ICAS Luxembourg S.à.r.l. supports organizations through the promotion of the health and wellbeing of their employees, whilst at the same time improving productivity and reducing absence. We have been an Employee Assistance Program (EAP) provider since 1987 and today, we are one of the major global players in the sector. We are committed to ensuring your privacy and personal information is protected.
What is Data Protection Law?
Data protection law gives individuals certain rights about the way in which their personal data is processed. If organizations do not comply with data protection law, they may be subject to sanctions and penalties imposed by the national data protection authorities and the courts. When ICAS Luxembourg S.à.r.l. processes personal data, this activity and the personal data in question are covered and regulated by data protection law. The General Data Protection Regulation (“GDPR”) (EU) 2016/679 (“GDPR”) is a regulation in European Union law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU.
What does this mean for ICAS Luxembourg S.à.r.l.?
ICAS Luxembourg S.à.r.l. must take proper steps to ensure that it processes personal data in a safe and lawful manner. ICAS Luxembourg S.à.r.l. has therefore developed policies and procedures to ensure appropriate governance and compliance with such data privacy laws, including GDPR. Such framework shall apply to all personal data processing activities conducted by ICAS Schweiz AG, and its subsidiaries in Luxembourg, France, Germany, Austria and Italy.
Data Protection Principles
Below is the summary of basic data protection principles that ICAS Luxembourg S.à.r.l. must observe when it processes personal data.
Principle 1 – lawfulness of processing, fairness and transparency
- ICAS Luxembourg S.à.r.l. will ensure that all processing is carried out in accordance with applicable laws.
- ICAS Luxembourg S.à.r.l. will inform and explain to individuals, at the time when their personal data is collected, how their personal data will be processed.
Principle 2 – purpose limitation
- ICAS Luxembourg S.à.r.l. will only obtain and process personal data for those purposes which are known to the individual or which are within their expectations and are relevant to ICAS Luxembourg S.à.r.l..
- ICAS Luxembourg S.à.r.l. will only process personal data for specified, explicit and legitimate purposes and not further process that information in a manner that is incompatible with those purposes unless such further processing is consistent with the applicable law of the country in which the personal data was collected.
How do we collect your personal information?
We collect personal information directly from you:
- using our EAP services generally and which may be telephonically, via e-mail through the web, mobile or web applications, any other internet based application or in person;
- when you contract with ICAS Luxembourg S.à.r.l. to provide services on our behalf or where we agree to provide services on your behalf;
- via cookies;
- through feedback forms;
- via our telephone calls with you;
- when you provide your details to us either online or offline;
- when you respond to any job advertisement or are employed by ICAS Luxembourg S.à.r.l..
Principle 3 – accuracy
- ICAS Luxembourg S.à.r.l. will keep personal data accurate and up to date.
Principle 4 – data minimization
- ICAS Luxembourg S.à.r.l. will ensure that data collected and processed is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
What personal information do we collect?
As the data controller, joint data controller and/or data processor, ICAS Luxembourg S.à.r.l. may collect and process the following information about you:
- Sensitive personal information o details of your current or former physical or mental health;
- details regarding criminal offences, including alleged offences, criminal proceedings, court judgments, outcomes and sentences;
- details concerning sexual life or sexual orientation, for example marital status.
Principle 5 – limited retention of personal data
- ICAS Luxembourg S.à.r.l. will only keep personal data for as long as is necessary for the purposes for which it is collected and further processed and to comply with our legal and regulatory obligations. The time we retain your personal information for, will differ depending on the nature of the personal information and what we do with it. In some cases, such as if there is a dispute or a legal action we may be required to keep personal information for longer.
- No personal data will be kept after case closure. The anonymized case information will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
Principle 6 – security and confidentiality
- ICAS Luxembourg S.à.r.l. will implement appropriate technical and organizational measures to ensure a level of security of personal data that is appropriate to the risk for the rights and freedoms of the individuals.
- ICAS Luxembourg S.à.r.l. will ensure that providers of services to ICAS Luxembourg S.à.r.l. also adopt appropriate and equivalent security measures.
- ICAS Luxembourg S.à.r.l. will comply with data security breach notification requirements as required under applicable law.
- ICAS Luxembourg S.à.r.l. will ensure that information is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
How do we use your personal information?
