information.
A cookie is a text file containing small amounts of information which a server may download to your computer, mobile or tablet when you visit a website or use an app.
A pixel tag (sometimes called a web beacon) is an invisible image with a line of code placed in an email or on a web page.
For simplicity, we refer to all such technologies as 'cookies'.
How do we use them?
There are different types of cookies to do different things, for example:
- letting you navigate between different pages on a website efficiently
- remembering preferences you’ve given
- helping us identify ways to improve your overall experience of using our websites and apps
Some cookies are used to show you advertising tailored to your interests, or to count the number of site visits and find out which are the most popular pages.
Managing cookies and tracking technologies
You can use our cookies management tool to see and control what cookies we use, how they are categorised and how long they last.
You can also control, block, or delete cookies through your web browser settings, usually found under ‘settings’ on your chosen browser.
Analytics
Analytics is a process to analyse data, statistics and other information, either automatically by a computer or manually by a person.
Anonymous analytics
As part of our day-to-day business, we produce management information reports. These are typically aggregated which means the information is grouped together and not looked at on an individual basis, and often they do not contain personal information. For example, we produce reports showing business performance split by day, business area or customer type.
Analytics using personal information
We sometimes conduct analytics that cannot be performed without personal information. This type of analytics involves analysing personal information and other data. The goal is to make recommendations about changes to the business or improvements to the services we offer our customers.
For example, we may analyse how our customers access our apps so we can understand how popular they are and identify where we can make improvements. This will involve us capturing your personal information, such as your member or registration number or email address used to access the app.
As part of these analyses, we sometimes carry out profiling activities.
For example, if we want to know how many customers may be interested in our dental practices in a particular area, we will conduct analysis based on postcode.
Profiling and automated decision making
Like many businesses, we evaluate information about you and use technology to give you automatic responses and decisions. This is known as profiling and automated decision making. We use these processes for:
- business activities, to give you a quicker, more consistent and fair service
- marketing, to give you information we think will interest you
Business activities
Running our business and delivering our products and services
Profiling and automated decision making can help us identify how our products and services can be improved, as well as how we can achieve better outcomes for our customers and business partners. For example, we may profile you so we can give you relevant information and notices within our apps.
We may share some of your information including your name, date of birth, sex and the country you live in with third party companies who carry out fraud checks. This will allow us to identify matches and carry out further checks to detect and prevent fraud.
Even if you aren’t at risk of fraud or suspected of committing fraud, using a range of people’s information allows us to have a better and more accurate anti-fraud process.
We use technologies that automatically pre-authorise your treatment. This is more efficient for our customers, business partners and healthcare professionals. We need to use profiling to create a reliable system and this involves automatic decision making. We typically make sure an adviser reviews any problems with treatment approval to guarantee a fair outcome to our customers.
We use profiling and automated decision making to help us decide what level of cover we can offer you. We’ll use technology to review your medical information and find out if you have any previous or existing health conditions which aren’t covered by your health policy or scheme.
We may use software to help us calculate the price of products and services based on what we know about you and other customers.
Our software may:
- analyse your previous claims and compare it with the information we hold to find out how likely you are to claim in future
- use data such as your age, where you live and details about your health, for example existing health conditions and whether or not you smoke, to calculate prices for products
- evaluate your payment and previous claims, information you’ve given us about yourself, and other information we’ve received from third parties to automatically:
- provide you with a renewal quote
- decide what incentives we can offer you
- choose the marketing messages you’ll receive
We use AI and machine learning technologies to do this automatically. The technology gives us more accurate and tailored information.
We use AI and machine learning technologies to do this automatically. The technology gives us more accurate and tailored information. You can find more information about this under AI and machine learning below.
Marketing
Conducting and improving our marketing activities
We use profiling for marketing purposes. This helps us understand what offers, incentives and information may interest you and other people. We take the following steps:
1 ‐ We collect your information
We collect information directly from you and through automated means both as part of your onboarding as a customer or business partner and during our relationship with you. We also collect information about you from third parties, such as your employer or insurance brokers.
2 ‐ We create data sets
We combine your information with other people’s information. This helps us understand our customers and business partners on a less individual level. We also segment the information into different categories, for example by type of customer. This gives us a more accurate picture of the marketing that might interest you and others.
3 ‐ We make predictions and gather insights about you and others
Profiling helps us evaluate information about you and others to improve our marketing activities. We undertake manual profiling, meaning our team will manually review a set of data and filter it by different categories. For example, we may predict that our female customers in a given age range will be interested in a female health initiative, or that if you’re already engaging with some of our digital products you may be interested in other useful digital features to improve your experience.
We also use AI and machine learning technologies to run the process automatically. The technology gives us more accurate information, such as predicting how likely you are to stop using our products and services. You can find more information about this under AI and machine learning below.
4 ‐ We market our products and services to you and others
We share personalised marketing communications by email and phone and within our apps and other digital services, displaying content that we think will be relevant to you. We also use the results of this to find other people with similar traits who might be interested in our products and services.
