Information on Personal Data Processing

The controller is the person who determines the purpose and means of personal data processing.

In the case of your personal data that we process, the controller is:

DÔVERA zdravotná poisťovňa, a. s., with registered office at Einsteinova 25, 851 01 Bratislava, Company ID: 35 942 436, registered in the Commercial Register of the the Bratislava III City Court, Section Sa, Insert No. 3627/B (hereinafter referred to as "Dôvera", "we", "us", "our").

Dôvera has an appointed person responsible for personal data protection, whom you can contact any time using the contact details stated in the " Submitting requests to exercise your rights " section.

1. Management of public health insurance

This is our main activity and our authorisation to process your personal data is based directly on specific laws (in particular Act No. 576/2004 Coll., 577/2004 Coll., 578/2004 Coll., 579/2004 Coll., 580/2004 Coll., 581/2004 Coll., 153/2013 Coll., 362/2011 Coll., 363/2011 Coll., 355/2007 Coll., as amended).

In many cases, you or other entities are directly obliged by law to provide personal data to us so that we can manage public health insurance.

If you are a healthcare provider , we process your personal data on the basis of pre-contractual and contractual relationships (including personal data of healthcare professionals); if you are a non-contractual healthcare provider , we process your personal data on the basis of being legally obliged to do so.

If you are also an insurance premium payer (e.g. an employer), we also have a legal obligation to process personal data about insurance premium payers as well as employees for whom insurance premiums are paid.

As part of managing public health insurance , we also process personal data of legal representatives, authorised representatives, persons authorised to act on behalf of legal persons, with obligations in making retrospective claims, or dependent family members.

The EU Digital COVID Certificate is made available by Dôvera as a controller on the basis of a legal obligation in the management of public health insurance, in accordance with the Integration Agreement . In case of incorrect data, please contact the National Health Information Centre.

2. Provision of safe and quality healthcare, especially emergency healthcare

We process personal data for this purpose with your consent or to protect your vital interests if you are unable to grant consent. We disclose selected data about your health to emergency medical services (purpose BL112) so that they can provide you with safe and quality healthcare.

3. Providing quality and effective healthcare for policyholders through our cooperation with participating healthcare providers in the Dôvera Helps project

We process personal data for this purpose with your consent. It is not possible to participate in this programme without your consent, as personal data processing by the participating healthcare providers is a condition for the programme to work.

4. For the purpose of improving the quality of our services as well as documenting the fulfilment of your notification obligations and communication with you for the purpose of public health insurance provided on the basis of specific legislation, we record calls (process voice recordings) if you contact our call centre.

5. For the purposes of submitting, receiving, registering, handling and reviewing complaints and requests in accordance with Act No. 9/2010 Coll. on Complaints, as amended, we process, in addition to identification data, the content of the submission and the data contained therein.

6. For the purposes of handling and registering complaints about anti-social activities , as well as for the fulfilment of other obligations under Act No. 54/2019 Coll. on the Protection of Persons Reporting Anti-Social Activities and amending and supplementing certain Acts, we process, in addition to identification data, the content of the submission and the data contained therein.

7. For the purposes of internal review (Section 3 of the Health Insurers Act) and internal audit , we process, in addition to identification data, the content of the submission and the data contained therein.

8. For the purpose of registering reports of unusual business operations and their handling - As we are an obliged person in accordance with Act No. 297/2008 Coll. on the Prevention of Legalization of Proceeds from Criminal Activities and Terrorist Financing, we are obliged to carry out the identification of the client for the purpose of due diligence in relation to the client, and for this purpose we are also obliged to make copies of official documents (the ID card in particular).

9. For the purpose of fulfilling the employer's obligations related to employment and work performed outside employment and the resulting management of the company's personnel and payroll agenda, including pre-contractual relationships. We process this data on the basis of specific legislation, in particular the Labour Code, or with your consent if you are a job applicant.

10. The fulfilment of rights and obligations in connection with the management of a company as part of the agenda related to the processing of personal data of the members of the company's bodies and persons with direct management authority. We process this data on the basis of specific legislation, in particular the Commercial Code, Act No. 581/2004 Coll. as amended and the Labour Code.

11. For the purpose of managing the legal agenda and litigation
We process your personal data on the basis of specific legislation for the purposes of active litigation, passive litigation, administrative proceedings and enforcement proceedings.

