ELAA INTERNATIONAL
PERSONAL DATA PROTECTION POLICY
Last updated: November 21, 2024
This personal data protection policy explains how ELAA INTERNATIONAL S.A.R.L collects, uses, shares, and protects your personal data in the course of its activities, including medical services, local and international assistance, consulting, and training, for clients located in Tunisia and internationally (Europe, United States, etc.).
We are committed to protecting your privacy in accordance with:
- Applicable Tunisian laws on personal data protection.
- The General Data Protection Regulation (GDPR) for our European clients.
- The Health Insurance Portability and Accountability Act (HIPAA) for activities involving medical data of American clients.
I. Guiding Principles
ELAA INTERNATIONAL S.A.R.L is committed to protecting the confidentiality and security of your personal data. Our data protection policy is based on the following principles:
- Data Minimization:
We only collect, process, and retain data strictly necessary for the determined, explicit, and legitimate purposes for which it is collected. We commit to:
- Limiting the types of data collected: We only gather information relevant to providing our services and meeting your needs.
- Regularly assessing data necessity: We periodically reevaluate the data we retain to ensure it remains necessary for the intended purposes.
- Deleting unnecessary data: We delete or anonymize data as soon as it is no longer needed.
- Transparency:
We are transparent about how we collect, use, and share your data. We inform you of:
- The purposes of processing: We clearly explain why we collect your data and how it will be used.
- The categories of data collected: We specify the types of personal data we collect (e.g., name, surname, email address, etc.).
- Data recipients: We indicate if your data is shared with third parties (e.g., our service providers).
- Your rights: We inform you of your data protection rights (access, rectification, erasure, etc.).
- Consent:
Your consent is freely given, specific, informed, and unambiguous. We will not process your personal data for purposes other than those for which you have given consent, unless authorized or required by law. We commit to:
- Obtaining explicit consent: We request your consent clearly and unambiguously before processing your data.
- Allowing withdrawal of consent: You have the right to withdraw your consent at any time.
- Security and Confidentiality:
We implement appropriate technical and organizational measures to ensure a level of security tailored to protect your personal data against unauthorized or unlawful processing, accidental loss, alteration, or destruction.
- Integrity and Availability:
We are committed to ensuring the integrity and availability of your data.
- Accountability:
We are responsible for the processing of your personal data and commit to demonstrating compliance with applicable regulations.
II. Data Collected by ELAA INTERNATIONAL S.A.R.L
At ELAA INTERNATIONAL S.A.R.L, we prioritize privacy and the protection of your personal data. In line with our commitments and applicable regulations, we ensure that we collect only the necessary and relevant information to achieve the specific objectives related to our services.
Why do we limit data collection?
We ensure that each piece of data collected serves a clearly defined purpose, whether to provide our services, respond to your requests, or comply with our legal and contractual obligations. This approach guarantees responsible use of your personal information and minimizes risks to your privacy.
What are the consequences of not providing data?
The essential nature of certain data means that failing to provide it may prevent:
- Effective handling of your requests or services.
- Implementation of contracted services.
- ELAA INTERNATIONAL S.A.R.L’s compliance with applicable regulations.
III. Types of Data Collected
The information we collect varies depending on your needs, the services requested, and the context of our interactions. It includes:
- Identity and Contact Data:
- Name, surname, date of birth.
- Postal address, phone number, email.
- ID number/document: ID card, passport, driver’s license, etc.
- Administrative and Contractual Data:
- Case or contract number.
- Contact details of relevant third parties (e.g., emergency contacts).
- Medical and Sensitive Data (subject to explicit consent):
In accordance with legal requirements and our data protection commitments, ELAA INTERNATIONAL S.A.R.L collects and processes only the medical and sensitive data strictly necessary to deliver the requested services. This data is collected with your explicit consent and in compliance with strict confidentiality standards.
Medical information that may be collected includes, but is not limited to:
- Diagnoses.
- Medical histories directly related to care.
- Medical reports.
- Hospitalization records.
- Clinical, biological, or radiological test results.
- Medical prescriptions or treatment protocols.
- Any other information essential for optimal service delivery.
This data is used exclusively for the purposes for which it was collected and is accessible only to authorized personnel bound by professional secrecy. You retain the right to withdraw your consent at any time, in accordance with applicable laws.
- Technical and Usage Data:
- IP address, browser or device characteristics, and other information collected via our website or applications.
- Information related to the use of our platforms (pages visited, actions taken, etc.).