We use your personal information to provide you with the services you require based on your situation. So, if you have a problem, we make sure the right network of providers and specialists are in place. However, there are many other reasons why we use your personal information.
Under data protection laws we need a reason to use and process your personal information and this is called a legal basis. We have set out below the main reasons why we process your personal information and the applicable circumstances when we will do so. When the personal information we process about you is classed as sensitive personal information (such as details about your health, sexual orientation or criminal offences) we must have an additional legal ground for such processing.
- Processing is necessary for us to provide you with the services you require, such as assessing your need and setting you up as a user of the services and communicating with you.
- Where we have a legal or regulatory obligation to use such personal information, for example, when our regulators, and our data protection regulator, the Data Protection Officer (DPO) wish us to maintain certain records of any dealings with you.
- Where we need to use your personal information to establish, exercise or defend our legal rights, for example when we are faced with any legal claims or where we want to pursue any legal claims ourselves.
- Where we need to use your personal information for reasons of substantial public interest, such as investigating fraudulent or criminal activities.
- In certain instances, you may elect to use our EAP services anonymously. However, where necessary we will ask for your consent in relation to processing your sensitive personal information (such as health data) such as where you are in a safety critical role. This will be made clear when you provide your personal information. We will ask for your consent and explain why it is necessary. Without your consent in these circumstances, we may not be able to provide you with you may not be able to benefit from some of our services.
- Where you provide sensitive personal information about a third party we will ask you to confirm that the third party has provided his or her consent.
- Where we have appropriate legitimate business need to use your personal information such as maintaining our business records, developing and improving our products and services, all whilst ensuring that such business need does not interfere with your rights and freedoms and does not cause you any harm.
- Where we need to use your sensitive personal information such as health data because it is necessary for your vital interests, this being a life or death matter.
Principle 7 – rights of individuals
- ICAS Luxembourg S.à.r.l. will adhere to the data subject rights procedure and will respond to any requests from individuals to access their personal data in accordance with applicable law.
- ICAS Luxembourg S.à.r.l. will also deal with requests to rectify or erase inaccurate or incomplete personal data, or to cease processing personal data in accordance with the data subject rights procedure.
|The right to access your personal information||You are entitled to a copy of the personal information we hold about you and certain details of how we use it. There will not usually be a charge for dealing with these requests. Your personal information will usually be provided to you in writing, unless otherwise requested, or where you have made the request by electronic means, in which case the information will be provided to you by electronic means where possible.|
|The right to rectification||We take reasonable steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, please contact us and you can ask us to update or amend it.|
|The right to erasure||In certain circumstances, you have the right to ask us to erase your personal information, for example where the personal information we collected is no longer necessary for the original purpose or where you withdraw your consent. However, this will need to be balanced against other factors, for example according to the type of personal information we hold about you and why we have collected it, there may be some legal and regulatory obligations which mean we cannot comply with your request. Please note that if you withdraw your consent we may not be able to provide you with the services you have requested.|
|Right to restriction of processing||In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to process your personal information.|
|Right to data portability||In certain circumstances, you have the right to ask that we transfer any personal information that you have provided to us to another third party of your choice. Once
transferred, the other party will be responsible for looking after your personal information.
|Right to object to direct marketing||You can ask us to stop sending you marketing messages at any time.|
|Right not to be subject to automated-decision making||None of our decisions are made automatically.|
|The right to withdraw consent||For certain uses of your personal information, we will ask for your consent. Where we do this, you have the right to withdraw your consent to further use of your personal information. Please note in some cases we may not be able to deliver the services you require if you withdraw your consent.|
|The right to lodge a complaint||You have a right to complain to the DPO at any time if you object to the way in which we use your personal information.
You can make any of the requests set out above using the contact details contained in the policy. Please note that in some cases we may not be able to comply with your request for reasons such as our own obligations to comply with other legal or regulatory requirements. However, we will always respond to any request you make and if we can’t comply with your request, we will tell you why.
In some circumstances exercising some of these rights (including the right to erasure, the right to restriction of processing and the right to withdraw consent) will mean we are unable to continue providing you the services you have selected and may therefore result in the cancellation thereof.