12. Management of accounting records is also an integral part of fulfilling specified legal obligations

In accordance with the Accounting Act or other related legislation, we also process personal data for this purpose.

13. If you are a contractor of ours, a natural person or if we communicate on your behalf with your authorized persons , we process your or their personal data for the purposes of contract performance, including pre-contractual relationships and any exercise and enforcement of our claims against you.

14.For direct marketing purposes (sending you regular newsletters or occasional emails about Dôvera' s services and products and sending you information related to our business and promotions, and sending you information about our contractual partners).

If you enter the competitions we run, apply to us for a grant and we are reviewing your application, run and want to receive the runners' newsletter , donate blood and want to receive the blood donors' newsletter , or for the purpose of processing and publishing your personal data on our website or in our magazine (if you are a winner in a competition or we have supported you with a grant), we process personal data for this purpose as follows:

• on the basis of your consent, or
• on the basis of our legitimate interest in the case of direct marketing, subject to specified conditions.

15. If your personal data is part of registry records (paper or electronic documents), we process them in accordance with Act No. 395/2002 Coll. on Archives and Registries as amended. The disposal, destruction or archiving of these documents is also fully provided for by this Act.

16. For the purposes of ensuring public order, security, detecting crime and security breaches, protecting company property or the health of persons in the monitored premises and controlling physical access within the building and internal areas of Dôvera' s sites, we have a legitimate interest in processing your personal data from CCTV footage or from monitoring your movement around our premises.

17. For the purposes of ensuring the security and operation of information systems (IS) , infrastructure and web services, chatbots and the mobile application and for the development, testing and operation of IS, infrastructure and web services, chatbots and the mobile application, and the entry and resolution of service reports, we process your personal data on the basis of the law, in particular the Cyber Security Act and the Information Technology in Public Administration Act, or we have a legitimate interest in the processing.

18. Cookies and analytics tools

If you visit our website, a so-called cookie may (depending on your browser settings) be stored on your device. We always process cookies with your consent. For detailed information about the processing of cookies visit this address - Cookies .

A cookie is a short text file that is sent to your browser by the websites you visit. It allows websites to remember information about your visit, such as your preferred language and other settings. This makes your next visit to the site easier and more productive. Cookies are important for personalised web browsing.

When you visit our website or our social media profiles, personal data may be processed for statistical and analytical purposes (Meta (Facebook), Instagram, Google). We use this data to personalize the content of the website and the content on Meta (Facebook) and Instagram. We process this data on the basis of your consent - if you have granted it to us for cookies when you visit our website.

Meta (Facebook)

It records, among other things, your IP address and other information when you visit our profile and stores cookies on your device. On the basis of the information collected in this way, Meta (Facebook) provides us with statistical information about the use of our company profile and other related services.

When processing the company profile data for statistical purposes, we act as joint controllers with Meta (Facebook) in accordance with Article 26 of the Regulation . The main points of the joint controllers' agreement are available in the Controller's Addendum .

Meta (Facebook) processes users' personal data on our behalf to measure the performance and impact of our communication campaigns. It provides us with an aggregated (anonymised) overview of users who interact with our communication and marketing content via personal user profiles created on Meta (Facebook).

In such cases, Meta (Facebook) is our processor.

Your personal data:

• is processed by Meta (Facebook) in accordance with the Data Processing Terms and Conditions
• is protected by Meta (Facebook) in accordance with the Data Security Terms and Conditions .

Meta is processing your personal data according to this privacy policy - Meta Privacy Policy - How Meta collects and uses user data | Privacy Center (facebook.com)

You can contact Meta´s (Facebook) data protection officer about your personal data protection at the following address: Contact the data protection officer (DPO) | Facebook .

We use Facebook pixel technology on our website www.dovera.sk . You grant us your consent to use this technology when you visit our website in the customisable selection in our cookie bar under "Targeting cookies".

Google Analytics

Google Analytics (GA) is a web analytics service provided by Google Inc. This service provides aggregated anonymous statistics about visitors to our website. In addition to creating reports on website usage statistics, Google Analytics can be used to display more relevant ads owned by Google and on the web, as well as to measure interactions with the ads displayed.

Hotjar

We use Hotjar on our website, a tool for monitoring and evaluating user behaviour.

You consent to our use of analytics cookies when you visit our website. Cookies can be used to create analytical and statistical reports on website usage and social media profile accounts without identifying specific visitors.

