| --></div></div><div class="page pr"><div class="row"><article class="c9"><!--TYPO3SEARCH_begin--><header class="pr"><h1> Search engine according to GDPR</h1> </header><!-- CONTENT ELEMENT, uid:2320/list [begin] --><div id="c2320" class="csc-frame csc-frame-default"><!-- Plugin inserted: [begin] --><div><div> <b>Date:</b> 09.12.2020</div><div> <b>Title:</b> Transmission of medical reports to the insurance company</div><div> <b>Number:</b> 07121-1 / 2020/2187</div><div> <b>Subject matter:</b> Legal basis, Obtaining OPs from collections, Insurance, Medical personal data</div><div> <b>Legal act:</b> Opinion</div></div><br><div><p class="bodytext"> <em>The Information Commissioner (hereinafter IP) has 
received your request for an opinion on the justification of providing sensitive personal data (medical records) of your subjects to the insurance company on the basis of a cooperation agreement in the field of specialist medical examinations. You state that the insurance company refers to Article 268 of the Insurance Act and Article 9 of the General Regulation on Data Protection. You point out that these are check-ups that you carry out because an individual has taken out insurance for faster access to health services with specialist doctors, to which he is entitled if he gets a referral. In a medical institution, e.g. yours, this examination is ordered and paid for by the insurance company, and the said contract is concluded for this purpose.</em></p><p class="bodytext"></p><p class="bodytext"> <em>You state that point 6 of the eighth paragraph of the Insurance Act does explicitly allow the insurance company to obtain medical documentation from the health care provider, but you believe that the third paragraph of Article 268 of the Insurance Act limits this to cases where the scope is appropriate and necessary to achieve the purposes of processing. You consider that this is not necessary for your cooperation. In your opinion, the insurance company should obtain written permission from the policyholder in advance in order to obtain his medical records directly from the medical institution for specific purposes, and should provide this permission to the medical institution when requesting medical records. 
In addition, you consider that it is necessary for the insurance company to justify in the contract in which cases this is absolutely necessary depending on the purpose of use.</em></p><p class="bodytext"></p><p class="bodytext"> <em>You suggest that IP give opinions specifically for:</em></p><ul><li> <em>insurance for faster access to a specialist,</em></li><li> <em>damage insurance - for the purpose of compensation,</em></li><li> <em>medical examination before taking out life insurance - for the purpose of proving that the insured does not take out insurance after having already received a poor diagnosis,</em></li></ul><p class="bodytext"></p><p class="bodytext"> On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation on Data Protection, hereinafter General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion regarding your questions.</p><p class="bodytext"></p><p class="bodytext"> We emphasize at the outset that the IP cannot assess specific processing of personal data outside the inspection procedure or other administrative procedure. This means that the IP cannot decide in the context of issuing an opinion whether the conditions for the transfer of personal data are met in a particular case, but can only point out the relevant legal basis and the conditions that must be met for a particular transfer to be lawful. 
The concrete assessment, however, can and must be performed exclusively by the personal data controller.</p><p class="bodytext"></p><p class="bodytext"> IP clarifies that the controller must have a <strong>lawful and appropriate legal basis</strong> for any processing of personal data, i.e., inter alia, for their disclosure through transmission, dissemination or other provision of access. The legal bases are set out in Article 6 (1) of the General Regulation, and in the case of the processing of special categories of personal data, including health data, one of the conditions set out in Article 9 (2) of the General Regulation must also be met. In accordance with point (c) of Article 6 (1) of the General Regulation, processing is lawful if it is necessary to fulfill a legal obligation to which the controller is subject. Under Article 9 (2) (h) of the General Regulation, the prohibition on the processing of special categories of personal data does not apply in principle if the processing is necessary for the purposes of preventive or occupational medicine, assessment of the employee's working capacity, medical diagnosis, provision of medical or social care or treatment, or the management of health or social care systems and services under Union law or the law of a Member State or under a contract with a healthcare professional and subject to the conditions and safeguards referred to in paragraph 3.</p><p class="bodytext"></p><p class="bodytext"> IP emphasizes that it is sufficient for the lawfulness of the processing that one of the separate legal bases set out in Article 6 (1) in conjunction with Article 9 (2) of the General Regulation is met. This means that if the controller processes personal data e.g. 
