Processing of personal data

For the General Health Insurance Company of the Czech Republic with its registered office at: Orlická 2020/4, 130 00 Praha 3 - Vinohrady, Czech Republic; Comp. ID No.: 41197518 (hereinafter referred to as "VZP CR") the protection of personal data is an integral part of the fulfilment of obligations towards insured persons and other natural persons (hereinafter referred to as "data subject"). The protection of personal data is dealt with in a long-term, systematic manner, with the attention that this issue requires, and always in accordance with the applicable legislative framework of the Czech Republic, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the "General Regulation") and Act No. 110/2019 Coll., on the Processing of Personal Data.

Here you will find information on what personal data we process about data subjects, for what purpose, on the basis of which legal title these personal data are processed, to whom the personal data may be transferred and what rights you can exercise in accordance with the relevant legislation.

Contents:

What personal data do we process?

Why do we process personal data and on the basis of what authorisation?

Who processes your data and to whom do we transfer your data?

From what sources do we obtain your personal data?

How long do we keep personal data?

What are your basic data protection rights?

How can you exercise your rights?

What personal data do we process?

VZP CR processes the following personal data:

  1. address and identification data – first name, surname, date and place of birth, sex, marital status, personal ID number, insurance number, nationality, permanent address, data relating to the right of residence in the Czech Republic, number and period of validity of the personal document, date and place of death,
  2. contact details – e-mail address, telephone number, delivery address,
  3. special categories of personal data – data about your health,
  4. descriptive data – education, number of children, previous employment, previous health insurance company, bank details, etc.,
  5. data about another person – e.g. address and identification data of a family member, spouse, child, legal guardian, etc.,
  6. other data – data related to the provision of healthcare to the insured person and the provision of public health insurance in the scope of documentation maintained by the General Health Insurance Company of the Czech Republic in accordance with applicable legislation,
  7. other relevant data – e.g. data on court disputes, inheritance proceedings, execution proceedings, personal bankruptcies, data related to the fulfilment of legal obligations of the person concerned,
  8. video recordings from the camera system and audio recordings of call-centre calls, personal data processed in the context of online contact, e.g. cookies, IP addresses.

Why do we process personal data and on the basis of what authorisation?

Processing of personal data on the basis of the law

VZP CR, as the personal data administrator, is authorised to process personal data on the basis of legal regulations to ensure the fulfilment of public health insurance. Personal data of insured persons, premium payers, or their representatives or authorized persons are processed by the insurance company on the basis of Act No. 551/1991 Coll., on the General Health Insurance Company of the Czech Republic, Act No. 48/1997 Coll., on Public Health Insurance and on Amendments and Supplements to Some Related Acts, Act No. 592/1992 Coll., on Public Health Insurance Premiums. In accordance with the relevant legal norms, the data subject is obliged to provide personal data for the purpose of exercising public health insurance. In addition, VZP CR may process personal data for the purpose of fulfilling legal obligations under Czech legislation governing accounting and financial control.  

Processing of personal data on the basis of legitimate interest

VZP CR, as the personal data administrator, also processes the personal data of the data subject within the meaning of Art. 6(1)(f) of the General Regulation by operating a camera system to ensure the protection of property and persons, the safety of employees and clients. The camera system processes and stores short-term personal data in the scope of image recording of persons who move near or inside the buildings of the VZP CR. Each building with a monitoring system is marked in accordance with the General Regulation. 

Furthermore, VZP CR processes data provided by clients voluntarily in its legitimate interest for the purpose of streamlining communication during the insurance relationship and for direct marketing purposes, e.g. sending regular newsletters or occasional emails with information related to VZP CR activities.

Processing of personal data based on the performance of a contract

VZP CR, as a personal data administrator, processes the personal data of the data subject within the meaning of Article 6(1)(b) of the General Regulation for the purpose of establishing and operating a secure electronic communication service between the data subject and VZP CR via the e-Health application and for the purpose of fulfilling the obligations of external suppliers of services and assets.

Processing of personal data on the basis of consent

Pursuant to Article 6(1)(a) of the General Regulation, VZP CR processes personal data on the basis of the data subject's consent granted for the specified scope of personal data processed and the purpose of processing. VZP CR is entitled to process this personal data for the period for which the consent was granted or until its revocation.

Processing of special categories of personal data

VZP CR processes special categories of personal data within the meaning of Article 9(2)(i) of the General Regulation in the context of the targeted invitation of insured persons to screening programmes, as the processing is necessary for reasons of public interest in the field of public health.

Additional information on the processing of personal data

Who processes your data and to whom do we transfer your data?

In most cases, your personal data is processed directly by VZP CR. This means that VZP CR determines the above defined purposes for which it collects your personal data, determines the means of processing and is responsible for their proper implementation.

