The General Data Protection Regulation (GDPR) at Cigna

The introduction of the General Data Protection Regulation (GDPR) changes data protection law in Europe and mandates enhancements to existing data protection measures. We understand that you have chosen to work with us, in part, because of the protection we provide to you and your employees’ highly sensitive personal data. With this in mind, we are pleased to clarify our position on data protection and privacy matters.

Please note that this communication does not constitute legal advice and you should seek your own independent legal advice in relation to the matters covered by it.


The GDPR applies to:

  • Entities which are established in Europe; and
  • Entities which are established outside Europe but which process personal data in the context of one of their establishments in Europe.

When these entities collect and use personal data, they must comply with requirements of the GDPR. The GDPR also applies to entities established outside Europe if those entities offer goods or services to individuals within Europe, or monitor the behaviors of individuals in Europe.

A significant number of the products and services that the Cigna corporate group offers are impacted by the GDPR. For example, where a Cigna group company which is established in Europe offers an insurance product to a client which is also established in Europe, both the Cigna group company providing the product and its client must comply with the GDPR.

A large proportion of our products and services are not affected by the GDPR. Despite the GDPR's broad reach, Cigna group companies established outside Europe offer many 'domestic' products and services to their clients established in the same, or other non-European jurisdictions. For example, a Cigna group company established in the United States may contract with a client also established in the United States to provide insurance services to individuals based in the United States. In these circumstances, the GDPR is unlikely to apply to the processing of personal data by the Cigna group company in providing its services.

Some of the products and services provided by Cigna group companies established outside Europe to clients also established outside Europe involve the provision of insurance to individuals temporarily resident in Europe (these individuals are often referred to as 'ex-pats'). While we acknowledge that the ex-pats insured may be located within Europe, we do not consider that, in this context, the Cigna group company providing the insurance product offers goods or services to the ex-pat in Europe. Our view is that the product is offered on the basis of the ex-pat's primary location outside Europe. As a result and in general, the GDPR is not applicable to our processing of personal data to provide these products.

Based on the GDPR's applicability criteria, we do not consider that the services we provide to you fall within its scope.

Where we are not subject to the GDPR, we still comply with the data protection and privacy laws applicable in the jurisdictions in which we operate and take robust steps to protect the personal data we process. For example, the Cigna corporate group has adopted global standards for the technical and organisational measures we use to protect personal data. The security measures we put in place account for a number of factors including the state of the art, the nature, scope, context and purposes of our processing, and the risk our processing poses to individuals. The technical safeguards we apply are also aligned with industry standards.