IP - 07121-1/2020/197

From GDPRhub
IP (Slovenia) - 07121-1/2020/197
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 58(3) GDPR
Article 49(1)(g) ZVOP
Article 2 ZInfP
Article 265 ZZavar
Article 268(2), (3), (7) and (12) ZZavar
Type: Advisory Opinion
Outcome: Other Outcome
Started:
Decided: 14.02.2020
Published:
Fine: None
Parties: anonymous
National Case Number/Name: 07121-1/2020/197
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: Informacijski Pooblascenec (in SL)
Initial Contributor: n/a

The Slovenian DPA (IP) issued a non-binding opinion regarding the processing of data in the context of a life insurance policy. It recalled several provisions of the Slovenian Insurance Act (ZZavar) and found that insurance companies may have a proper legal basis for the processing of personal data in specific databases if the companies fulfill the requirements provided for in ZZavar. It also noted that in the context of a non-binding opinion the IP cannot determine whether in a particular case these requirements are fulfilled.

English Summary

Facts and questions arising

The IP received a request for an advisory opinion regarding the processing of data in the context of a life insurance policy.

Holding

The IP found that pursuant to the Insurance Act the insurance companies and the Slovenian Insurance Association maintain individual databases of personal data referred to therein. Such a database could also be one of potential policyholders and insured persons in which the personal data provided for in this Act may be collected from a customer, taking into account the purpose of data processing. This personal data is therefore collected directly from the data subjects (customers). The insurer must therefore obtain the information from the customer, not itself.

The processing of personal data in this database is only allowed to the extent that is necessary for the purposes of processing defined in the law. Therefore, the insurance companies have a legal basis for obtaining and processing personal data to the extent and for the purposes defined in the law. However, the IP stressed that the principle of data minimisation must be respected, so that only personal data should be processed as is strictly necessary for the exercise of legitimate powers, tasks or obligations. Specific retention periods are also provided for in the same Act, after which the personal data included in the database must be erased, destroyed or irrevocably anonymized.

Further, the insurance companies have a duty to confidentiality according to the same Act.

Finally, the IP concluded that it is not possible, in the context of a non-binding opinion, to determine whether, in a particular case the stated conditions for processing all the information are fulfilled. This should be done by the operator. The IP can go through a specific assessment of the legality of processing in a particular case only by an inspection or administrative procedure.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.

The Information Commissioner (hereinafter: IP) has received your request for an opinion regarding the processing of data for the purpose of taking out a life insurance policy.

On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46 / EC (hereinafter referred to as the General Data Protection Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter: ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette RS, No. 113/05, hereinafter: ZInfP), we provide our non-binding opinion on your question.

IP initially emphasizes that it can provide non-binding opinions and explanations, but it cannot, outside of specific inspection or other administrative procedures, verify the appropriateness of the chosen legal basis or purposes or the extent of the processing of personal data in a particular case.

IP clarifies that Article 6 of the General Data Protection Regulation sets out different legal bases for the legitimate processing of personal data. Processing is thus lawful only to the extent that one of the following conditions is fulfilled for the specific purpose of the processing and specific personal data:

(a) the data subject has consented to the processing of his or her personal data for one or more specified purposes;

(b) processing is necessary for the performance of a contract to which the data subject is a contracting party or for the implementation of measures at the request of such individual before the conclusion of the contract;

(c) processing is necessary to fulfill the legal obligation imposed on the controller;

(d) processing is necessary to protect the vital interests of the data subject or other natural person;

(e) processing is necessary for the performance of a task in the public interest or in the exercise of public authority conferred on the controller;

(f) processing is necessary for the legitimate interests pursued by the controller or a third party, except where such interests are outweighed by the interests or fundamental rights and freedoms of the data subject, which requires the protection of personal data, in particular where the individual to which the personal data relate, the child.

It should be borne in mind that the last indent cannot be used for processing by public authorities in the performance of their tasks.