- Data Specific to Particular Situations:
- Information required to respond to a quote request.
- Data collected in the context of assistance.
IV. Recording of Telephone Conversations
As part of its commitment to service quality and the protection of all concerned parties, ELAA INTERNATIONAL S.A.R.L may record or monitor certain telephone calls to its services.
Recordings are strictly accessible to authorized personnel, including employees from the training, quality, and legal departments, and are used only for the intended purposes. They are retained for a maximum of one year. In the event of a dispute or legal proceedings, this period may be extended until the resolution of the matter, including the exhaustion of legal remedies.
In accordance with applicable laws, you have the right to object to the recording of your calls, unless such recordings are necessary to comply with a legal or contractual obligation. You may also request information about the use of recordings concerning you by contacting our Data Protection Officer at: data.protection@elaa-international.com.
These recordings are made in strict compliance with applicable regulations and serve specific purposes related to improving service quality and protecting our legitimate interests, unless you expressly object. The data collected is treated confidentially and used for the following purposes:
- Continuous service improvement:
- Employee training and support: Analysis of interactions to identify best practices and areas for improvement.
- Customer satisfaction monitoring: Evaluation of customer satisfaction to adapt our offerings and processes.
- Security and compliance:
- Fraud and risk prevention: Detection and prevention of fraudulent or illegal activities.
- Legal and regulatory obligations: Retention of recordings to respond to requests from competent authorities.
- Dispute and complaint management:
- Evidence collection: Retention of recordings as evidence in case of disputes or complaints.
- Complaint resolution: Analysis of complaints to identify causes and implement corrective actions.
- Protection of individuals:
- Prevention of inappropriate behavior: Detection and prevention of abusive, harassing, or discriminatory conduct.
- Employee protection: Recording of exchanges to ensure employee safety in delicate situations.
V. Purposes of Processing
We collect and process your personal data to provide our services optimally and in compliance with applicable regulations. Specifically, your data is used for the following purposes:
- Execution of our services and delivery of requested services.
- Customer and contractual relationship management: Client follow-up, billing, collections, etc.
- Compliance with legal and regulatory obligations: We are required to retain certain data to comply with applicable laws.
- Continuous service improvement: Customer satisfaction analysis, etc.
- Information system security and fraud prevention.
VI. Legal Bases for Processing
Committed to protecting your personal data, ELAA INTERNATIONAL S.A.R.L processes your data in accordance with applicable regulations and the following principles:
- Performance of a pre-contractual obligation, contract, or requested service: Before concluding a contract or agreement for a service, certain data may be processed to organize or finalize the terms. Similarly, data processing is essential for the execution of a contract to which you are a party or for the provision of a specific service you have requested.
- Legal obligation: Processing is necessary to comply with a legal obligation to which ELAA INTERNATIONAL is subject.
- Legitimate interests: Processing is necessary for the legitimate interests pursued by ELAA INTERNATIONAL or a third party, provided these interests do not override your fundamental rights and freedoms (e.g., fraud prevention, service improvement, risk management).
- Consent: In some cases, we may seek your explicit consent. This consent is freely given and can be withdrawn at any time.
ELAA INTERNATIONAL S.A.R.L is committed to complying with the following regulations:
- Tunisian laws on personal data protection.
- General Data Protection Regulation (GDPR).
- Health Insurance Portability and Accountability Act (HIPAA).
VII. Data Sharing
The data collected by ELAA INTERNATIONAL S.A.R.L is intended for internal use and is strictly regulated. We share your personal information only in the following cases, always respecting legal requirements and our confidentiality commitments:
- With third-party providers for the execution of requested services:
We may share your data with professionals or entities involved in service delivery, such as:
- Doctors.
- Healthcare professionals: nurses, physiotherapists, etc.
- Medical laboratories.
- Radiology centers.
- Clinics, hospitals.
- Ambulance or transport companies.
- Airlines, air carriers.
- Towing or other logistics providers.
- With the client, requester, or payer of services:
In the context of service execution, we may share your data with third parties responsible for the request or payment, such as:
- Your insurance company.
- Your assistance company.
- Your employer or other contracting entity.
- To comply with legal obligations:
We may be required to share your data with judicial, regulatory, or administrative authorities in response to an official request or to comply with applicable laws.
- Principles Governing Data Sharing:
- Limited to what is strictly necessary: Shared information is restricted to what is required for service execution or legal compliance.
- Enhanced confidentiality: Data is accessible only to duly authorized individuals, subject to confidentiality or professional secrecy obligations.
