Extended privacy policy

Forsikringsselskabet Dansk Sundhedssikring A/S (“Dansk Sundhedssikring”, “we”, “us” or “our”) prioritises confidentiality and data security very highly. This data protection policy applies to our processing of personal data in connection with the provision of health insurance. The data protection policy gives you the information you are entitled to according to current data protection legislation.

 

1. Data Controller and contact details

Forsikringsselskabet Dansk Sundhedssikring A/S is the Data Controller for the processing of your personal data when you have health insurance with us.

Our contact details are:

Forsikringsselskabet Dansk Sundhedssikring A/S

CVR number: 34 73 93 07

Hørkær 12B

2730 Herlev

Tel. +45 70 20 61 21

Email: privacy.gdpr@ds-sundhed.dk

 

DPO (data protection consultants)

According to the General Data Protection Regulation (GDPR), we are obliged to have a DPO (data protection consultant). We have contracted legal practice Bech-Bruun for this purpose.

You can contact our DPO via email dpo.dss@bechbruun.com or tel. 72 27 30 02, weekdays between 9-16.

If your enquiry involves sensitive or confidential data, please use the secure message function: https://dpo.bechbruun.com/dss.

 

2. How we process your personal data

Insured by Forsikringsselskabet Dansk Sundhedssikring A/S

For what purposes are personal data used?

Types of personal data

What is the legal basis for processing?

Taking out and administration of health insurance

When you are covered by health insurance with us, we register your basic details in our systems, so that we can see that you are insured by us. We can then identify you, and ensure that you are able to make a claim with us.

General personal data

· Name

· Address

· Email address

· Telephone number

· Workplace

· Job title/position

· Employee group

· Payroll number

· Policy number

· Age

· Gender

· Date of birth

· CPR number (confidential personal data)

GDPR art. 6 (1), letter f (weighing of interests): We have a legitimate interest in processing your general personal data, to register you in our systems, to see that you have health insurance with us and can identify you, so that you can report a claim. We believe this interest exceeds consideration for your interest in us not processing your personal data. 

GDPR art. 9 (2), letter f (legal claim) and the Danish Data Protection Act’s Section 7 (1): The need to be able to determine your right to receive insurance products according to the insurance agreement you are covered by.

 

Claims and health-related processing

When you make a claim with us, we register the details you give us in connection with the actual claim. We use them to perform a healthcare-related assessment of your problem, in which we determine how we can provide the best treatment and course of action for you, and which treatment provider we can recommend for you in our external healthcare network.

If you would rather use your own treatment provider who is not in our external healthcare network, we will send a payment guarantee directly to you, and will then not take any further action with your personal data.

If your problem is not solved with the number of treatments we authorised in the first instance, we can ask for details on your treatment from your treatment provider. We will use those details to assess the status of the problem and your progress before we approve further treatments.

General personal data

· Name

· Address

· Email address

· Telephone number

· Workplace

· Job title/position

· Employee group

· Payroll number

· Policy number

· Cover and options

· Age

· Gender

· Date of birth

· CPR number (confidential personal data)

Sensitive personal data

· Health data in the form of mental or physical ailments, which need to be treated with regard to providing healthcare treatment.

· Sexual problems that can occur if your treatment involves mental issues that concern your sexuality.

GDPR art. 6 (1), letter f (weighing of interests): We have a legitimate interest in processing your general personal data, so that we can see that you have health insurance with us and can identify you, so that you can report a claim. We believe this interest exceeds consideration for your interest in us not processing your personal data. 

GDPR art. 9 (2), letter b (legal obligation) cf. Sections 5, 10 and 15 of the Executive Order on record-keeping: As a result of healthcare legislation, our authorised healthcare personnel are obliged to keep records of all contact they have with you.

GDPR art. 9 (2), letter f (legal claim) and the Danish Data Protection Act’s Section 7 (1): The need to be able to determine your right to receive insurance products according to the insurance agreement you are covered by. This applies when making a claim, and regular assessment of an open case.