We use a combination of social media platforms and digital capabilities, such as customer relationship management tools, to send marketing, show our adverts and create personalised marketing campaigns using the results of our profiling and automated decision making.
Your rights about profiling and automated decision making
Right to object to profiling related marketing
If you object, we’ll stop these activities.
Right to object to a purely automated decision about you
If you object, a member of our team will manually review the decision that was made about you.
Artificial intelligence and machine learning
What are these technologies?
Artificial intelligence (AI) is where computers are programmed to think and act like humans This includes doing things such as learning, problem solving and decision making.
Machine learning is a subset of AI that involves training machines to learn and improve from experience without being explicitly programmed. This is typically done by providing large amounts of data to the machine and allowing it to learn patterns and make predictions based on that data.
How do we use AI and machine learning?
Some of the ways we use AI
- Customer service. AI and machine learning can be used to improve customer service by providing personalised recommendations and assistance. For example, chatbots powered by AI can help customers claim or answer questions about their policies. This improves response times and our efficiency.
- Risk assessment and pricing
- Fraud detection
- Training our model (the AI algorithm) that creates predictions for marketing and business activities
How do we use AI and machine learning responsibly?
We are committed to using AI responsibly by following five key principles:
- privacy and security
- fairness
- transparency
- safety
- accountability
Your choices and rights
Information on how to control your personal information and the rights you have under the law.
Opting-out from marketing
You can ask us to stop sending you email marketing by using the ‘unsubscribe’ link in the message we send you.
For all other types of marketing, you can opt out (ask us not to send it) or change your preferences:
UK Insurance, Clinics, Cromwell Hospital and Care Service customers
Change your preferences in your My Bupa online account or app, or email [email protected]
Bupa Global customers
Opt out through the MembersWorld portal or email [email protected]
Bupa Dental Care and Smiles patients
Change your preferences in the Patient Portal or email [email protected]
You can’t unsubscribe from service communications. These are communications we need to send you for administrative or customer service reasons.
You also have the right to object to us profiling you for direct marketing purposes.
Your rights
You have rights under privacy law about to your personal information.
Right of access
You can ask us for a copy of the personal information we hold about you.
Right to rectification
You can ask us to correct or remove inaccurate information we hold about you.
Right to restriction of processing
You can ask us to use your information for restricted purposes only.
Right to portability
You can request that we transfer your information to you or to someone else in a format that can be read by computer.
Right to erasure
You can ask us to delete your information if there’s no good reason for us to keep it. If there’s a reason why we can’t do this, for example legally we need to keep it for a certain length of time, we’ll let you know.
Right to withdraw consent
You can withdraw any consent you’ve given us. We’ll let you know if we have to stop providing a product or service to you as a result. Any processing of your personal information that happened before you withdrew your consent will remain lawful.
Right to object
You can object to us processing your information when:
- we’re processing it or profiling you for direct marketing purposes
- we’re processing it for a legitimate interest (see ‘how we use the personal information we collect’ for when this applies)
- our processing is based on a task carried out in the public interest (such as prevention of crime)
However, we may be unable to action your objection if there’s an overriding reason or the processing is necessary for legal claims. We’ll tell you if this applies when you contact us.
You don’t always have the right to object. We’ll let you know if you can’t and explain our reasons for turning down your objection.
Rights in relation to profiling and automated decision
You can ask us not to make solely automated decisions about you or use profiling if this has a legal effect on you or an effect as significant as a legal effect.
You can also ask us to reconsider an automated decision and find out more how the decision was made. If you do, we’ll see if we can review the decision and let you know the outcome.
We may be unable to action with your request if:
- the automated decision making or profiling is necessary for us to enter into a contract
- we’re authorised by law to make an automated decision or undertake profiling
You also have a right to make a complaint to your local privacy supervisory authority
If you’d like to do this, please tell us first, so we have a chance to address your concerns.
If we don’t, you can complain to:
- the Information Commissioner’s Office, if you’re a customer based in the UK
- the supervisory authority of your country, if you’re an Irish or European Bupa Global customer
- if you’re based another country, we’ll let you know your relevant authority
How to exercise your rights
If you want to exercise your rights, please email:
- [email protected] for customers of our UK businesses
- [email protected], if you’re a Bupa Global customer
To help us manage your request, please tell us in your email which Bupa business you’re a customer of.
What to expect
1. Identification
We may ask you to confirm your identity and provide information that helps us understand your request better.
2. We’ll let you know if we can fulfil your request
Unless you’re exercising an absolute right, for example the right to object to the processing of personal information for direct marketing purposes, we may be unable to fulfil your request. We’ll let you know and explain why.
3. Our response
We’ll respond to requests about automated decisions in 21 days. For all other requests, we’ll tell you within one month what action we’ve taken, starting from the day we receive them.
How to get in touch or make a complaint
If you have any questions, comments or would like to complain about this notice, or any other questions about the way we process your information, please get in touch with our Data Protection Officer and privacy team.
Reach us by post
Address your letter to:
Bupa, Privacy Team,
1 Angel Court,
City of London, EC2R 7HJ,
United Kingdom