DSB (Austria) - 2020-0.225.643

From GDPRhub
Revision as of 14:04, 3 November 2020 by 85.158.226.32 (talk) (Outcome = complaint dismissed, not rejected.)
DSB - 2020-0.225.643
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law:
DSG 2000 §§1 (1), (2), 4 (no. 2), 9 (no. 3) (Austrian Data Protection Act)
DSG §§ 24, (5), 69 (4), (5) (Austrian Data Protection Act)
VersVG §§ 11a (1) (no. 3), (2) (no. 2), 34 (1), (2) (Austrian Insurance Law)
Type: Complaint
Outcome: Complaint dismissed
Started:
Decided: 12.06.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: 2020-0.225.643
European Case Law Identifier: ECLI:AT:DSB:2020:2020.0.225.643
Appeal: n/a
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in DE)
Initial Contributor: n/a

The DSB helds that, there is therefore no violation of the right to secrecy, as the transmission of health data can be based on § 11a (1) item 3 and (2) item 2 VersVG and the complainant has an obligation to provide information and evidence to the respondent on the basis of the clear order in § 34 VersVG.

English Summary

Facts

As a civil servant, the complainant has a supplementary insurance policy with the defendant, which was set up by the Land of Upper Austria as a group insurance scheme. The defendant requires the original pharmacy receipts to be provided in order to provide the service. These vouchers state the names of the medicines purchased.

The insurance company required the complainant to submit original pharmacy receipts. The submitted proof of customer sales from the pharmacy was not sufficient. In order to benefit from an insurance policy, he was forced to disclose health-related data, which would be subject to confidentiality. These pharmacy receipts list the names of the medicines purchased. He considers that the insurance company has no interest in knowing what medicines the customer needs. This is subject to the confidentiality obligation of both the doctor and the pharmacy.

Dispute

The subject of the complaint is whether the defendant infringed the complainant's right to confidentiality by requiring the original invoices of a pharmacy, and not merely the pharmacy's proof of customer sales, in order to pay an insurance benefit to the complainant.


Holding

In substantive terms, however, the matter is to be assessed in accordance with the provisions of Sections 1 to 9 of the DSG 2000 and the VersVG applicable until the end of 24 May 2018, the date of the alleged breach of the right to confidentiality, because at that time the DSGVO and the necessary amendments to the VersVG by Federal Law Gazette I No. 16/2018 were not yet applicable.

Under Section 9 No. 3 DSG 2000, the use of sensitive data is permissible, inter alia, if the authorisation or obligation to use it arises from statutory provisions, provided that these serve to safeguard an important public interest. The complainant has an obligation to provide information and evidence to the respondent on the basis of the clear order in § 34 VersVG.

In this case, the transmission of health data can be based on § 11a (1) item 3 and (2) item 2 VersVG.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Decision-making authority

Data Protection Authority
Decision date

12.06.2020
Business figures

2020-0.225.643
Appeal to the BVwG/VwGH/VfGH

This decision is final.

Text

GZ: 2020-0.225.643 of 12 June 2020 (procedure number: DSB-D124.2138)

Note Processor: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and similar), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymisation. Obvious spelling, grammar and punctuation errors have been corrected].

DECISION

SPEECH

The data protection authority decides on the data protection complaint of Mag. Erwin A*** (complainant) of 6 May 2018 against N***-Versicherung AG (respondent) for violation of the right to secrecy as follows:

- The complaint is dismissed as unfounded.

Legal basis: §§ 1 to 9 DSG 2000, BGBl. I No. 165/1999 as amended by BGBl. I No. 132/2015, as well as § 24 para. 5 of the Data Protection Act (DSG), BGBl. I No. 165/1999 as amended; §§ 11a and 34 of the Insurance Contract Act (VersVG), BGBl. No. 2/1959 as amended by BGBl. I No. 112/2016.

