Data protection

Data protection notice for insured persons of Confido Health Plan (valid from 05.12.2023)

This data protection notice establishes the conditions for processing personal data by Tervisekindlustusagent OÜ (registry code 16572262) in the processing of personal data on the Confido Health Plan self-service portal. This data protection notice applies to individuals who have insurance coverage within the framework of Confido Health Plan mediated by Tervisekindlustusagent OÜ. Tervisekindlustusagent OÜ reserves the right to unilaterally amend and supplement this data protection notice. In such cases, Tervisekindlustusagent OÜ will inform the Insured persons and ther Relatives about the implemented changes.

1. Definitions

2. Tervisekindlustusagent as a data controller

3. Collected personal data, purpose of processing, and legal basis

4. From whom does tervisekindlustusagent collect data

5. Retention of personal data

6. Transfer of personal data

7. Security of personal data

8. Rights related to personal data

1. Definitions

In this Data Protection Notice, the following terms are used:

Data protection notice – This Data Protection Notice regulates the processing of personal data of the Insured persons and their Relatives by Tervisekindlustusagent OÜ.

Confido Health Plan – Insurance developed by the insurer, AS Arstikeskus Confido (hereinafter Confido, registry code 12381384, address Veerenni 51, Tallinn, 10138 Harju County), under which, based on the agreement concluded between Confido and the Policyholder, health services are provided to the Insured persons and their Relatives within the agreed health insurance risk.

Insurer – AS LHV Kindlustus, registry code 14973611, address Tartu mnt 2, 10145 Tallinn, Harju County.

Policyholder – A legal entity that has entered into an insurance contract with the Insurer through Tervisekindlustusagent. If the Insured person is not an independent co-insurer, the Policyholder is the employer of the Insured person.

Insured person – An individual insured by the Policyholder or independently as a co- insurer.

Cooperation partners – Doctors and specialists from third-party cooperation partners who provide services to the Insured persons or their Relatives, as well as other employees of cooperation partners who process personal data on a need-based basis. The list of cooperation partners can be found here.

Relative – The spouse, partner, parents, and children up to the age of 18 of the Insured person insured by the Policyholder.

Service – Any healthcare service covered by the insurance offered by the Insurer. The healthcare services covered by the insurance can be found in the insurance terms.

Tervisekindlustusagent – Tervisekindlustusagent OÜ, registry code 16572262, address Veerenni 51, 10138 Tallinn, Harju County. The data controller responsible for processing the personal data of the Insured persons and Relatives for claims handling purposes.

Confido Health Plan self- service portal – Digital environment through which a person can submit a claim, and where claims are processed, and the data of the Insured persons are managed.

General Data Protection Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

2. Tervisekindlustusagent as a data controller

2.1.

Tervisekindlustusagent is considered, in the context of the General Data Protection Regulation (GDPR), the data controller for the personal data of the Insured persons and their Relatives. As a data controller, Tervisekindlustusagent determines which personal data to collect from the Insured persons and their Relatives and for what purposes.

3. Collected personal data, purpose of processing, and legal basis

3.1.

Tervisekindlustusagent processes the following personal data of the Insured persons and their Relatives only for specified purposes and on the basis of applicable law:

Category of Personal Data	Personal Data	Purpose	Legal basis
Identification data	Insured person and Relative’s first and last name, personal identification code, email address.	Creating an user on the Health Plan platform, user identification.	Legitimate interest under Article 6(1)(f) of the GDPR. Legitimate interest includes the handling of insurance cases and claims through the Terviselahendus platform. If the Insured person is an independent co-insurer, the legal basis is the performance of a contract under Article 6(1)(b).
Insurance data	Identification data of the Insured person and Relative, insurance card number, and IBAN number.	Handling claims – determining the existence of insurance and identifying insurance limits.	Legitimate interest under Article 6(1)(f) of the GDPR. Legitimate interest includes the handling of insurance claims and making insurance payments to the Insured person and Relative. If the Insured person is an independent co-insurer, the legal basis is the performance of a contract under Article 6(1)(b).
Health data	Data about the Insured person and Relative’s visits – which service the Insured person or Relative has used, including information about prescription and referrals.	Handling claims – determining if the insurance coverage is applicable for the service being sought.	Insurance Activities Act § 218(2)(2).
Contact information	Insured person’s and Relative’s phone number, first and last name, email address.	Direct marketing and seeking feedback. These data may be used by Tervisekindlustus- agent to send newsletters or information about services.	Legitimate interest under Article 6(1)(f) of the GDPR. If the Insured person is an independent co-insurer, the legal basis is the performance of a contract under Article 6(1)(b).
Contact information of the Policyholder	Representative of the Policyholder managing the Insured persons on the Confido Health Plan self-service portal – first and last name, email address.	Identification and use of the Confido Health Plan self- service portal by the representative of the Policyholder.	Legitimate interest under Article 6(1)(f) of the GDPR.
Contact information of Cooperation partners	First and last name, email address.	Identification and use of the Confido Health Plan self- service portal by Cooperation partners.	Legitimate interest under Article 6(1)(f) of the GDPR.

4. From whom does tervisekindlustusagent collect data

4.1.

Tervisekindlustusagent processes data obtained directly from the Insured person, Relative, and third-party sources. Data about the Insured persons can be obtained from the employer or Policyholder if the Insured person is insured by the employer. The Policyholder inputs the Identification Data of the Insured person into the Confido Health Plan self-service portal.