Disclosure to external treatment providers and pension companies

If you want treatment in our external network of healthcare treatment providers, we will send your personal data to the treatment provider chosen.

If you are covered by mandatory provision of early intervention in the event of a risk of loss of the ability to work, we can forward your details to your pension company with your consent.

General personal data

· Name

· Address

· Email address

· Telephone number

· Payment guarantee number

· Age

· Gender

· Date of birth

· CPR number (confidential personal data)

Sensitive personal data

· Health data in the form of mental or physical ailments, which need to be treated with regard to providing healthcare treatment.

GDPR art. 6 (1), letter a (consent): We disclose your general personal data with your consent.

GDPR art. 9 (2), letter a (consent): We disclose your CPR number and health data with your consent.

Duty to keep records

To comply with our legal obligation to keep patient records in accordance with the Executive Order on authorised healthcare staff’s patient records (the Executive Order on record-keeping) and the Executive Order of the Act on psychologists. We are covered by this obligation, as the treatment and consultancy referred to earlier is provided by Dansk Sundhedssikring’s specialised nurses, psychologists and doctors.

General personal data

· Name

· Address

· Email address

· Telephone number

· Age

· Gender

· Date of birth

· CPR number (confidential personal data)

Sensitive personal data

· Health data in the form of mental or physical ailments, which need to be treated with regard to providing healthcare treatment.

· Sexual problems that can occur if your treatment involves mental issues that concern your sexuality.

 

GDPR art. 6 (1), letter f (weighing of interests): We have a legitimate interest in processing your general personal data, to register you in our systems, see that you have health insurance with us and can identify you, so that you can report a claim. We believe this interest exceeds consideration for your interest in us not processing your personal data. 

GDPR art. 9 (2), letter b (legal obligation) cf. Sections 5, 10 and 15 of the Executive Order on record-keeping: As a result of healthcare legislation, our authorised healthcare personnel are obliged to keep records of all contact they have with you.

GDPR art. 9 (2), letter f (legal claim) and the Danish Data Protection Act’s Section 7 (1): The need to be able to determine your right to receive insurance products according to the insurance agreement you are covered by.

Acute crisis help

If you are exposed to an event or incident that subsequently requires acute crisis help, and is covered by your health insurance, we can initiate the treatment and disclose your personal data to relevant treatment providers without your consent, if you are unable to do so as a result of the incident.

General personal data

· Name

· Address

· Email address

· Telephone number

· Payment guarantee number

· Policy number

· Cover and options

· Age

· Gender

· Date of birth

· CPR number (confidential personal data)

Sensitive personal data

· Health data in the form of mental or physical ailments, which need to be treated with regard to providing healthcare treatment.

GDPR art. 6 (1), letter d (vital interest):

GDPR art. 9 (2), letter c (vital interest):

In the event of a situation that requires acute crisis help, we have found that there can be vital consequences for you and your health if you do not receive treatment.

Communication and sending out service notifications

Physical or digital communication, including service notifications via letter, email, e-Boks or via our customer portal Mit DS-Sundhed.

General personal data

· Name

· Address

· Email address

· Telephone number

· CPR number (confidential personal data)

GDPR art. 6 (1), letter f (weighing of interests): We have a legitimate interest in processing your general personal data, to communicate with you on your health insurance, your claims and changes to your health insurance. We believe this interest exceeds consideration for your interest in us not processing your personal data.

GDPR art. 9 (2), letter f (legal claim) and the Danish Data Protection Act’s Section 7 (1): The need to be able to determine your right to receive insurance products according to the insurance agreement you are covered by.


Legal obligations and legal claims, including dealing with complaints

To comply with our legal obligations, and to be able to determine, defend and make legal claims applicable.

