Data protection

As an insurance agent, Tervisekindlustusagent mediates the exchange of data between the insurer and cooperation partners within the Confido Health Plan, including the processing of personal data necessary for the conclusion and fulfilment of the insurance contract. In the context of the General Data Protection Regulation, Tervisekindlustusagent is considered to be the processor of the personal data of the insured persons and their relatives for the purpose of handling claims on behalf of and based on the instructions of the insurer.

In the context of the General Data Protection Regulation, the insurer is considered the controller of the personal data of the insured persons and their relatives, who determines which personal data is collected from the insured persons and their relatives and for what purposes.

Tervisekindlustusagent processes the following personal data of the insured persons and their relatives only for specified purposes and on the basis of applicable law:

Tervisekindlustusagent receives information about the insured person from the following sources, depending on who has taken out the insurance:

If the insured person is insured through a policyholder (e.g. an employer), the policyholder transfers the necessary information to the Health Plan self-service portal;

If the insured person is an independent co-insured person, they transfer the data themselves directly to Tervisekindlustusagent;

If the insured person is a relative, the necessary identification data is provided by the insured person who insured the relative.

Tervisekindlustusagent may also receive personal data from an identity verification service provider that has been authorised by Tervisekindlustusagent to verify and confirm identity.

The health data will be transferred to Tervisekindlustusagent either by the insured person or relative themselves or, with their consent, via cooperation partners. If the insured person or relative uses a cooperation partner’s service and wishes to use the Confido Health Plan insurance limit, the cooperation partner’s employee enters the insured person’s or relative’s personal identification code in the Health Plan self-service portal to verify the existence of insurance coverage and the insurance limit. If available, the cooperation partner’s employee will add information about the service provided to the Health Plan self-service portal.

Tervisekindlustusagent does not retain personal data longer than necessary based on the purpose of processing and in accordance with applicable law.

Accounting documents are retained for 7 (seven) years from the end of the respective financial year in accordance with the Accounting Act.

Data collected for the performance of the contract and for making refunds, as well as data regarding feedback, with no specific legal retention period, are retained for up to 3 (three) years after the termination of the contract.

Tervisekindlustusagent transfers the insured person’s or relative’s personal data only if:

Such an obligation is imposed by law (e.g. an obligation to provide information to a court or law enforcement authorities);

It is necessary for fulfilling the insurance contract;

It is carried out through Tervisekindlustusagent’s authorised service providers (e.g. IT service provider, identity verification service provider), who are entitled to process personal data only for the relevant purpose and to a limited extent. If Tervisekindlustusagent refers to a third-party website for the collection of personal data (e.g. for identity verification purposes), we recommend also reading the privacy policy of the third-party service provider.

When transferring personal data, Tervisekindlustusagent always applies the principles of data protection, including the requirements of minimisation, purpose limitation and confidentiality.

Tervisekindlustusagent does not transfer the personal data of the insured person or relative outside the European Economic Area. If the need for such a transfer arises in the future, Tervisekindlustusagent will only do so if the recipient of the data is located in a country for which the European Commission has issued an adequate protection decision or if appropriate additional safeguards are in place (e.g. European Commission standard contractual clauses). In such cases, Tervisekindlustusagent also updates the data protection notice with the relevant information.

Tervisekindlustusagent implements necessary organisational, physical and information technology security measures to protect the processed personal data from any misuse, unauthorised access, disclosure, alteration or destruction, even when personal data is transferred abroad.

Only authorised individuals have access to the personal data of the insured person and their relative. Authorisations are granted on a need-to-know basis, and individuals with access to personal data are obliged to adhere to confidentiality obligations.

The insured persons and their relatives have all rights arising from the applicable law regarding the processing of their personal data, which include:

Right of access – the insured person or relative has the right to inquire at any time whether Tervisekindlustusagent has personal data about them and to obtain information about the personal data processed by Tervisekindlustusagent.

Right to correct personal data – the insured person or relative has the right to request from Tervisekindlustusagent the rectification or completion of their personal data if it is inaccurate, incomplete or incorrect.

Right to object – the insured person or relative has the right to object to the processing of their personal data, for example when such processing is based on the legitimate interests of Tervisekindlustusagent.

Right to erasure of personal data – the insured person or relative has the right to request the deletion of their personal data, for example when the processing is based on consent provided by the insured person or relative and they have withdrawn their consent.

Right to restriction of processing of personal data – the insured person or relative has the right to request that Tervisekindlustusagent restrict the processing of their personal data under certain circumstances, for example, when the data is no longer needed, or the insured person or relative has objected to the processing.

Right to withdraw consent to the processing of personal data – if the processing of personal data is based on consent given by the insured person or relative, they have the right to withdraw the consent given to Tervisekindlustusagent at any time. Withdrawal of consent does not apply retroactively, i.e. it does not affect the lawfulness of the prior processing.

Right to data portability – the insured person or relative has the right to receive the personal data they have provided to Tervisekindlustusagent and request, if technically feasible, that Tervisekindlustusagent transfer this data to a third party service provider.

Right to lodge a complaint – the insured person or relative has the right to lodge a complaint directly with Tervisekindlustusagent by emailing andmekaitse@confido.ee or with the Data Protection Inspectorate at info@aki.ee, phone +372 627 4135, address Tatari 39, 10134 Tallinn.

The rights listed in this chapter regarding the processing of personal data do not include all their rights. In certain cases, the rights of other data subjects or legal obligations of Tervisekindlustusagent may limit the rights of the insured person or relative.

To exercise the rights related to the processing of personal data, submit requests, or raise any questions, please contact Tervisekindlustusagent at andmekaitse@confido.ee.