Privacy Policy

We (ESIS, Inc.) administer the COVAX No-Fault Compensation Program for AMC Eligible Economies (the “Program”). Under the Program, we need to collect certain personal data about the patient, their authorized representative (if applicable), and any healthcare professional providing supporting evidence. The personal data we collect is set out in the Application Form and Supporting Evidence Form, and may also be supplemented by additional information we collect from healthcare professionals who have treated the patient, as well as third party sanctions and anti-fraud databases.

We use the personal data we collect in order to consider whether a claim is eligible for payment under the Program, to communicate with the patient or their representative, and to process any payment made on a claim (if eligible). Where necessary, the personal data may be shared with third parties including our service providers, reinsurers, and government health and law enforcement agencies.

You may have certain rights in respect of the personal data we process. More information about these, as well as other conditions that apply to our use of your personal data, can be found in our full Privacy Policy below.

ESIS, INC. PRIVACY POLICY
FOR
COVAX NO-FAULT COMPENSATION PROGRAM FOR AMC ELIGIBLE ECONOMIES

February 10, 2021

  1. Who are we and what is the purpose of this Privacy Policy
    1. ESIS, Inc. (“we”, “us”, “our”), a subsidiary of Chubb Limited, with its registered office at 436 Walnut Street, Philadelphia, PA 19106, United States of America, administers the COVAX No-Fault Compensation Program for AMC Eligible Economies (the “Program”), in accordance with the terms of the Protocol for COVAX No-Fault Compensation Program for AMC Eligible Economies (the “Protocol”).
    2. This Privacy Policy explains how and why we use Personal Data in the context of the Program, and explains certain rights in relation to your Personal Data (for example, access to or erasure of your Personal Data). For the purposes of this Privacy Policy, “Personal Data” means any information relating to an identified or identifiable person, unless otherwise defined under applicable law. Any capitalized terms not defined in this Policy have the meaning given to them in the Protocol, or in any of the Application documents mentioned below.
  2. Who does this Policy apply to?
    1. This Privacy Policy applies to Patients who apply for compensation under the Program and, if relevant, to any person who makes an authorized Application on behalf of a Patient, as well as to any Registered Healthcare Professional who submits their Personal Data in connection with an Application, either as part of a Supporting Evidence Form or at a later date (“you”, “your”). If an Applicant is claiming a birth defect, we will also collect Personal Data about the Patient’s mother.
    2. To make an Application under the Program, you must submit an Application form in the specified format (the “Application Form”), accompanied by Supporting Evidence in the specified format (the “Supporting Evidence Form”). Applications can be submitted through the web portal at covaxclaims.com (the “Web Portal”), by email at covaxclaims@esis.com, or by post. This Privacy Policy should be read alongside the Program’s Protocol and other forms. Please read this Privacy Policy carefully before submitting an Application for the Program.
    3. As set out in the Application Form, by submitting your Application, you consent (on your own behalf and, where applicable, on behalf of the Patient) to our collection, use and processing of your Personal Data as set out in this Privacy Policy. This is without prejudice to our ability to rely on alternative bases for processing Personal Data, where required or permitted by applicable law (see Section 4 below).
    4. Where the Patient is a child, we will be relying on consent given by the Patient’s duly authorized representative, as per Sections [10] and [11] of the Application Form.
  3. Contact Us
    1. If you have any questions, please do not hesitate to contact us by email at covaxclaims@esis.com, or by regular mail to one of the Program’s Regional Centers. We will be happy to answer them. You can also contact us by calling the Program’s Global Telephone Hotline or any of the direct telephone numbers for the Program’s Regional Centers, available under the “Contact Us” page of the Program’s website at covaxclaims.com.
  4. Why do we collect and use your Personal Data?
    1. The information collected through the submission of your Application enables us to administer and manage the Program, which includes the following activities:
      • reception and registration of Applications for compensation under the Program;
      • verification of your identity, including conducting sanctions checks;
      • distribution and acknowledgement of receipt and registration of Application Forms, including the Supporting Evidence Form;
      • review of Applications, including the Application Form and the Supporting Evidence Form;
      • assessment of Receivable Claims;
      • approval or denial, as the case may be, of payment for compensation;
      • processing of appeals or other proceedings arising from or in connection with the Application for compensation under the Program;
      • response to questions and provision of information;
      • for any purpose required by applicable laws.
    2. Except as set out in Section 4.3, our processing of Personal Data is based on the consent you or your authorized representative provide when making the Application. You can withdraw your consent at any time but please note that such withdrawal:
      • does not call into question the lawfulness of any processing carried out prior to such withdrawal and based on your consent;
      • may result in you no longer being able to benefit from the Program.