General personal data

· Name

· Address

· Email address

· Telephone number

· Workplace

· Policy number

· Cover and options

· Payment guarantee number

· Age

· Gender

· Date of birth

· CPR number (confidential personal data)

· Other relevant details used to comply with a legal obligation or for the purposes of a legal claim

Sensitive personal data

· Health data in the form of mental or physical ailments, which need to be treated with regard to providing healthcare treatment.

· Sexual problems that can occur if your treatment involves mental issues that concern your sexuality.

 

GDPR art. 6 (1), letter c (legal obligation) cf. Executive Order on complaint responsibility and the handling of complaints by financial undertakings, Section 4.

GDPR art. 6 (1), letter f (weighing of interests): We have a legitimate interest in processing your general personal data, to apply or defend a legal claim. We believe this interest exceeds consideration for your interest in us not processing your personal data.

GDPR art. 9 (2), letter f (legal claim)

GDPR art. 9 (2), letter g.

The Danish Data Protection Act’s Section 11 (2), no. 4 cf. the GDPR’s art. 9 (2), letter f (CPR number)

Early intervention in the event of a risk of loss of the ability to work

If you have health insurance with us through your pension company, and are covered by mandatory provision of early intervention in the event of a risk of loss of the ability to work, we will analyse your data to determine whether you are at risk of losing your ability to work.

General personal data

· Name

· Address

· Email address

· Telephone number

· Cover and options

· Age

· Gender

· Date of birth

· CPR number (confidential personal data)

Sensitive personal data

· Health data in the form of mental or physical ailments, which need to be treated with regard to providing healthcare treatment.

GDPR art. 6 (1), letter f (weighing of interests): We have a legitimate interest in processing your general personal data, to analyse whether you are at risk of losing your ability to work. We believe this interest exceeds consideration for your interest in us not processing your personal data. 

The Danish Data Protection Act’s Section 10 (1)

Recording telephone calls

We only record our telephone calls when you contact our Healthcare Team. We do so automatically for the purpose of keeping records, documentation of your claim and our case processing.

General personal data

· Name 

· Telephone number

· CPR number (confidential personal data)

Sensitive personal data

· Health data in the form of mental or physical ailments, which need to be treated with regard to providing healthcare treatment.

· Sexual problems that can occur if your treatment involves mental issues that concern your sexuality.


Executive Order on record-keeping, Section 10, no. 2, letter f.

Reporting to public authorities and legal obligations

According to the law, we are obliged as an insurance company to perform a number of analyses of claims received and cover approved. The results of such analyses are reported to the authorities in anonymised format.

We can use personal data if we have to respond to specific enquiries from the public authorities.

General personal data

· Case number 

· Invoice number

· Treatment date

Sensitive personal data

· Health data in the form of mental or physical ailments, which need to be treated with regard to providing healthcare treatment.

· Sexual problems that can occur if your treatment involves mental issues that concern your sexuality.

GDPR art. 6 (1), letter c (legal obligation)

GDPR art. 9 (2), letter f (legal claim)

Business Intelligence, customer and product analyses

Dansk Sundhedssikring compiles statistics and analyses via Business Intelligence (BI) to improve its products and services, for quality assurance and product development, and to perform anonymous reporting to our customers (your employer).

General personal data

· Case number 

· Invoice number

· Treatment date

Sensitive personal data

· Health data in the form of mental or physical ailments, which need to be treated with regard to providing healthcare treatment.

· Sexual problems that can occur if your treatment involves mental issues that concern your sexuality.


The Danish Health Act, Section 42d (2), no. 2.

GDPR art. 6 (1), letter e (the interests of society).

The Danish Data Protection Act’s Sections 10 (1) and 11 (2), no. 3.

The processing of personal data contained in your records is performed to compile statistics, conduct quality assurance and to develop and analyse the process.

We also make anonymous reports to customers (your employer) and to Dansk Sundhedssikring’s owners, on the basis of results from BI.

