IP - 07121-1/2020/693

From GDPRhub
IP - 07121-1/2020/693
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 13 GDPR

Article 58 GDPR

Article 49(1)(g) of the Data Protection Act (ZVOP-1)

Article 2 of the Information Commissioner Act (ZInfP)

Article 268(6),(8) and (11) of the Insurance Act (ZZavar-1)

Type: Advisory opinion
Outcome: Non-binding
Decided: 23.4.2020
Published: n/a
Fine: none
Parties: anonymous
National Case Number: 07121-1/2020/693
European Case Law Identifier: n/a
Appeal: n/a
Original Language:

Slovenian

Original Source: Informacijski Pooblaščenec (SI)

The Slovenian DPA (IP) opined that an insurance company is entitled to ask personal data when it is necessary to justify an insurance claim but it could not assess if this would be necessary and proportionate for information dated five years ago.

English Summary[edit | edit source]

Facts[edit | edit source]

The IP was informed that an individual had filed a claim for compensation for damage caused by a car accident. The insurer now requires the injured party to have a photocopy of the medical record five years ago. You are wondering if the request is justified and in line with existing personal data protection legislation, especially since the insurance company does not explain why it requires that information. It merely states that they will not resolve the case until the required information has been received.

Holding[edit | edit source]

According to Article 268(6),(8) and (11) ZZavar-1. The insurer is entitled to obtain relevant medical records (including the entire medical records card) relating to the insured or beneficiary of the insurance, if such documentation is necessary for different insurance purposes.

The IP found that the insurance company is entitled to ask for the documentation necessary to decide on the insurance claim. However, the IP, when issuing an opinion, cannot address the question of whether it is necessary and proportionate for an insurer to request information for five years back.

The IP also found that the the insurance company is bound by the information obligation of Article 13 GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.

Date: 04/23/2020
Title: Request from an insurance company to provide a medical record
Number: 07121-1 / 2020/693
Subject matter: Information to the individual, Legal bases, Insurance, Health personal data
Legal act: Opinion

The Information Commissioner (hereinafter referred to as IP) has received an e-mail from you explaining that you have filed a claim for compensation for damage caused by a car accident. The insurer now requires the injured party to have a photocopy of the medical record five years ago. You are wondering if the request is justified and in line with existing personal data protection legislation, especially since the insurance company does not explain why it requires that information. It merely states that they will not resolve the case until the required information has been received.

On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46 / EC (hereinafter: the General Data Protection Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter ZVOP-1), and Article 2 of the Information Commissioner Act (Official Gazette RS, No. 113/05, hereinafter ZInfP) provides our non-binding opinion on your question.

The insurer is entitled to obtain relevant medical records (including the entire medical records card) relating to the insured or beneficiary of the insurance, if such documentation is necessary for concluding the insurance, deciding on the insurance claim and liquidating the claim, claiming recourse claims, etc. The basis for this can be found in the sixth, eighth and eleventh paragraphs of Article 268 of the Insurance Act (Official Gazette RS, Nos. 93/15 and 9/19, hereinafter: ZZavar-1).

The sixth paragraph of Article 268 of ZZavar-1 thus states that the insurance company may collect the following personal data, taking into account the purpose of data processing:
personal name, gender, date and place of birth, permanent and temporary residence or permanent and temporary address abroad, address for service, date of death, tax number, type and number of the identity document of the insured person and the injured party for whom insurance coverage and compensation are determined, respectively insurance;
    previous insurance cases to the extent referred to in the previous paragraph and information on the relevant health status of the insured person and the injured party, including the provision of health services, previous injuries and health status, the type of physical injury, the duration of treatment and the consequences for the injured party and the insured person;
    income of the insured and the injured party and employment;
    retirements (regular and disability), retraining and disability rates of the insured and the injured party;
    costs for medical care, medicines and medical supplies of the insured and the injured party;
    eligibility to cover the difference to the full value of health services under the law governing health insurance from the budgetary funds of the Republic of Slovenia;
    driving license information;
    historical information about the history of the insurance object.

As a rule, the documentation in the form of a copy is provided by the insured or. beneficiary, but the insurance company can also obtain it directly from the health care provider (point 6 of the eighth paragraph of Article 268 of ZZavar-1), in this case from your personal doctor.

The insurance company is therefore entitled to the documentation necessary to decide on the insurance claim. However, in an optional opinion, IP cannot address the question of whether it is necessary and appropriate for an insurer to request information for five years back. Considering that the legal provision of Article 268 of ZZavar-1, which provides the insurance company with a basis for obtaining data, is of a relatively open nature, the necessity must first be assessed by the controller of personal data, that is, the insurance company.
Your question also touches on the issue of so-called. the manager's explanatory duties or the individual's right for the insurer to explain to him for what purposes he will use his personal information and provide other mandatory information. This right is governed by Article 13 of the General Regulation, which sets out the set of information that the controller of personal data must provide to an individual when personal data are obtained from the data subject, including the identity and contact details of the controller; the purposes and legal basis for the processing; users or categories of users of personal data and furthermore the period of retention of personal data; existence of individual rights; the existence of the right to withdraw consent; the right to lodge a complaint with the supervisory authority.

We advise you to read more about individual data protection rights on our website www.tiodločaš.si.

All IP reviews are published and available on our web site: www.ip-rs.si/vop/.

Likewise, all key areas covered by the General Data Protection Regulation are presented at: https://www.ip-rs.si/legislation/reforma-european-legislative-framework-for-security-personal-information/key -Securities-Regulations / where you can find many useful tips on the essential obligations of companies and other organizations to properly implement personal data protection measures.