VIII. Data Retention and Deletion
ELAA INTERNATIONAL S.A.R.L ensures that your personal data is retained only for the strictly necessary period, based on the purposes for which it was collected, while respecting legal requirements and best practices in data protection.
- Retention Periods:
Your data is retained for the following reasons and durations:
- Service execution: Data is retained for the duration necessary to deliver the requested services, including related administrative follow-ups.
- Legal obligations: Certain information must be retained for specific periods mandated by law (e.g., tax, accounting, or medical records).
- Deletion or Anonymization:
Once the retention period expires and in the absence of a legal or contractual need to retain the data, your data is:
- Securely deleted: Information is permanently erased to prevent unauthorized access.
- Anonymized: In some cases, data is anonymized for statistical or service improvement purposes, without the possibility of identifying you.
IX. Security and Compliance
ELAA INTERNATIONAL S.A.R.L implements rigorous technical and organizational security measures to protect your personal data throughout its retention period. These measures aim to prevent unauthorized access, loss, alteration, or misuse of your information.
- Protection Measures in Place:
- Encryption of sensitive data: Your sensitive information is protected by encryption technologies, making it unreadable to unauthorized third parties.
- Strict access control: Only authorized personnel, in line with their roles, can access data. Access is regularly reviewed and monitored to limit intrusion risks.
- Ongoing employee training: All staff receive regular training on cybersecurity, data management best practices, and data protection obligations.
- Proactive monitoring: We use monitoring tools and procedures to detect any breach attempts or suspicious activity, enabling rapid intervention.
- Limitations and Incident Response:
While we deploy all possible measures to secure your data, no system can be guaranteed as completely invulnerable. In the event of a confirmed breach affecting the confidentiality, integrity, or availability of your data:
- We promptly notify the competent authorities, as required by law.
- We inform affected users, providing clear details about the incident, impacted data, and measures taken to mitigate consequences.
ELAA INTERNATIONAL S.A.R.L is committed to maintaining high security standards and continuously improving in response to technological advancements and emerging threats. For any questions regarding your data security, contact us at data.protection@elaa-international.com.
X. User Rights
In accordance with applicable laws, you have several rights regarding your personal data. These rights allow you to maintain control over your information and ensure its use aligns with your expectations and needs.
- Right of access: You have the right to request confirmation of whether your personal data is being processed and, if so, to obtain a copy of the data in our possession, along with information about its processing (purposes, recipients, retention period, etc.).
- Right to rectification: If you find that your information is inaccurate or incomplete, you may request its update or correction.
- Right to erasure: Also known as the right to be forgotten, this right allows you to request the deletion of your personal data, within the limits set by law. For example, this right cannot be exercised if the data must be retained for legal, contractual, or regulatory reasons.
- Right to data portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format. You may also request its direct transmission to another provider, where technically feasible.
- Right to restriction of processing: You may request the temporary or permanent suspension of your data processing in certain situations, such as when contesting the accuracy of the data or if the processing is unlawful.
- Right to object: You have the right to object to the processing of your personal data when it is based on our legitimate interest or used for prospecting or profiling purposes, unless compelling legitimate grounds justify the processing.
These rights are designed to provide transparency and full control over your personal information. We are available for any questions or assistance regarding their exercise.
To exercise these rights, contact our Data Protection Officer (DPO) at: data.protection@elaa-international.com.
XI. Contact
Whether to exercise your rights (access, rectification, deletion, objection, etc.), report a potential breach, or obtain additional information about our privacy policy, we are here to assist you.
For any questions, requests, or concerns regarding the protection of your personal data, you may contact our Data Protection Officer (DPO), responsible for ensuring compliance with our personal data protection practices:
Data Protection Officer
ELAA INTERNATIONAL
Rue Tarek Ibn Zied, Trocadero, Centre Kraiem, 3ème étage
Sousse 4000, Tunisia
Email: data.protection@elaa-international.com.
We guarantee:
- Prompt and professional handling of your requests, within the timelines set by applicable regulations, typically within 30 days. In some cases, this period may be extended if the request is complex or requires additional verification.
- Clear and comprehensive responses to all your inquiries.
- Assistance in exercising your rights, including explanations of processes and measures implemented to protect your data.
For security and confidentiality reasons, we may request additional information to verify your identity before responding to certain requests.
XII. Policy Updates
This policy may be updated at any time to reflect regulatory or technological changes. The latest version will always be available on our website.