Persónuvernd - 2020051637: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo=LogoIS.png |DPA_Abbrevation=Persónuvernd |DPA_With_Country=Persónuvernd (Iceland) |Case_Number_Name=20200516...")
 
No edit summary
Line 48: Line 48:
}}
}}


The DPA decided that the processing of personal data by Sjúkratryggingar Íslands in connection with the collection of data by Sjúkratryggingar regarding an application for reimbursement of foreign medical expenses took place in accordance with the Act on Personal Data Protection and the Processing of Personal Data.
The Icelandic DPA (Persónuvernd) decided that the processing of personal data by Sjúkratryggingar Íslands in connection with the collection of data by Sjúkratryggingar regarding an application for reimbursement of foreign medical expenses took place in accordance with the Act on Personal Data Protection and the Processing of Personal Data.


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
The DPA received a complaint over the request of Sjúkratryggingar Íslands (hereinafter Sjúkratryggingar) for a copy of the complainant's airline tickets for her application for reimbursement of foreign medical expenses. The complainant stated that Sjúkratryggingar's claim does not comply with the law.  
The DPA received a complaint over the request of Sjúkratryggingar Íslands (hereinafter Sjúkratryggingar) for a copy of the complainant's airline tickets for her application for reimbursement of foreign medical expenses. The complainant stated that Sjúkratryggingar's claim does not comply with the law.  


Sjúkratryggingar stated that the institution's authorization to process personal information in connection with the registered person's case is based on point 3. Paragraph 1 Article 9 Act no. 90/2018, where the processing is necessary to fulfill the legal obligation that rests on the institution according to Art. a laga nr. 112/2008 on health insurance and Regulation no. 484/2016 on health services applied for within the member state of the EEA Agreement but which can be provided in Iceland and on the role of a national contact person for cross-border health services.
Sjúkratryggingar stated that the institution's authorization to process personal information in connection with the registered person's case is based on point 3. Paragraph 1 Article 9 Act no. 90/2018, where the processing is necessary to fulfill the legal obligation that rests on the institution according to Art. a laga nr. 112/2008 on health insurance and Regulation no. 484/2016 on health services applied for within the member state of the EEA Agreement but which can be provided in Iceland and on the role of a national contact person for cross-border health services.


=== Dispute ===
===Dispute===
Is the processing of personal data by Sjúkratryggingar Íslands  legal?
Is the processing of personal data by Sjúkratryggingar Íslands  legal?


=== Holding ===
===Holding===
The DPA considered the acquisition of airline tickets for the purpose of demonstrating the length of the applicant's stay in a foreign country can be considered necessary in connection with the statutory implementation of Sjúkratryggingar's projects.
The DPA considered the acquisition of airline tickets for the purpose of demonstrating the length of the applicant's stay in a foreign country can be considered necessary in connection with the statutory implementation of Sjúkratryggingar's projects.


The DPA concluded that Sjúkratryggingar's collection of personal information about the complainant, which consisted of obtaining a copy of her flight tickets, can be based on the authorization in point 5. Article 9 Act no. 90/2018 and Article 6 of the GDPR.
The DPA concluded that Sjúkratryggingar's collection of personal information about the complainant, which consisted of obtaining a copy of her flight tickets, can be based on the authorization in point 5. Article 9 Act no. 90/2018 and Article 6 of the GDPR.


== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.



Revision as of 09:31, 3 March 2021

Persónuvernd - 2020051637
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 6 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published:
Fine: None
Parties: n/a
National Case Number/Name: 2020051637
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA (Persónuvernd) decided that the processing of personal data by Sjúkratryggingar Íslands in connection with the collection of data by Sjúkratryggingar regarding an application for reimbursement of foreign medical expenses took place in accordance with the Act on Personal Data Protection and the Processing of Personal Data.

English Summary

Facts

The DPA received a complaint over the request of Sjúkratryggingar Íslands (hereinafter Sjúkratryggingar) for a copy of the complainant's airline tickets for her application for reimbursement of foreign medical expenses. The complainant stated that Sjúkratryggingar's claim does not comply with the law.

Sjúkratryggingar stated that the institution's authorization to process personal information in connection with the registered person's case is based on point 3. Paragraph 1 Article 9 Act no. 90/2018, where the processing is necessary to fulfill the legal obligation that rests on the institution according to Art. a laga nr. 112/2008 on health insurance and Regulation no. 484/2016 on health services applied for within the member state of the EEA Agreement but which can be provided in Iceland and on the role of a national contact person for cross-border health services.

Dispute

Is the processing of personal data by Sjúkratryggingar Íslands legal?

Holding

The DPA considered the acquisition of airline tickets for the purpose of demonstrating the length of the applicant's stay in a foreign country can be considered necessary in connection with the statutory implementation of Sjúkratryggingar's projects.