    3. Where permitted or required by applicable law, we may base our processing of Personal Data on alternative grounds, such as establishing or defending legal claims, enforcing the terms of the Protocol, administering insurance, or complying with legal requirements.
  5. How do we obtain your Personal Data?
    1. In most cases, we will collect your Personal Data when you (or your authorized representative) submit an Application for compensation. The Supporting Evidence Form) will be completed by one or more Registered Healthcare Professionals, and we may need to seek additional information from such Registered Healthcare Professionals. Unless expressly indicated, the provision of all Personal Data in connection with the Application or appeals under the Program is necessary in order to consider your Application under the Program.
    2. We further collect Personal Data through the use of cookies and similar technologies when you navigate the Web Portal. Please see our Cookie Policy for further details.
    3. We may also use third party databases to obtain additional Personal Data about you where this is relevant to assessing your claim. In particular, we carry out sanction screening by using a third party database to check your identity against published sanctions lists. We may also run checks designed to identify potentially fraudulent claims by using third party fraud databases.
  6. What types of Personal Data do we collect?
    1. We collect various categories of Personal Data about the Patient, as listed on the Application Form. This includes basic identity and contact information, as well as national identifiers. It also includes detailed information about the Patient’s history with the Vaccine and the injury which they are claiming to have suffered.
    2. As set out on the Application Form, we also need contact and identity information about any representative authorized to represent a Patient (if applicable), as well as the identity of and professional information about any Registered Healthcare Professionals submitting information in or with a Supporting Evidence Form.
    3. As part of verifying your identity, we will conduct appropriate checks, including sanction screening against lists published by government, regional or other bodies. Those checks may reveal additional data if you are included on a relevant list. After receiving the Application Form, we may need to request supplementary medical information from you or from Registered Healthcare Professionals that have completed the Supporting Evidence Form and/or have treated you, in order to fully analyze your Application. Finally, if we decide to make a payment for compensation under the Program, we may need to request further information (such as bank account information) in order to process that payment.
  7. Who do we disclose your Personal Data to?
    1. For the purposes described in Section 2.1 of this Privacy Policy, we may share your Personal Data with service providers who will process your Personal Data on our behalf to assist us in the management and administration of the Program. All such service providers will be bound by contractual obligations to protect your Personal Data.
    2. These service providers include (but may not be limited to):
      1. Crawford & Company International Inc., who will facilitate:
        • on-the-ground assistance in administrating the Program;
        • assessment of Receivable Claims;
        • payment of claims if awarded and securing release of the funds;
        • issuance of compensation denial letters; and
        • further claims adjusting activities for the Program.
      2. NAVEX Global, who help us to provide a global telephone hotline
      3. Soteria, who help to host the website covaxclaims.com and Soteria’s sub-processors who will provide translation services of the Applications into English of an Applicant’s answers to the Application Form, but only where (a) the Applicants completes and submits the Application directly on the Program’s website, and (b) the Applicant’s answers to the online Application Form are provided in French or Spanish.
    3. We may also share your Personal Data with third parties other than our service providers, such as:
      1. the members of the Review Panel, the members of the Appeals Panel and/or any other persons representing and/or advising any of them;
      2. members of the Chubb group of companies, of which ESIS forms part, strictly to the extent necessary for the purposes listed in Section 4.1;
      3. if applicable, any companies reinsuring risk under the Program;
      4. any local health services, government agencies and intergovernmental organizations as may be required from time to time for the purposes of the risk profiling of vaccines or public health measures or interventions or any other reasonably proportionate activity which may from time to time be required in connection with the Application or any appeals or other proceedings arising from or relating thereto, or by applicable law;
      5. any law enforcement or governmental organizations as may be required from time to time for the purposes of detecting, preventing or prosecuting criminal activity;
      6. courts, other governmental organizations, legal advisers or other parties to a dispute where necessary to enforce the Protocol or to otherwise establish, exercise or defend our legal rights; and
      7. any third party insurance company to whom administration of the Program is transferred.
    4. We do not sell your Personal Data to third parties. We do not share or otherwise make available your Personal Data to third parties, except as otherwise provided in this Privacy Policy, or required by applicable laws.
    5. Please note that when using the Web Portal, this Privacy Policy does not cover how your Personal Data is processed by third parties when we link to their websites. We encourage you to read the privacy policies of other websites you visit.
  8. Where will your Personal Data be processed?