4.2.

If the Insured person is an independent co-insurer, Tervisekindlustusagent collects data directly from the Insured person.

4.3.

If the Relative is the Insured person, Tervisekindlustusagent collects the Identification Data of the Relative from the Insured person who insures the Relative.

4.4.

Tervisekindlustusagent collects health data directly from the Insured person or Relative. If the service is paid for by the Insured person or Relative at a Cooperation partner, and they wish to utilize Confido Health Plan limits, the Cooperation partner’s employee enters the personal identification code of the Insured person or Relative into the Confido Health Plan self-service portal to check the existence and limit of Confido Health Plan. If Confido Health Plan and the limit exist, the Collaboration partner’s employee enters the service consumed by the Insured person or Relative into the Confido Health Plan self-service portal.

5. Retention of personal data

5.1.

Tervisekindlustusagent does not retain personal data longer than necessary based on the purpose of processing and in accordance with applicable law.

5.2.

Accounting documents are retained for 7 years from the end of the respective financial year in accordance with the Accounting Act.

5.3.

Data collected for the performance of the contract and for making refunds, as well as data regarding feedback, with no specific legal retention period, are retained for up to 3 years after the termination of the contract.

6. Transfer of personal data

6.1.

Tervisekindlustusagent does not transfer the personal data of the Insured persons or their Relatives to third parties, except when such a right is provided to Tervisekindlustusagent by law or when the transfer of personal data to third parties is necessary for service provision.

6.2.

Tervisekindlustusagent has engaged Cooperation partners for service provision, and these partners, under the authorization of Tervisekindlustusagent, have the right to process the personal data of the Insured persons or their Relatives to a limited extent and on a need-to- know basis. Cooperation partners include various healthcare service providers (the list can be found here. Additionally, IT service partners (e.g., development and management of the Confido Health Plan platform), Policyholders, and accountants are also involved.

6.3.

Tervisekindlustusagent may be obliged under applicable law to disclose personal data to a court or law enforcement authorities based on a valid legal order. In such cases, Tervisekindlustusagent applies all principles related to personal data, including the principle of minimal processing.

6.4.

Tervisekindlustusagent does not transfer the personal data of the Insured persons or their Relatives outside the European Economic Area unless the data recipient is in a country for which the European Commission has issued an adequacy decision or the measures stipulated in Article 46 of the GDPR for the transfer of personal data are implemented.

6.5.

If the Insured person or Relative wishes to obtain more information about the recipients of their personal data, they can submit a request to the email address andmekaitse@confido.ee.

7. Security of personal data

7.1.

Tervisekindlustusagent implements necessary organizational, physical, and information technology security measures to protect processed personal data from any misuse, unauthorized access, disclosure, alteration, or destruction, even when personal data is transferred abroad. More information about applicable security measures can be requested by writing to the email address andmekaitse@confido.ee.

7.2.

Only authorized individuals have access to the personal data of the Insured persons and their Relatives. Authorizations are granted on a need-to-know basis, and individuals with access to personal data are obliged to adhere to confidentiality obligations.

8. Rights related to personal data

8.1.

The Insured persons and relatives have all rights arising from the applicable law regarding the processing of their personal data:

Right of access	The Insured person or Relative has the right to inquire at any time whether Tervisekindlustusagent has personal data about them and to obtain information about the personal data processed by Tervisekindlustusagent.
Right to correct personal data	The Insured person or Relative has the right to request from Tervisekindlustusagent the rectification or completion of their personal data if it is inaccurate, incomplete, or incorrect.
Right to object	The Insured person or Relative has the right to object to the processing of their personal data when such processing is based on the legitimate interests of Tervisekindlustusagent.
Right to erasure of personal data	The Insured person or Relative has the right to request the deletion of their personal data, for example, when the processing is based on consent and the individual withdraws their consent.
Right to restriction of processing	The Insured person or Relative has the right to request that Tervisekindlustusagent restrict the processing of their personal data under certain circumstances, for example, when the data is no longer needed, or the individual has objected to the processing.
Right to withdraw consent	If the processing of personal data is based on the consent given by the Insured person or Relative, they have the right to withdraw their consent at any time.
Right to data portability	The Insured person or Relative has the right to receive the personal data they have provided to Tervisekindlustusagent and request, if technically feasible, that Tervisekindlustusagent transmit this data to another service provider.
Right to lodge a complaint	The Insured person or Relative has the right to lodge a complaint directly with Tervisekindlustusagent by emailing andmekaitse@confido.ee or with the Data Protection Inspectorate at info@aki.ee, phone +372 627 4135, address Tatari 39, Tallinn 10134.

8.2.

The rights listed in this chapter regarding the processing of personal data are not exhaustive. In certain cases, the rights of other data subjects or legal obligations of Tervisekindlustusagent may limit the rights of the Insured person or Relative.

8.3.

To exercise the rights related to the processing of personal data, submit requests, or raise any questions, please contact Tervisekindlustusagent at andmekaitse@confido.ee.

Data protection notice for insured persons of Confido Health Plan (valid from 05.12.2023)

Contents

1. Definitions

2. Tervisekindlustusagent as a data controller

3. Collected personal data, purpose of processing, and legal basis

4. From whom does tervisekindlustusagent collect data

5. Retention of personal data

6. Transfer of personal data

7. Security of personal data

8. Rights related to personal data

Contacts

Useful links

Legal info