The DPA concluded that Sjúkratryggingar's collection of personal information about the complainant, which consisted of obtaining a copy of her flight tickets, can be based on the authorization in point 5. Article 9 Act no. 90/2018 and Article 6 of the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Sjúkratryggingar Íslands
Case no. 2020051637
19.2.2021
The Data Protection Authority has ruled in a case where a complaint was made about the processing of personal information by Sjúkratryggingar Íslands in connection with the collection of data by Sjúkratryggingar regarding an application for reimbursement of foreign medical expenses. The ruling concludes that the processing and use of personal data is in accordance with the Act on Personal Data Protection and the Processing of Personal Data.

Ruling

On 4 February 2021, the Data Protection Authority issued a ruling in case no. 2020051637:

I.
Procedure

1.
Complaint and procedure
On 14 May 2020, the Data Protection Authority received a complaint from [A] (hereinafter referred to as the complainant), dated 12 May 2020, over the request of Sjúkratryggingar Íslands (hereinafter Sjúkratryggingar) for a copy of the complainant's tickets for her application for reimbursement of foreign medical expenses.

By letter dated On 2 October 2020, Sjúkratryggingar was invited to submit explanations regarding the complaint. The answer was by letter dated. November 18, 2020.

By letter dated On 23 November 2020, the complainant was given an opportunity to comment on the views of Sjúkratryggingar. Comments were received by letter of the day. December 1, 2020.

All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.

2.
The complainant's views
The complainant states that Sjúkratryggingar's claim for a copy of airline tickets due to an application for reimbursement of medical expenses abroad does not comply with the law. She also says that the flight tickets are neither proof nor confirmation that she has arrived in Iceland, where flight tickets can be changed and canceled. All documents on her case, including acknowledgment and confirmation that she had to seek medication and medical assistance abroad, are available from Sjúkratryggingar and she has informed the staff of the institution that it is not necessary to require her to copy a flight ticket for the application for refund. The complainant also doubts that Sjúkratryggingar can claim that the person applying for reimbursement of medical expenses abroad must have come to Iceland to receive the reimbursement.

3.
The views of Sjúkratryggingar Íslands
Sjúkratryggingar states that the institution's authorization to process personal information in connection with the registered person's case is based on point 3. Paragraph 1 Article 9 Act no. 90/2018, where the processing is necessary to fulfill the legal obligation that rests on the institution according to Art. a laga nr. 112/2008 on health insurance and Regulation no. 484/2016 on health services applied for within the member state of the EEA Agreement but which can be provided in Iceland and on the role of a national contact person for cross-border health services. The basis for Sjúkratryggingar's co-payment according to Article 23. a laga nr. 112/2008 is that an individual is covered by health insurance in this country and has been so for at least the last six months before compensation is requested from health insurance, cf. Article 10 of the Act. According to the provision, Sjúkratryggingar determined e.g. whether an individual is considered health insured in this country. Consequently, the institution requests the necessary documents to be able to make that decision and to assess the rights of individuals according to Art. Act no. 112/2008. The institution should investigate whether there was a temporary stay when the cost (entitlement payment) was incurred, ie. whether an individual has been abroad temporarily and whether he / she has been a permanent resident of this country. In the second paragraph. Article 34 Act no. 112/2008 states that applicants are obliged to provide the institution with all necessary information in order to be able to make a decision on the right to benefits, the amount and payment of benefits and their review. The institution should investigate whether there was a temporary stay when the cost (entitlement payment) was incurred, ie. whether an individual has been abroad temporarily and whether he / she has been a permanent resident of this country. In the second paragraph. Article 34 Act no. 112/2008 states that applicants are obliged to provide the institution with all necessary information in order to be able to make a decision on the right to benefits, the amount and payment of benefits and their review. The institution should investigate whether there was a temporary stay when the cost (entitlement payment) was incurred, ie. whether an individual has been abroad temporarily and whether he / she has been a permanent resident of this country. In the second paragraph. Article 34 Act no. 112/2008 states that applicants are obliged to provide the institution with all necessary information in order to be able to make a decision on the right to benefits, the amount and payment of benefits and their review.

In order for the institution to be able to confirm that the conditions in question are met, it is a requirement that applications for reimbursement of foreign medical expenses be accompanied by a ticket confirming the period of stay, and thus that the stay was temporary and that the residence was in Iceland. The documents in question are suitable for informing the case. Therefore, on the application form, it is requested that airline tickets accompany the application for reimbursement of medical expenses incurred abroad. It is stated that the decision is not based on the applicant having arrived in Iceland for a refund to take place, as referred to in the complaint, but on requesting flight tickets to confirm the period of stay in the foreign country.