EXPLANATIONS

A. Arguments of the parties and procedure

1 In his submission of 6 May 2018, the complainant submitted that he had supplementary insurance with the defendant. The insurance company required him to submit original pharmacy receipts. The submitted proof of customer sales from the pharmacy was not sufficient. In order to benefit from an insurance policy, he was forced to disclose health-related data, which would be subject to confidentiality. These pharmacy receipts list the names of the medicines purchased. He considers that the insurance company has no interest in knowing what medicines the customer needs. This is subject to the confidentiality obligation of both the doctor and the pharmacy. In his view, the insurance company should be satisfied with the pharmacy's proof of customer sales, which clearly shows how many prescription medicines were purchased in an insurance year. He had already communicated this on 20 February 2018 in the course of a submission in the control and ombudsman procedure. The data protection authority had informed him that there was no possible infringement of the law due to a manifestly non-transfer of data and that the data protection authority could not take action in this case. This meant that he had to disclose the data in order for a breach of data protection to occur in the first place. The complainant had therefore contacted the author of the above-mentioned communication from the data protection authority by telephone in order to ask whether the ex lege guaranteed data protection in Austria would only apply once a breach of data protection had occurred. Ultimately, the complainant had been given to understand that he actually had to disclose these data in order for a breach of data protection to occur and for the data protection authority to be able to prosecute it. The complainant considered this to be a provocation by the authorities. He had nevertheless complied with this and sent the original supporting documents containing sensitive data to the defendant. This was the breach of data protection.

Sensitive data would require the explicit consent of the person concerned. For effective consent to be given, the Data Protection Act requires that the will of the person concerned be freely given, specific, unambiguous and given after prior information. It was for the respondent to demonstrate that such consent had been properly given. The respondent had not complied with his written request to provide evidence of such consent to request, collect or process data. There is neither a necessity for this requested data transfer nor consent to it, let alone the right to demand it, let alone to enforce it (no authorisation or obligation).

By letter of 5 March 2020, received on 10 March 2020, the complainant submitted that he had already lodged a complaint with the Austrian data protection authority on 6 May 2018. To date - more than one and a half years later - he has not received any reply or settlement. Data protection was apparently not taken seriously in Austria.

In a letter of 25 March 2020, the defendant summarised that the complainant's complaint was identical in substance to the complaint of 20 February 2018 regarding CPC: DSB-D216.669/0003-DSB/2018 and did not contain any substantiated new objections. In both submissions, the complainant complained that the defendant insisted on the transmission of the original pharmacy invoices for the provision of services.

It should be noted that the proceedings concerning the joint venture: DSB-D216.669/0003-DSB/2018 were closed on 20 February 2018 and the defendant was informed of this by letter of 17 April 2018. The defendant referred to the opinion of 16 March 2018 and added the following additional information:

As already stated in the statement of March 2018, the General Terms and Conditions of Insurance (AVB) constitute the most important legal basis alongside the provisions of the Insurance Contract Act (VersVG). They would constitute a description and limitation of the insurance cover.

The data from the original invoices in question are processed for the purpose of assessing and fulfilling claims arising from the insurance contract with the person concerned.

The General Conditions of Insurance for Medical Expenses and Hospital Daily Allowance Insurance (AVB 1999) applicable here are the conditions applicable to all tariffs, the scope of benefits of which is, however, limited by the tariff actually concluded. Under those conditions, the cost of medicines prescribed in the context of medical treatment and obtained from a pharmacy is reimbursed. According to point 7.1 of the GIP, payment is made on the basis of original invoices, which are balanced and show, inter alia, the person actually receiving the treatment, a description of the services provided and the dates of the treatment.

A prescription fee confirmation from a pharmacy does not meet the criteria of the GPI 1999 and therefore cannot be accepted as a replacement for an original invoice. Apart from that, the confirmation of prescription fees does not contain all the information necessary for the verification of the insured event, such as: the name of the service (medicine). Thus, the assessment of claims under an insurance contract cannot be based on the prescription fee confirmation.

Furthermore, according to § 34 VersVG, the policyholder is obliged to provide the insurer with all information necessary to determine the insured event or the extent of the insurer's obligation to pay benefits. According to this provision, the insurer can demand evidence to the extent that the policyholder can reasonably be expected to obtain it. In this context, it should be pointed out in particular that the presentation of these original invoices is provided for in the AVB 1999.

The processing of personal health data was also carried out in accordance with § 11a para. 1 no. 3 VersVG, according to which the insurer may process personal health data in connection with insurance relationships in which the state of health of the insured or an injured party is significant, to the extent that this is indispensable for the assessment and fulfilment of claims arising from an insurance contract.

These personal health data are determined in accordance with §11a para. 2 no. 2 VersVG, according to which the insurer may only determine personal health data for the purposes mentioned in para. 1 on the basis of documents provided by the policyholder or the injured party. For this reason, too, it was necessary for the complainant to make the documents available.