Satisfaction and effect surveys

We regularly conduct customer satisfaction and effect surveys. We do so, in partnership with one of our data processors, by sending you links to our online customer satisfaction and effect measurement forms after you have been in contact with us. You can opt to respond to them.

Customer satisfaction and effect measurement surveys are voluntary.

General personal data

· Case number 

· Invoice number

· Treatment date

Sensitive personal data

· Health data in the form of mental or physical ailments, which need to be treated with regard to providing healthcare treatment.

GDPR art. 6 (1), letter f (weighing of interests): We have a legitimate interest in processing your general personal data, to analyse your responses on your satisfaction with your health insurance. We believe this interest exceeds consideration for your interest in us not processing your personal data.

GDPR art. 9 (2), letter a (consent)

Invoicing, bookkeeping and accounts

To invoice, bookkeep and keep accounts, and to calculate financial reserves, etc.





General personal data

· Case number 

· Invoice number

· Treatment date

Sensitive personal data

· Health data in the form of the treatment provided.

GDPR art. 6 (1), letter b (fulfilment of contract).

GDPR art. 6 (1), letter c (legal obligation) cf. the Danish Bookkeeping Act and accounting legislation.

GDPR art. 9 (2), letter f (legal claim)

Disclosure to sister companies

When we perform administrative and financial analysis work for our sister companies PrimaCare A/S and VitalityGuard A/S, we use Dansk Sundhedssikring’s own personal data in the process, to be able to compare our data with those we receive from them.

General personal data

· Payment guarantee number 

· Policy number

GDPR art. 6 (1), letter f (weighing of interests): We have a legitimate interest in processing your general personal data, to be able to perform financial analyses for other members of our group. We believe this interest exceeds consideration for your interest in us not processing your personal data.

Disclosure to insurance brokers

If your insurance was taken out through an insurance broker, we will disclose your personal data to the broker when necessary.

General personal data

· Name

· Address

· Email address

· Telephone number

· Workplace

· Job title/position

· Employee group

· Payroll number

· Age

· Gender

· Date of birth

· CPR number (confidential personal data)

GDPR art. 6 (1), letter f (weighing of interests): We have a legitimate interest in processing your general personal data, to perform administration of your health insurance along with your insurance broker. We believe this interest exceeds consideration for your interest in us not processing your personal data. 

GDPR art. 9 (2), letter f (legal claim) and the Danish Data Protection Act’s Section 7 (1): The need to be able to determine your right to receive insurance products according to the insurance agreement you are covered by.

 

Anonymising

Dansk Sundhedssikring can anonymise your personal data for the purposes of marketing, development of products and services, machine learning, compilation of statistics, and for sharing, reporting to your employer, sales and publication of completely anonymous data. Your data will be anonymised according to our internal anonymising rules.

The data protection rules do not apply to anonymous data.

Contact personnel at external treatment providers or external treatment providers in the form of sole trader businesses

For what purposes are personal data used?

Types of personal data

What is the legal basis for processing?

Comply with collaboration agreement

Dansk Sundhedssikring processes your personal data to register your health clinic or treatment location in our network database of approved treatment providers, and subsequently to comply with the collaboration agreement.

General personal data

· Name

· Address

· Telephone number

· Type of processing offered

· Contract details

GDPR art. 6 (1), letter b (fulfilment of contract).

Invoicing, bookkeeping and accounts
To invoice, bookkeep and compile accounts.

General personal data

· Name

· Address

· Telephone number

· Invoice

· Payment details

GDPR art. 6 (1), letter b (fulfilment of contract).

GDPR art. 6 (1), letter c (legal obligation) cf. the Danish Bookkeeping Act and accounting legislation.

Satisfaction and effect surveys
Dansk Sundhedssikring issues satisfaction surveys after receiving treatment, to get feedback on your treatment.

