|
|
Line 70: |
Line 70: |
| ==English Machine Translation of the Decision== | | ==English Machine Translation of the Decision== |
| The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details. | | The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details. |
|
| |
| <pre>
| |
|
| |
| Search engine according to GDPR
| |
| +
| |
| -
| |
| Date: December 9th, 2020
| |
| Title: Transmission of medical reports to the insurance company
| |
| Number: 07121-1 / 2020/2187
| |
| Subject matter: Legal basis, Obtaining OPs from collections, Insurance, Medical personal data
| |
| Legal act: Opinion
| |
|
| |
| The Information Commissioner (hereinafter IP) has received your request for an opinion on the justification of providing sensitive personal data (medical records) of your subjects to the insurance company on the basis of a cooperation agreement in the field of specialist medical examinations. You state that the insurance company refers to Article 268 of the Insurance Act and Article 9 of the General Regulation on Data Protection. You point out that these are check-ups that you do because an individual has insured themselves for faster access to health services from the specialist doctors who belong to them if they receive a referral. In a medical institution, e.g. with you, this inspection is ordered and paid for by the insurance company, and for this purpose the said contract is concluded.
| |
|
| |
|
| |
| You state that the eighth paragraph of the Insurance Act in point 6 really explicitly allows the insurance company to obtain medical documentation from the health care provider, but you believe that the third paragraph of Article 268 of the Insurance Act limits this to cases where the scope is appropriate and necessary to achieve the purposes of processing. You estimate that this is not necessary for your participation. In your opinion, the insurance company should obtain written permission from the insured in advance in order to be able to obtain his medical records directly from the medical institution for specific purposes, and that the insurance company should provide this permission to the medical institution when requesting medical records. In addition, you consider that it is necessary for the insurance company to justify in the contract in which cases this is absolutely necessary depending on the purpose of use.
| |
|
| |
|
| |
| You suggest that IP give opinions specifically for:
| |
|
| |
| insurance for faster access to a specialist,
| |
| damage insurance - for the purpose of compensation,
| |
| medical examination before taking out life insurance - for the purpose of proving that the insured does not take out insurance after having already received a poor diagnosis,
| |
|
| |
|
| |
| On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (General Regulation on Data Protection, hereinafter General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1 ) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion regarding your questions.
| |
|
| |
|
| |
| We emphasize at the outset that the IP cannot assess specific processing of personal data outside the inspection procedure or other administrative procedure. This means that the IP cannot decide in the context of issuing an opinion whether the conditions for the transfer of personal data are met in a particular case, but can only point out the relevant legal basis and the conditions that must be met for a particular transfer to be lawful. However, a concrete assessment can or must be performed exclusively by the personal data controller.
| |
|
| |
|
| |
| IP clarifies that the controller must have a for any processing of personal data, ie, inter alia, for their disclosure through the transmission, dissemination or other provision of access legal and appropriate legal basis . These are set out in Article 6 (1) of the General Regulation, and in the case of the processing of specific types of personal data, including health data, another of the conditions set out in Article 9 (2) of the General Regulation must be met. In accordance with point (c) of Article 6 (1) of the General Regulation, processing is lawful if it is necessary to fulfill a legal obligation to which the controller is subject. However, under Article 9 (2) (h) of the General Regulation, the prohibition on processing specific types of personal data does not apply in principle if the processing is necessary for the purposes of preventive or occupational medicine, assessment of the employee's working capacity, medical diagnosis, provision of medical or social care or treatment. management of health or social care systems and services under Union law or the law of a Member State or under a contract with a healthcare professional and subject to the conditions and safeguards referred to in paragraph 3.
| |
|
| |
|
| |
| IP emphasizes that it is sufficient for the lawfulness of the processing that one of the separate legal bases set out in Article 6 (1) in conjunction with Article 9 (2) of the General Regulation is met. This means that if the controller processes personal data e.g. by law, he is not obliged to obtain consent for this information.
| |
|
| |
|
| |
| The legal basis for the transmission of personal data to an insurance company in terms of the above provisions of the General Decree is given in Article 286 of the Insurance Act (Official Gazette of the Republic of Slovenia, nos. 93/15, 9/19 and 102/20; hereinafter ZZavar-1).
| |
|
| |
|
| |
| The insurance company is entitled to obtain relevant medical documentation relating to the insured or the beneficiary from the insurance, if this documentation is necessary for concluding and implementing insurance contracts, recovery of unpaid liabilities from insurance contracts, settlement of claims, enforcement of claims and other rights and obligations, including the investigation of suspicious cases of unduly paid compensation or insurance benefits arising from insurance under this Act, and verification of political exposure of persons under the Act governing the prevention of money laundering and terrorist financing (third paragraph of Article 268 ZZavar-1).