The complainant's argumentation could therefore not be accepted, since the defendant's action fully complied with the legal provisions and since this was indispensable for the assessment and fulfilment of claims arising from an insurance contract and for determining the extent of the insurer's obligation to provide benefits.

In a letter of 6 April 2020, the complainant submitted in summary that the defendant justified its action on the basis of the VersVG and claimed that it was entitled to request and process personal health data - for the purpose of establishing the insured event and the extent of the insurer's obligation to provide benefits - to the extent that this was indispensable for the assessment and fulfilment of claims arising from an insurance contract.

According to the complainant's legal view, personal health data are not necessary for this purpose at all, especially since the insurance company has in any event a guarantee that a net invoice issued by a pharmacy for a medicine will in any event relate to a medicine prescribed by a doctor, since it will in any event only reimburse prescription medicines prescribed by doctors. This implies that personal health data are in no way necessary, let alone "indispensable", for the assessment and fulfilment of claims arising from an insurance contract. Moreover, the restriction "insofar" clearly indicates that a condition applies, which the insurer admits but grossly disregards.

It was noted in this context that, as a consequence - and also due to the processing error of the data protection authority - the complainant had been obliged to disclose sensitive personal health data also in 2019 and 2020.

Nor could there be a conflict of norms between the VersVG and the DSG, since the Data Protection Act was in any event the higher-ranking norm. Thus, there was no sufficient legal basis for the respondent to demand pharmacy receipts or invoices from pharmacies which would provide any sensitive personal health data. This is not least to be seen in the extension of medical confidentiality, since pharmacists also have a duty of confidentiality which is being undermined.

To put it plainly, it was simply not the respondent's business if someone was suffering from severe depression and needed permanent specialist medical treatment for it, which the EUR 85 annual maximum rate did not even come close to covering anyway.

B. Object of complaint

It follows from the complainant's arguments that the subject of the complaint is whether the defendant infringed the complainant's right to confidentiality by requiring the original invoices of a pharmacy, and not merely the pharmacy's proof of customer sales, in order to pay an insurance benefit to the complainant.

C. Findings of the facts

As a civil servant, the complainant has a supplementary insurance policy with the defendant, which was set up by the Land of Upper Austria as a group insurance scheme. The defendant requires the original pharmacy receipts to be provided in order to provide the service. These vouchers state the names of the medicines purchased.

By letter of 20 February 2018, the complainant essentially submitted, in the context of a control and ombudsman procedure under Paragraph 30 of the DSG 2000, that the insurance company (the defendant) required him to submit the original pharmacy receipts. The submitted proof of customer sales from the pharmacy was not sufficient. On those pharmacy receipts, the name of the medicines purchased is stated, which is of no interest to the insurance company. This procedure was recorded in the minutes of the proceedings at GZ: DSB-D216.669.

By letter of 20 March 2018, the data protection authority sent the complainant an opinion of the respondent, informing him that this opinion stated that "original invoices based on the insurance contract concluded between the parties to the contract must be submitted for the provision of services. In this context, it should be noted that there is no possible infringement of the law by an apparent failure to disclose the data and that the Data Protection Authority cannot act in this case.

The proceedings were informally closed by letter dated 17 April 2018.

By letter of 6 May 2018, the complainant lodged a new complaint after the original invoices had been submitted by him.

Due to an internal error, this complaint was not recorded in the minutes. It was only due to the urgency of the complainant on 10 March 2020 that the complaint was dealt with as regards its substance.

Assessment of evidence: The findings are based on the parties' submissions and the contents of the file or the file GZ: DSB-D216.669.

D. From a legal point of view, the following follows:

This complaint is to be decided on in accordance with the new legal situation (DSG as amended by Federal Law Gazette I No. 24/2018) under section 24(5) of the DSG.

In substantive terms, however, the matter is to be assessed in accordance with the provisions of Sections 1 to 9 of the DSG 2000 and the VersVG applicable until the end of 24 May 2018, the date of the alleged breach of the right to confidentiality, because at that time the DSGVO and the necessary amendments to the VersVG by Federal Law Gazette I No. 16/2018 were not yet applicable.

There is no question that data have already been transferred in the present proceedings. The complainant alleges that the submission of a confirmation of prescription fees is sufficient for the payment of the insurance benefit and that his right to confidentiality is infringed by the submission of the original invoices, since the defendants thereby gain knowledge of the medicines prescribed for him - and indirectly of his state of health.