Please contact our Data Protection Officer (email@example.com) should you wish to make a Data Subject Request. Kindly note that we will require proof of identification (passport or identity card) in case of a request for access to your personal data to confirm that you are the Data Subject.
Principle 8 – ensuring adequate protection for trans-border transfers
- ICAS Luxembourg S.à.r.l. will not transfer personal data to third parties outside European Economic Area (“EEA”) without ensuring adequate protection.
Who do we share your personal information with?
Principle 9 – safeguarding the use of sensitive personal data
- ICAS Luxembourg S.à.r.l. will only process sensitive personal data where an individual elects to disclose same, alternatively where ICAS Luxembourg S.à.r.l. has a legitimate basis for doing so, consistent with the applicable law of the country in which the personal data was collected.
- Additional security measures and safeguards will be implemented to ensure that this sensitive personal data remains confidential and that it is deleted as soon as is reasonably possible.
Legally Binding Effect of This Policy
ICAS Luxembourg S.à.r.l. and its employees that process personal data must comply with, and respect, this Policy when processing personal data as a controller and / or processor, irrespective of the country in which they are located.
ICAS Luxembourg S.à.r.l. reserves the right to change, modify or update this Policy at any time. Please review it frequently for any update.
The data subject may, at any time, prevent the setting of cookies through our website by means of a corresponding setting of the Internet browser used, and may thus permanently deny the setting of cookies.
Furthermore, already set cookies may be deleted at any time via an Internet browser or other software programs. This is possible in all popular Internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be entirely usable.
Collection of general data and information
The website of the ICAS Luxembourg S.à.r.l. collects a series of general data and information when a data subject or automated system calls up the website. This general data and information are stored in the server log files. Collected may be (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites, (5) the date and time of access to the Internet site, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) any other similar data and information that may be used in the event of attacks on our information technology systems.
When using these general data and information, the ICAS Luxembourg S.à.r.l. does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimize the content of our website as well as its advertisement, (3) ensure the long-term viability of our information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, the ICAS Luxembourg S.à.r.l. analyzes anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
Contact possibility via the website
The website of the ICAS Luxembourg S.à.r.l. contains information that enables a quick electronic contact to our enterprise, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts the controller by e-mail or via a contact form, the personal data transmitted by the data subject are automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the data controller are stored for the purpose of processing or contacting the data subject. There is no transfer of this personal data to third parties.
Data protection provisions about the application and use of Google Analytics (with anonymization function)
On this website, the controller has integrated the component of Google Analytics (with the anonymizer function). Google Analytics is a web analytics service. Web analytics is the collection, gathering, and analysis of data about the behavior of visitors to websites. A web analysis service collects, inter alia, data about the website from which a person has come (the so-called referrer), which sub-pages were visited, or how often and for what duration a sub-page was viewed. Web analytics are mainly used for the optimization of a website and in order to carry out a cost-benefit analysis of Internet advertising.
The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.
For the web analytics through Google Analytics the controller uses the application “_gat. _anonymizeIp”. By means of this application the IP address of the Internet connection of the data subject is abridged by Google and anonymised when accessing our websites from a Member State of the European Union or another Contracting State to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyze the traffic on our website. Google uses the collected data and information, inter alia, to evaluate the use of our website and to provide online reports, which show the activities on our websites, and to provide other services concerning the use of our Internet site for us.
Google Analytics places a cookie on the information technology system of the data subject. The definition of cookies is explained above. With the setting of the cookie, Google is enabled to analyze the use of our website.
The data subject may, as stated above, prevent the setting of cookies through our website at any time by means of a corresponding adjustment of the web browser used and thus permanently deny the setting of cookies. Such an adjustment to the Internet browser used would also prevent Google Analytics from setting a cookie on the information technology system of the data subject. In addition, cookies already in use by Google Analytics may be deleted at any time via a web browser or other software programs.
Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.com/intl/en/policies/privacy/ and under http://www.google.com/analytics/terms/us.html. Google Analytics is further explained under the following Link https://www.google.com/analytics/.
Data protection provisions about the application and use of Google-AdWords
On this website, the controller has integrated Google AdWords. Google AdWords is a service for Internet advertising that allows the advertiser to place ads in Google search engine results and the Google advertising network. Google AdWords allows an advertiser to pre-define specific keywords with the help of which an ad on Google’s search results only then displayed, when the user utilizes the search engine to retrieve a keyword-relevant search result. In the Google Advertising Network, the ads are distributed on relevant web pages using an automatic algorithm, taking into account the previously defined keywords.