Sjúkratryggingar's reply letter also states that the practice of always requesting a copy of airline tickets in the aforementioned circumstances was taken up at the beginning of 2020. Previously, they were only requested when deemed necessary, such as if there was a suspicion of that the stay abroad had been longer than permitted by law or that there had been a residence abroad. Unfortunately, it was common for incorrect information to be provided in applications for length of stay, which would have led to Sjúkratryggingar often reimbursing costs that were not reimbursed due to the conditions of Article 10. Act no. 112/2008.

With regard to education for the data subjects about the processing, it is referred to that information about the processing in question, ie. acquisition of airline tickets, can be found on the application form together with further information about the processing. Further information on the processing of personal information can be found in Sjúkratryggingar's privacy policy, which is published on the institution's website. In light of the way things have been handled in the collection of the information in question and its processing, Sjúkratryggingar believes that the institution's educational obligation has been fulfilled in the case.

II.
Assumptions and conclusion

1.
Scope - Responsible party
Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.

Processing refers to an action or series of actions where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.

This case concerns the Health Insurance's acquisition of copies of the complainant's tickets. In this respect and in the light of the above provisions, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. As such, Sjúkratryggingar Íslands is considered to be responsible for the processing in question.

2.
Legality of processing and conclusion
All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. It may be mentioned that personal information may be processed if it is necessary to fulfill a legal obligation that rests with the responsible party, cf. 3. tölul. Article 9 of the Act and point c of the first paragraph. Article 6 of the Regulation, and if the processing is necessary due to work carried out in the public interest or in the exercise of public authority exercised by the responsible party, cf. 5. tölul. Article 9 of the Act and item e of the first paragraph. Article 6 of the Regulation.

In addition to the authorization according to the above, the processing of personal information must always be in accordance with all the principles of the first paragraph. Article 8 Act no. 90/2018, Coll. Paragraph 1 Article 5 of the Regulation. Among other things, it is stipulated that personal information is processed in a lawful, fair and transparent manner towards the data subject, cf. 1. tölul. Paragraph 1 Article 8; that they are obtained for clearly stated, legitimate and objective purposes, cf. 2. tölul. Paragraph 1 Article 8; that they are sufficient, relevant and not in excess of what is necessary in view of the purpose of the processing, cf. 3. tölul. Paragraph 1 Article 8, and that they are reliable and updated as needed, cf. Number 4 Paragraph 1 Article 8

In assessing the authorization for the processing of personal data, the provisions of other applicable laws must also be taken into account at any given time. The Data Protection Authority considers that Sjúkratryggingar can be considered to be liable in accordance with Article 23. a laga nr. 112/2008 obligation to verify that an individual has been covered by health insurance in this country, cf. Article 10 of the Act, when he requests reimbursement for medical expenses incurred abroad.

In point 5. Paragraph 1 Article 9 Act no. 90/2018 refers, among other things, to the fact that the processing of personal information is necessary for the exercise of public authority by the responsible party. In the explanatory notes to the provision in the explanatory memorandum to the bill, reference is made to the fact that it covers, among other things, the processing of information on behalf of the government related to the exercise of public authority. This primarily means making government decisions, but at the same time other processing that is considered to be administrative, such as public service activities, would normally be covered by it.

The provisions of point 5. Paragraph 1 Article 9 of the Act is a comparable provision to item e of the first paragraph. Article 6 Regulation (EU) 2016/679. According to para. Article 6 of the Regulation requires that a basis for processing be laid down, which is based on point e of para. of the provision, in law. The purpose of the processing shall be determined on the legal basis or, in the case of the processing referred to in point (e) of paragraph 1, be necessary for the implementation of a project carried out in the public interest or for the exercise of official authority by the responsible party.

With regard to the explanations of Sjúkratryggingar and the cited provisions of Act no. 112/2008, the Data Protection Authority considers that it can be agreed that the acquisition of airline tickets for the purpose of demonstrating the length of the applicant's stay in a foreign country can be considered necessary in connection with the statutory implementation of Sjúkratryggingar's projects.

In view of the above, it is the conclusion of the Data Protection Authority that Sjúkratryggingar's collection of personal information about the complainant, which consisted of obtaining a copy of her flight tickets, can be based on the authorization in point 5. Article 9 Act no. 90/2018, on personal protection and the processing of personal information, cf. also point e of the first paragraph. Article 6 Regulation (EU) 2016/679. It is also not clear that the processing violated the principles of the first paragraph. Article 8 of the Act, cf. Paragraph 1 Article 5 of the Regulation.


Ú r s k u r ð a r o r ð:
Sjúkratryggingar Íslands' collection of personal information about [A] was in accordance with Act no. 90/2018, on personal data protection and processing, and Regulation (EU) 2016/679.


Privacy, February 4, 2021


Helga Þórisdóttir Helga Sigríður Þórhallsdóttir