There are special safeguards on the processing of special categories of personal data, of which health data is one. As a rule, processing is permitted only if you have consented to the processing in accordance with Art. 9, para. 2 a) GDPR, or if this is a case of one of the other situations defined by law, Art. 9, para. 2 b) – j) DSGVO.
a) Processing of your special categories of personal data
In many cases, in order to review the benefit entitlement, we require personal data belonging to a special category (sensitive data). This includes health data, for example. If, in connection with a specific insured event, you provide us with such data together with a request to review and process the claim, you are explicitly permitting us to process your sensitive data necessary in order to process the insured event. We will again remind you specifically of this fact in the claim form.
You may withdraw your consent at any time, with future effect. However, we explicitly inform you that it may no longer be possible to review our indemnity obligation in connection with the insured event. If the damage event has already been processed, it may be the case that the data cannot be deleted for statutory retention periods, for example.
We may also process your sensitive data if this is necessary to protect your vital interests, and if you are physically or legally incapable of giving consent, Art. 9, para. 2 c) GDPR. This may be the case if you suffer a serious accident while travelling, for example.
In the case of multiple insurance policies, if another insurer seeks recourse from us or if we seek recourse from another insurer, we may process your sensitive data in order to assert and defend the statutory claim for settlement, Art. 9, para. 2 f) GDPR.
b) Requesting health data from third parties for review of the indemnity obligation
In order to examine our duty to indemnify, it may be necessary for us to check information concerning your state of health, as provided by you in substantiating claims, or which is evident from documents submitted (e.g. invoices, prescriptions, reports) or statements, e.g. from a doctor or other member of a healthcare profession.
For this purpose, we will require your consent, including a confidentiality waiver covering us and all agencies subject to a duty of confidentiality, and which are required to provide information for review of the indemnity obligation.
We will notify you in each specific case about what persons or institutions require information for what purpose. You may then decide in each case whether you consent to us collecting and using your health information, and whether to release the named persons or institutions and their employees from their duty of non-disclosure, and if you agree to the communication of your health data to us, or if you want to personally provide the necessary documentation.