    1. Your Personal Data is collected from you in your place of origin or residence within the AMC Eligible Economies and transferred to us, in the United States of America, for processing. Where it is necessary for us to transfer your Personal Data to other members of our group of companies (as anticipated by Section 7.3 (b) of this Privacy Policy), that transfer will be governed by our intra-group data transfer agreement, which imposes common contractual standards (including, where required by law, the EU Commission’s standard contractual clauses) to protect your data, wherever it is processed.
    2. The service providers listed in Section 7.2 are based in the United States of America and the United Kingdom. Our contracts with these service providers impose obligations on them to protect your Personal Data to the same standard regardless of where it is processed, and also impose any specific safeguards required by data protection laws (such as the EU Commission’s standard contractual clauses). You should be aware that, although we impose contractual obligations that require your Personal Data to be protected to the same standard wherever it is processed, data protection laws in countries where your Personal Data may be processed may not be equivalent to those in your home jurisdiction. You understand that the transfer of your Personal Data to these countries is necessary in order for us to assess your Application under the Program, and, where required by applicable laws, you hereby consent to its transfer.
    3. Where required by applicable laws, we will put in place additional safeguards to protect your Personal Data as it is transferred internationally. You may have the right to see a copy of these safeguards by contacting us using the information set out in Section 3 above.
  9. How do we secure your Personal Data?
    1. We attach great importance to the security of your Personal Data and we undertake to use commercially reasonable means to prevent any exposure or disclosure of your Personal Data. In particular, we implement and maintain appropriate measures (including administrative, physical, technical and organizational measures) to deal with unauthorized disclosure or exposure of your Personal Data. However, no method of communication over the Internet or method of electronic storage guarantees 100% security. Therefore, although we strive to use commercially acceptable technical and organizational means to protect your Personal Data, we cannot guarantee its absolute security.
  10. Your Rights with Regards to Your Personal Data
    1. You may have certain rights in respect of your Personal Data such as access to your Personal Data, as set out in Section 10.2 below, depending on applicable law. You can exercise these rights by submitting a request as explained in Section 3 above. If you contact us, we will handle your request in accordance with any applicable laws. In any case where we do not have a legal requirement to address your request, we will still endeavor to honor your request but this will be on a reasonable and voluntary basis.
    2. You may have in particular the following rights in respect of your Personal Data, depending on applicable law:
      • Right to access, update and delete your Personal Data.
      • Right of rectification if your Persona Data is inaccurate or incomplete.
      • Right to object to the processing of your Personal Data.
      • Right to limit the processing of your Personal Data.
      • Right to portability of your Personal Data, i.e. the right obtain a copy of your Personal Data in a structured, commonly used and machine-readable format.
      • Right to withdraw your consent at any time when the processing of your Personal Data is based on consent.
      • Right to complain to any competent data protection authority about the collection and use of your Personal Data, it being specified that we ask that you attempt to address any complaints with us in the first instance.
    3. We may ask you to prove your identity before responding to a request based on the above rights or otherwise related to your Personal Data. We may also rely on certain exemptions from the above rights, but will explain to you where we have done so. If your request is manifestly unfounded or excessive, we may refuse to comply with it, or we may charge you a reasonable fee for complying with it.
  11. Retention of Your Personal Data
    1. We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy. In some circumstances we may retain your Personal Data for longer periods of time, for instance where we are required to do so in accordance with legal, regulator, tax or accounting requirements.
    2. In specific circumstances we may also retain your Personal Data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your Personal Data or dealings.
    3. We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.
    4. We reserve the right to store data in an anonymized form after deletion of your Personal Data.
  12. Changes to this Privacy Policy
    1. We may change this Privacy Policy at any time, without prior notice. In such an event, you will be notified by a notice on the home page of our Web Portal. By continuing to access or use our Web Portal and if you submit an Application after the effective date of such change, you understand that your Personal Data will be processed in accordance with the updated Privacy Policy. If you do not agree to these changes, please do not submit the Application Form, including the Supporting Evidence Form.
    2. If we make material changes to our Privacy Policy whilst processing your Application, we will endeavor to inform you of those changes through our normal channels of communication with you.
    3. The new version of the Privacy Policy will be effective on the day of its publication, the date mentioned at the top of this Privacy Policy corresponding to the effective date.