General personal data

Details of customer satisfaction with your treatment

GDPR art. 6 (1), letter f (weighing of interests): We have a legitimate interest in processing your general personal data, to issue and receive responses to satisfaction and effect surveys, to be able to improve our own products and services, along with Dansk Sundhedssikring’s network of external and our own healthcare treatment providers. We believe this interest exceeds consideration for your interest in us not processing your personal data.

 

Legal claim
To comply with our legal obligations, and to be able to determine, defend and make legal claims applicable.

General personal data

· Name

· Address

· Telephone number

· Type of processing offered

· Contract details

· Correspondence

GDPR art. 6 (1), letter c (legal obligation).

GDPR art. 6 (1), letter f (weighing of interests): We have a legitimate interest in processing your general personal data, to apply or defend a legal claim. We believe this interest exceeds consideration for your interest in us not processing your personal data.

 

2.2 About your ability to influence our legal basis

Withdrawal of consent

You can withdraw your consent to the processing activities for which we use your consent as legal basis at any time.

If you do want to withdraw your consent, log in to your profile on Mit DS-Sundhed, where you can find the option for withdrawal at the same place as you gave it. If you withdraw your consent, we will no longer process your personal data based on that consent. Withdrawal will not affect the legality of our processing of personal data from the point in time when consent was given, up to it being withdrawn.

 

Objecting to weighing of interests

If you want to object to one or more processing activities we base on a legitimate interest as described above, you can contact us either via our customer portal Mit DS-Sundhed or by email to privacy.gdpr@ds-sundhed.dk, where you can lodge your objection against any specific processing. We will then consider whether your objection is justified, and whether the processing ought to be stopped on that basis.

 

2.3 Where do we get your details from?

When you take out insurance with us, we receive details on you from your employer, or from your employer’s insurance broker if the agreement on health insurance has gone through them.

We also receive details from you when you report a claim to us, or change your details in your profile at Mit DS-Sundhed.

If you have health insurance with us as co-insured, the details we have on you come from your family member who is the prime insured.

We also receive details from the public authorities, including Det Centrale Personregister (CPR register).

If you are in a treatment regime via us, we can receive details on your current treatment from your treatment provider.

 

3. Recipients of personal data

To fulfil the above purposes, Dansk Sundhedssikring can give your personal data to third parties who provide relevant services on the basis of a contractual relationship with Dansk Sundhedssikring.

Data processors

Certain suppliers will only process personal data in accordance with our instructions under data processing agreements. Dansk Sundhedssikring currently uses the data processors, or categories of data processors:

  1. IT suppliers for operation and security
  2. IT consultancies
  3. Suppliers of call centre services
  4. PrimaCare A/S, a group member. PrimaCare A/S supplies an external network of healthcare treatment providers, in the form of psychologists, physiotherapists, chiropractors and masseurs.

Independent Data Controllers

In certain instances, it will also be necessary to disclose your personal data to independent Data Controllers. The following categories of recipients are involved on the basis of the following legal basis:

  1. Law offices, accountants, courts and public authorities on the basis of our legitimate interest in being able to determine, defend and make legal claims (GDPR article 6 (1), letter f (general personal data), GDPR article 9 (2), letter f (health data) and the Danish Data Protection Act’s Section 11 (2), no. 2, no. 4 cf. GDPR article 9 (2), letter f (CPR numbers)).
  2. Pension companies (consent according to GDPR article 6 (1), letter a (general personal data), article 9 (2), letter a (sensitive personal data) and the Danish Data Protection Act’s Section 11 (2), no. 2 (CPR number)). We refer to the table above.
  3. Insurance brokers (GDPR article 6 (1), letter f (general personal data), and the Danish Data Protection Act’s Section 11 (2), no. 2, no. 4 cf. GDPR article 9 (2), letter f (CPR numbers)).
  4. External health clinics and treatment centres approved as part of Dansk Sundhedssikring’s healthcare network (consent according to GDPR article 6 (1), letter a (general personal data), article 9 (2), letter a (sensitive personal data) and the Danish Data Protection Act’s Section 11 (2), no. 2 (CPR number)). We refer to the table above.