The operating company of Google AdWords is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, UNITED STATES.
The purpose of Google AdWords is the promotion of our website by the inclusion of relevant advertising on the websites of third parties and in the search engine results of the search engine Google and an insertion of third-party advertising on our website.
If a data subject reaches our website via a Google ad, a conversion cookie is filed on the information technology system of the data subject through Google. The definition of cookies is explained above. A conversion cookie loses its validity after 30 days and is not used to identify the data subject. If the cookie has not expired, the conversion cookie is used to check whether certain sub-pages, e.g, the shopping cart from an online shop system, were called up on our website. Through the conversion cookie, both Google and the controller can understand whether a person who reached an AdWords ad on our website generated sales, that is, executed or canceled a sale of goods.
The data and information collected through the use of the conversion cookie is used by Google to create visit statistics for our website. These visit statistics are used in order to determine the total number of users who have been served through AdWords ads to ascertain the success or failure of each AdWords ad and to optimize our AdWords ads in the future. Neither our company nor other Google AdWords advertisers receive information from Google that could identify the data subject.
The conversion cookie stores personal information, e.g. the Internet pages visited by the data subject. Each time we visit our Internet pages, personal data, including the IP address of the Internet access used by the data subject, is transmitted to Google in the United States of America. These personal data are stored by Google in the United States of America. Google may pass these personal data collected through the technical procedure to third parties.
The data subject may, at any time, prevent the setting of cookies by our website, as stated above, by means of a corresponding setting of the Internet browser used and thus permanently deny the setting of cookies.
Such a setting of the Internet browser used would also prevent Google from placing a conversion cookie on the information technology system of the data subject. In addition, a cookie set by Google AdWords may be deleted at any time via the Internet browser or other software programs.
The data subject has a possibility of objecting to the interest based advertisement of Google. Therefore, the data subject must access from each of the browsers in use the link www.google.de/settings/ads and set the desired settings.
Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.com/intl/en/policies/privacy/.
Data protection provisions about the application and use of YouTube
On this website, the controller has integrated components of YouTube. YouTube is an Internet video portal that enables video publishers to set video clips and other users free of charge, which also provides free viewing, review and commenting on them. YouTube allows you to publish all kinds of videos, so you can access both full movies and TV broadcasts, as well as music videos, trailers, and videos made by users via the Internet portal.
The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, UNITED STATES. The YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, UNITED STATES.
With each call-up to one of the individual pages of this Internet site, which is operated by the controller and on which a YouTube component (YouTube video) was integrated, the Internet browser on the information technology system of the data subject is automatically prompted to download a display of the corresponding YouTube component. Further information about YouTube may be obtained under https://www.youtube.com/yt/about/en/. During the course of this technical procedure, YouTube and Google gain knowledge of what specific sub-page of our website was visited by the data subject.
If the data subject is logged in on YouTube, YouTube recognizes with each call-up to a sub-page that contains a YouTube video, which specific sub-page of our Internet site was visited by the data subject. This information is collected by YouTube and Google and assigned to the respective YouTube account of the data subject.
YouTube and Google will receive information through the YouTube component that the data subject has visited our website, if the data subject at the time of the call to our website is logged in on YouTube; this occurs regardless of whether the person clicks on a YouTube video or not. If such a transmission of this information to YouTube and Google is not desirable for the data subject, the delivery may be prevented if the data subject logs off from their own YouTube account before a call-up to our website is made.
YouTube’s data protection provisions, available at https://www.google.com/intl/en/policies/privacy/, provide information about the collection, processing and use of personal data by YouTube and Google.
Contact Details of DPO
If you have any questions regarding the provisions of this Policy, your rights under this Policy or any other data protection issues, you can contact ICAS Luxembourg S.à.r.l. Data Privacy Officer at the address below who will either deal with the matter or forward it to the appropriate person or department within ICAS Luxembourg S.à.r.l..
Data Protection Officer
ICAS Deutschland GmbH
D-60322 Frankfurt a.M.
To log a Data Subject Access Request, please use our online form.
Privacy settingsChange privacy settings