by law, he is not obliged to obtain consent for this information.</p><p class="bodytext"></p><p class="bodytext"> The legal basis for the transmission of personal data to an insurance company in terms of the above provisions of the General Regulation is given in <strong>Article 286 of the Insurance Act</strong> (Official Gazette of the Republic of Slovenia, nos. 93/15, 9/19 and 102/20; hereinafter ZZavar-1).</p><p class="bodytext"></p><p class="bodytext"> The insurance company is entitled to obtain relevant medical documentation relating to the insured or the beneficiary under the insurance, if this documentation is necessary for concluding and implementing insurance contracts, recovery of unpaid liabilities from insurance contracts, settlement of claims, enforcement of claims and other rights and obligations, including the investigation of suspicious cases of unduly paid compensation or insurance benefits arising from insurance under this Act, and verification of political exposure of persons under the Act governing the prevention of money laundering and terrorist financing (third paragraph of Article 268 ZZavar-1).</p><p class="bodytext"></p><p class="bodytext"> The sixth paragraph of Article 268 of ZZavar-1 states that the insurance company may collect the following personal data, taking into account the purpose of data processing:</p><p class="bodytext"></p><ul><li> personal name, sex, date and place of birth, permanent and temporary residence or permanent and temporary address abroad, address for service, date of death, tax number, type and number of personal document of the insured and injured party for whom insurance coverage and compensation is established or insurance;</li><li> on previous insurance cases to the extent referred to in the previous paragraph and <strong>information on the relevant health condition of the insured and the injured party, including the provision of medical services, previous injuries and medical condition, type of bodily injuries, 
duration of treatment and consequences for the injured party and policyholder</strong>;</li><li> income of the insured and the injured party and employment;</li><li> retirement (regular and disability), retraining and disability rates of the insured and the injured party;</li><li> costs for medical care, medicines and medical devices of the insured and the injured party;</li><li> entitlement to cover the difference to the full value of health services under the law governing health insurance from the budget of the Republic of Slovenia;</li><li> driving license data;</li><li> historical data on the history of the subject of insurance.</li></ul><p class="bodytext"></p><p class="bodytext"> As a rule, the documentation is provided in the form of a copy by the insured or the beneficiary, but the insurance company can also obtain it directly from the healthcare provider (point 6 of the eighth paragraph of Article 268 of ZZavar-1).</p><p class="bodytext"></p><p class="bodytext"> The insurance company is therefore entitled, inter alia, to the documentation required for:</p><ul><li> taking out insurance, e.g. in the case of a medical examination before taking out life insurance,</li><li> deciding on an insurance claim, e.g. in the case of a claim for damages based on damage insurance,</li><li> performing an insurance contract, e.g. in certain circumstances, perhaps also concluding an insurance case under insurance for faster access to a specialist.</li></ul><p class="bodytext"></p><p class="bodytext"> As you correctly pointed out in the request, the third paragraph of Article 268 of ZZavar-1 limits this entitlement to cases where the scope of the submitted data is appropriate and necessary for the realization of the purposes of processing. 
This is in line with the general principle of <strong>data minimisation</strong>, according to which personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (Article 5 (1) (c) of the General Regulation). However, IP cannot comment on the question of whether it is necessary and appropriate in a specific case for the insurance company to require you, as a co-contractor, to submit the medical records of the examinees on the basis of a cooperation agreement in the field of performing specialist medical examinations.</p><p class="bodytext"></p><p class="bodytext"> Given that the statutory provision of Article 268 of ZZavar-1, which provides the insurance company with a basis for obtaining data, is relatively open, we suggest that you ask the insurance company for additional clarification regarding the legal basis and purpose of processing and for a more detailed justification of the required medical reports.</p><p class="bodytext"></p><p class="bodytext"></p><p class="bodytext"> Greetings,</p><p class="bodytext"></p><p class="bodytext"> Mojca Prelesnik, B.Sc. dipl. right,</p><p class="bodytext"> Information Commissioner</p><p class="bodytext"></p><p class="bodytext"></p><p class="bodytext"> Prepared by:</p><p class="bodytext"> Tina Ivanc, B.Sc. dipl. 
right,<br /> IP data protection consultant</p><p class="bodytext"></p><p class="bodytext"></p></div><!-- Plugin inserted: [end] --></div><!-- CONTENT ELEMENT, uid:2320/list [end] --><!--TYPO3SEARCH_end--></article></div></div></div></body></html>
| |