The data which are the subject of the proceedings provide information about the complainant's health and are therefore sensitive data within the meaning of Paragraph 4(2) of the DSG 2000. Accordingly, the permissibility of the processing is governed exclusively by Paragraph 9 of the DSG 2000.

Under Section 9 No. 3 DSG 2000, the use of sensitive data is permissible, inter alia, if the authorisation or obligation to use it arises from statutory provisions, provided that these serve to safeguard an important public interest.

The processing of health data in the context of insurance law is governed by Section 11a of the VersVG, pursuant to paragraph 1 of which the insurer may process personal health data in connection with insurance relationships in which the state of health of the insured or an injured party is significant, insofar as this is indispensable for the administration of existing insurance contracts (no. 2) or for the assessment and fulfilment of claims arising from an insurance contract (no. 3).

Pursuant to § 11a para. 2 VersVG, insurers may only determine personal health data for the purposes mentioned in para. 1 in the following manner, namely, inter alia, by interviewing the person who is to be insured or who is already insured, or by interviewing the injured party (no. 1) or on the basis of documents provided by the policyholder or the injured party (no. 2).

§ Section 34 VersVG obliges the policyholder to provide information to the insurer if this is necessary to establish the insured event or the extent of the insurer's obligation to pay benefits. The insurer may demand documents to the extent that the policy holder can reasonably be expected to obtain them.

The obvious purpose of the obligation to provide information and evidence is to compensate the insurer's lack of information towards the policyholder. Naturally, the policyholder is more comprehensively informed than the insurer about the life circumstances affecting him. He should therefore provide the insurer with all information known to him and follow up on documents available to him. The policyholder must first notify the insurer of the occurrence of the insured event (§ 33 VersVG) and then, upon request, provide the insurer with further information and/or documents to verify his obligation to pay benefits within the meaning of § 34 VersVG. This is an obligation of the policyholder. The insurer may demand such information as it deems necessary if it may be significant for the reason and scope of its obligation to pay benefits (see the ruling of the Austrian Supreme Court of 5 November 2014, GZ 7 Ob 180/14t mwN).

It can also be seen from the OGH's case law on § 34 VersVG that the policyholder must provide all information necessary to establish the insured event. The insurer can demand the information that he considers necessary; however, he is obliged to prove that the requested information was necessary (see Grubmann, VersVG8 § 34 (status 1.7.2017, rdb.at) E 10 mwN).

The obligation to provide evidence within the meaning of § 34 (2) VersVG basically includes all documents which the policyholder has at his own disposal or which he can obtain from third parties (i.e. which already exist). The voucher obligation is a correlative to the obligation to provide information, so that the justification of the request for information is also the standard for the justification of the request for vouchers. Only in rare exceptional cases will it be unreasonable for the policyholder to present documents that are in his power of disposal (see again Grubmann, loc.cit., E 63 mwN).

2. applied to the present case, this means

The complainant has an obligation to provide information and evidence to the respondent on the basis of the clear order in § 34 VersVG.

In this case, the transmission of health data can be based on § 11a (1) item 3 and (2) item 2 VersVG.

The respondent, on the other hand, has the burden of proof that the requested documents are actually necessary to establish the insured event or the extent of the obligation to provide benefits.

It must therefore be examined whether the respondent was right to insist that the complainant provide it with the original invoices of the pharmacies and not merely sales receipts.

If this is the case, point 7.1 AVB 1999 can be seen as a concretisation of § 34 VersVG (see in this respect, with regard to the General Conditions for Legal Expenses Insurance - ARB 2000, again the already quoted ruling of the Supreme Court of 5 November 2014).

In its statement of 16 March 2018, the respondent already stated that a mere confirmation of prescription fees would not allow any possible erroneous double submissions to be identified and that therefore a correct processing by its employees in the interest of the community of insured persons as a whole could not be guaranteed.

The complainant has not substantiated his objection.

In this respect, it appears "conceivable" that the defendant needs the original invoices in order to assess the relevant facts, namely the exact scope of its obligation to provide benefits.

In conclusion, there is therefore no violation of the right to secrecy, which is why the decision had to be taken in accordance with the ruling.

In so far as the complainant complains that, in order to lodge a complaint with the data protection authority, he was forced to submit the original invoices and thus to disclose sensitive data, he must be replied that, instead of bringing proceedings before the data protection authority, he could have chosen not to submit original invoices and, if the defendant refused to pay its insurance benefits, to bring a civil action against it.
European Case Law Identifier

ECLI:AT:DSB:2020:2020.0.225.643