| |
|
| |
|
| |
| The sixth paragraph of Article 268 of ZZavar-1 states that the insurance company may collect the following personal data, taking into account the purpose of data processing:
| |
|
| |
|
| |
| personal name, sex, date and place of birth, permanent and temporary residence or permanent and temporary address abroad, address for service, date of death, tax number, type and number of personal document of the insured and injured party for whom insurance coverage and compensation is established or insurance;
| |
| on previous insurance cases to the extent referred to in the previous paragraph and information on the relevant health status of the insured and the injured party, including the provision of medical services, previous injuries and medical condition, type of bodily injuries, duration of treatment and consequences for the injured party and policyholder ;
| |
| income of the insured and the injured party and employment;
| |
| retirement (regular and disability), retraining and disability rates of the insured and the injured party;
| |
| costs for medical care, medicines and medical devices of the insured and the injured party;
| |
| entitlement to cover the difference to the full value of health services under the law governing health insurance from the budget of the Republic of Slovenia;
| |
| driving license data;
| |
| historical data on the history of the subject of insurance.
| |
|
| |
|
| |
| As a rule, the documentation is provided in the form of a copy by the insured or the beneficiary, but the insurance company can also obtain it directly from the healthcare provider (point 6 of the eighth paragraph of Article 268 of ZZavar-1).
| |
|
| |
|
| |
| The insurance company is therefore entitled, inter alia, to the documentation required for:
| |
|
| |
| taking out insurance, e.g. in the case of a medical examination before taking out life insurance,
| |
| deciding on an insurance claim, e.g. in the case of a claim for damages based on damage insurance,
| |
| to perform an insurance contract, e.g. in certain circumstances, perhaps also to conclude an insurance case under insurance for faster access to a specialist.
| |
|
| |
|
| |
| As you correctly pointed out in the request, the third paragraph of Article 268 of ZZavar-1 is limited to cases when the scope of the submitted data is appropriate and necessary for the realization of the purposes of processing. This is in line with the general principle of minimum data , according to which personal data must be relevant, relevant and limited to what is necessary for the purposes for which they are processed (Article 5 (1) (c) of the General Regulation). However, IP cannot comment on the question of whether it is necessary and appropriate in a specific case for the insurance company to require you, as a co-contractor, to submit the medical records of the examinees on the basis of a cooperation agreement in the field of performing specialist medical examinations.
| |
|
| |
|
| |
| Given that the statutory provision of Article 268 of ZZavar-1, which provides the insurance company with a basis for obtaining data, is relatively open, we suggest that you seek additional clarification regarding the legal basis and purpose of processing and a more detailed justification of the required medical reports. to the insurance company.
| |
|
| |
|
| |
| Greetings,
| |
|
| |
|
| |
| Mojca Prelesnik, B.Sc. dipl. right,
| |
|
| |
| Information Commissioner
| |
|
| |
|
| |
|
| |
| Prepared by:
| |
|
| |
| Tina Ivanc, B.Sc. dipl. prav.,
| |
| IP data protection consultant
| |
|
| |
|
| |
|
| |
| </pre>
| |
The Slovenian DPA issued an opinion on the case of an employee participation in the production of a company's video greeting card under article 6 (1) and 4 (11) of the GDPR.
English Summary
Facts
A company’s director decides to prepare and send by e-mail to the clients a video greeting card. The video should be recorded by the workers at home under mandatory participation. The authority was requested to decide upon the legality of the director’s decision and upon the lawfulness of the processing of the workers’ personal data.
Dispute
Can the employer process employee’s personal data under the legal base of consent of article 6 (1) GDPR?
Holding
The Slovenian DPA finds itself competent of deciding upon the legal basis and the conditions of a lawful processing. Article 6 (1) GDPR provides the conditions of lawful processing. Slovenia’s national legislation provides that employees’ personal data can be processed only if this is determined by law, or if it is necessary for the exercise of rights and obligations arising from the employment relationship or are related to the employment relationship. Due to the inequality of power in the employment relationship and for the protection of the employee, the processing is only possible in exceptional cases and provided that the individual can refuse consent. The consent of article 4 (11) GDPR will suffice only if it is voluntary, specific, informed and unambiguous. The participation at the greeting video is only possible under voluntary consent, which means only if the employee can refuse without negative consequences.
Share your comments here!
English Machine Translation of the Decision
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.