 

4. How long do we retain your details?

Danish law regulates how long personal data can be retained.

Healthcare details and details we are obliged to obtain to be able to refer you for healthcare treatment are retained for 10 years from the last activity in your records, cf. Executive Order on authorised healthcare staff’s patient records.

Telephone recordings from our Healthcare Team are retained for 6 months.

Other personal data not directly relevant to your claim will, in principle, be retained for 5 years.

We either delete or anonymise your data when the period for retention expires.

 

5. Your rights

The GDPR gives you a number of rights that you can exercise by contacting us. But please note that your rights can be limited by other Danish legislation, or can be subject to other, weightier considerations.

To exercise your rights, log in to your profile at Mit DS-Sundhed, which you can find here. You can also contact our data protection team at privacy.gdpr@ds-sundhed.dk.                   

Your rights according to GDPR are:

a. Right of access

You have the right to access to and a copy of the personal data we process on you. But there are certain exceptions. 

b. Right to rectification

You have the right to correct or update outdated or incorrect details we have registered on you.

c. Right to erasure (the right to be forgotten)

You have the right to have your personal data erased before we would normally do so, unless Dansk Sundhedssikring is entitled or legally obliged to continue to retain your data, as a result of the Bookkeeping Act, record-keeping rules or claim/court cases in progress.

d. Right to restrict processing of personal data

You have the right to have the processing of your personal data restricted, unless Dansk Sundhedssikring is entitled or legally obliged to continue to retain your data, as a result of the Bookkeeping Act, record-keeping rules or claim/court cases in progress. If you request restriction of the processing of your personal data, we will always seek to restrict processing as much as possible.

e. Right to object

Your right to object to our processing of your personal data on the basis of weighing of interests according to GDPR art. 6 (1), letter f is described in more detail in item 2.2. of the data protection policy.

f. Right to data portability

You have the right to a copy of the personal data you have given us. The copy must be in a structured, commonly used and machine-readable format. In certain instances, you also have the right to ask us to transmit your data to another Data Controller.

 

6. Security

We protect the confidentiality, integrity and accessibility of your personal data. We have therefore implemented security precautions to ensure that our internal procedures fulfil the security standards and legal requirements laid down. All our personal data are stored and transmitted encrypted, in accordance with the Danish Data Protection Agency’s guidelines. You can also log in with confidence to our customer portal, Mit DS-Sundhed via NemId, where you can see your personal data and communicate with us concerning your cases.

Dansk Sundhedssikring has also compiled and implemented its own internal rules on information security, which include instructions and precautions to protect your personal data against destruction, loss, amendment, unauthorised publication, and against any unauthorised third parties gaining access to or knowledge of them. Our healthcare personnel are subject to statutory confidentiality.

 

7. Questions and complaints

If you have any questions about this data protection policy or want to complain about our processing of your personal data, please contact us at privacy.gdpr@ds-sundhed.dk or contact our DPO, Bech-Bruun, at the above contact details.

You can also complain about Dansk Sundhedssikring’s processing of your personal data direct to the Danish Data Protection Agency, at Carl Jacobsens Vej 35, 2500 Valby. Tel. 33 19 32 00, email: dt@datatilsynet.dk or via their website www.datatilsynet.dk.

 

8. Changes to the data protection policy

This data protection policy does not represent an agreement between Dansk Sundhedssikring and you, but does form the basis for Dansk Sundhedssikring’s duty to inform according to data protection law. We reserve the right to make changes to the data protection policy from time to time, in accordance with the data protection legislation in force at any time. In the event of any changes, the date at the bottom of the data protection policy will be changed. The data protection policy in effect at any time will be available on our website.

 

 

Revision date: 05 July 2021