Pursuant to the Insurance Act (ZZavar-1; Official Gazette of the Republic of Slovenia, Nos. 93/15, 9/19), the insurance companies and the Slovenian Insurance Association maintain individual databases of personal data referred to in the second paragraph of Article 268. One of these collections is also a database of potential policyholders and insured persons, in which, in accordance with the seventh paragraph of Article 268 of the ZZavar-1, the following personal data may be collected from a customer, taking into account the purpose of data processing:

personal name, gender, date and place of birth, permanent or temporary residence or permanent and temporary address abroad, address for service, date of death, tax number, type and number of the identity document of the potential insurer or insured person. In the case of health insurance, information on the insured person's health insurance number may also be collected;

name of insurance company, policy number, duration of insurance and insurance coverage;

information relating to the potential subject of the collateral;

insurance companies providing supplementary voluntary health insurance may collect, in addition to the information referred to in the first indent, the unique personal identification number of a citizen in order to facilitate the exercise of the rights of insured persons;

information that insurance undertakings are obliged to obtain and process under the law governing the prevention of money laundering and terrorist financing;

information defining personal or financial position, lifestyle or habits, existing or desired insurance coverage, insurance motive, financial knowledge, experience or financial literacy of the policyholder, information on the ability to cover losses, investment objectives and the level of risk tolerance or information on other personal circumstances mediated by the policyholder and appropriate and necessary for determining needs and requirements, assessing suitability and adequacy, issuing a personal recommendation to the policyholder, or providing advice to the insurance company on the basis of a fair and personal analysis;

information on the health status of the insured person, including the provision of health services, prior injuries and health status, type of physical injury, duration of insurance and consequences for the insured person.

These personal data are therefore collected directly from the data subject (customers). Pursuant to the third paragraph of Article 268 of the ZZavar-1, the processing of personal data in this database is only allowed to the extent necessary for the realization of the purposes of processing, that is, advising or identifying the needs and requirements of the parties in the context of negotiations for the conclusion of an insurance contract, concluding an insurance contract, determining the needs and requirements of clients and assessing the suitability and adequacy of an insurance service or product for a client, issuing a personal recommendation or consulting the insurance company on the basis of a fair and personal analysis, as defined by ZZavar-1. The second paragraph of the third paragraph of Article 268 of ZZavar-1 also clearly stipulates that data for this purpose is obtained from the customer. The insurer must therefore obtain the information from the customer, not itself.

According to the presented legislation, insurance companies therefore have a legal basis for obtaining and processing personal data to the extent and for the purposes as stipulated by ZZavar-1. Insurers can thus obtain from the client the personal information above that they need to deal with a particular case, taking into account the purposes of each collection. In doing so, the principle of minimum data should be respected, which states that, provided that there is a legal basis, the personal data being processed must be relevant, relevant and limited to what is necessary for the purposes for which they are processed. This principle implies that only personal data should be processed as is strictly necessary for the exercise of legitimate powers, tasks or obligations, ie in the specific case of life insurance.

The IP also draws attention to the provision of the twelfth paragraph of Article 268 of ZZavar-1, which stipulates that data from the database of potential insurers and insured persons shall be stored up to the moment of conclusion of the insurance contract or not more than three months from the conclusion of negotiations for the conclusion of the insurance contract, but not more than six months from the date of their acquisition. No later than the first day of the month following the expiration of the retention period, the data from the databases referred to in the second paragraph of this Article shall be erased, destroyed or irrevocably anonymized, and the documentation destroyed so that its contents can no longer be identified or can no longer be reused.

Article 265 of ZZavar-1 also stipulates the obligation for an insurance company to protect as confidential all information, facts and circumstances about an individual insurer, insured person or other beneficiary of insurance that he has collected in the course of business with him or in some other way. When it comes to the protection of personal data at the same time, the law governing the protection of personal data is subject to the processing and protection of personal data.

IP concludes that it is not possible, in the context of a non-binding opinion, to determine whether, in a particular case, for the specific purpose and data, the stated conditions for processing all the information you provide in your request are fulfilled. This is the job of the operator. However, a specific assessment of the legality of processing in a particular case can only be made by the IP through an inspection or administrative procedure.