VZP CR may also transfer your personal data to other entities for processing, namely:

  • state administration authorities or persons defined by the legal regulations of the Czech Republic within the framework of mandatory cooperation,
  • contractual partners providing business and services for VZP CR in the position of a processor, mainly in the following areas:
  • provision of postal services,
  • ensuring the production of insurance cards,
  • arranging convalescent stays,
  • arranging conferences and training,
  • provision of security services,
  • provision of ICT services.

Contract partners, including GDPR processors, can be found at https://smlouvy.gov.cz/.

VZP CR, as the administrator of personal data, has defined and declared in writing the performance of processing activities with all processors in order to ensure compliance with the General Regulation and to achieve maximum security of the processed personal data.

VZP CR does not transfer your personal data to third countries or international organisations. Should such a transfer be necessary, VZP CR will provide specific information in the particular case.

From what sources do we obtain your personal data?

We obtain personal data from:

  • clients/policyholders,
  • other natural persons (e.g. participants in competitions),
  • relevant registers of citizens of the Czech Republic,
  • directly from the data subjects,
  • state and other authorities in the performance of their statutory obligations under the relevant legislation,
  • health service providers,
  • publicly accessible registers, lists and records.

How long do we keep the personal data?

The processed personal data are stored by VZP CR for the period of time necessary even after the end of the insurance relationship in accordance with the time limits specified in the VZP CR File Regulations and in the relevant legislation.

What are your basic data protection rights?

Right of access to personal data

You have the right to request confirmation as to whether or not your personal data is being processed. If so, you have the right to request identification of what data is being processed about you and to what extent, including: the category of personal data processed, the purpose of the processing, the period of retention, information about the recipients to whom the personal data is disclosed, any available information about the source of the personal data, and information about whether automated decision-making, including profiling, takes place. 

The VZP CR, as an auditor of a large amount of information, may use the possibility to ask the data subject to indicate the specific information or activities to which his/her request relates before providing the information.

Right to correction or completion

In case you suspect that the data processed by VZP CR is incorrect, you have the right to request the correction or completion of your personal data.

Right to transferability

The data subject shall have the right to request the administrator to transmit (where technically feasible) his or her personal data in a structured, commonly used and machine-readable format to another administrator.

Right to erasure

In some cases, you have the right to have your personal data erased. We will delete your personal data without undue delay if:

  • we no longer need your personal data for the purposes for which we processed it,
  • you withdraw your consent to the processing of your personal data, where the data is data for which your consent is necessary and we have no other reason why we need to continue to process the data,
  • Provision of the service has been terminated on the basis of a contractual relationship,
  • you believe that the processing of personal data by us has ceased to comply with generally binding regulations.

The right to erasure does not apply if the processing of your personal data is still necessary for the fulfilment of a legal obligation of VZP CR or the establishment, exercise or defence of its legal claims.

Right to the restriction of processing

In some cases, in addition to the right to erasure, you can exercise the right to restrict the processing of personal data. This right allows you to request that your personal data be marked and not be subject to any further processing operations – but in this case not forever (as with the right to erasure), but for a limited period of time. We must restrict the processing of personal data when:

  • you dispute the accuracy of the personal data before we agree what data is correct,
  • we process your personal data without a sufficient legal basis (e.g. beyond what we need to process), but you prefer to restrict such data before erasing it,
  • we no longer need your personal data for processing purposes, but you require it for the establishment, exercise or defence of your legal claims.

Right to object to processing

You have the right to object to the processing of personal data based on the legitimate interest of VZP CR. If you object to processing for marketing purposes, we will no longer process your personal data for these purposes. In other cases, we will do so unless we have compelling legitimate grounds for not continuing such processing.

Right to withdraw consent

You may withdraw your consent to the processing of your personal data at any time. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. Withdrawal of consent also has no effect on any contractual relationship.

The right not to be subject to automated individual decision-making with legal or similar effects, including profiling

You have the right not to be subject to any decision based solely on automated processing, including profiling, except where the decision is: 

  • necessary for the conclusion or performance of a contract between you and the data administrator, 
  • permitted by European Union or Czech law,
  • based on your express consent.

Right to complain

You may exercise this right in the event of an alleged violation of applicable data protection laws. You can lodge a complaint against the processing of personal data by VZP CR with the supervisory authority or the Office for Personal Data Protection, which is located at Pplk. Sochora 27, 170 00 Prague 7.

How can you exercise your rights?

All your requests will be handled by the Data Protection Officer of the VZP CR, who is Mgr. Renáta Alexejevová, e-mail address below.

You can exercise your rights at any time by making a request:

by post to: Data Protection Officer - VZP ČR, Orlická 2020/4, 130 00 Prague 3 by e-mail: poverenec@vzp.cz
via data mailbox: i48ae3q
by phone: 952 220 773.

The deadline for processing requests is 30 days from the date of receipt.

Document version 1.0, Update – September 2020