19.Social media

Meta (Facebook) and Instagram

Dôvera has set up its corporate profile onMeta (Facebook) and Instagram. In the "About Us" section on Meta (Facebook), you will find a link to Dôvera' s website and to this information about your personal data processing as part of the operation of this corporate profile.

If you interact with us on social media, please familiarise yourself with the privacy policy of the individual social media operators. Outside the scope of personal data processing through our social media profiles, your personal data is also processed directly by social media operators.

We have no control over this processing and you must exercise the data subject rights you have as a result of using these social media directly with these operators. Further information on personal data processing by social media operators can be found below on the respective social media.

Information on personal data processing by Meta (Facebook) can be found here:  Meta (Facebook) Privacy Policy

Information on personal data processing by Instagram can be found here: Instagram Privacy Policy

Dôvera carries out the following activities on its corporate Meta (Facebook) and Instagram profiles:

a/ direct marketing, promotion, raising awareness of Dôvera, its brand, services or benefits - publishing Dôvera' s own content (it reaches Meta (Facebook) users and statuses are collected in the background directly on Meta (Facebook));

b/ communication with users or visitors to the corporate profile, comments or communication through Messenger (archiving of communication takes place directly on Meta (Facebook)); in the case of Instagram, communication takes place through Direct;

c/ organising and evaluating competitions (in addition to the previous points, competitions are governed by competition terms and conditions, which always contain information on personal data protection);

d/ monitoring and evaluating statistics, monitoring impact and interaction (we monitor and evaluate aggregated statistics, but we are unable to specify users from them - anonymous user statistics);

e/ paid promotion of Meta (Facebook) content, or promotion of unpublished content (however, we are unable to specify users when targeting);

f/ collection of personal data using the Lead Ads format (collection of personal data and identification of users or visitors to the corporate profile, we currently collect first name and surname, phone, email, address), which includes consent to the processing of the data collected in this way;

g/ information on job offers (search for new employees).

Dôvera has set up a profile on YouTube .

Further information on personal data protection can be found here: Google Security Center - Your Internet security

Dôvera has set up a profile on LinkedIn .

LinkedIn uses advertising cookies, which you can change here: Ads unsubscribe

Further information on personal data protection on LinkedIn can be found here: LinkedIn Privacy Policy  

20. Mobile application

Dôvera operates a mobile application for its policyholders. It is available on mobile devices with iOS, Android and HarmonyOS (Huawei) operating systems. You can find the text of this information on personal data processing in the mobile application. The personal data processed in the mobile application is fully subject to the purposes of personal data processing set out above in this section. A similar situation applies to the legal bases for processing and data subject rights.

You can generate and store an EU Digital COVID Certificate on your mobile device in the mobile application. As mentioned above, as part of the purpose of managing public health insurance, the National Health Information Center is responsible for the accuracy of the data and makes these certificates available to the operator at the request of the policyholder. A certificate generated in this way and stored on your device is accessible only to you. The operator does not have access to this certificate.

In addition to the information stated above:

a/ The mobile application allows you to find the nearest pharmacy on a map after logging in. If such a request is made, your mobile device will prompt you to enable your location tracking. However, the operator does not have access to this data, it does not process your location. Your location is processed solely on your mobile device.

b/ The mobile application allows you to take your profile photo through the camera function on your mobile device. However, this photo is not processed by the operator (it is not transferred to its information systems) and is stored solely on your mobile device.

c/ The mobile application also allows you to take a photo of your documents through the camera function on your mobile device for the purpose of claiming policyholder benefits (e.g. the Healthy Teeth benefit). Without enabling the camera function, your mobile device will not allow you to take a photo of these documents. In this case, you will be able to send them to the operator in a different way. Documents proving the provision of treatment or reimbursement are mandatory attachments to the application when claiming a benefit. The data from the application and attachments is processed by the controller for the purposes of managing public health insurance.

d/ Similarly to the camera function, when uploading documents, the mobile application may prompt you to agree to scan the QR code and prompt your mobile device to enable this. Similarly to what we stated above, this approval is required by your mobile device. If you do not enable the function, you will be able to upload the documents and attach them to the application in a different way.

e/ Collection of "unique device token" data to ensure push notifications are sent.

f/ Collection of device operating system version data and installed application version data for the purposes of application diagnostics and troubleshooting.

• Our legitimate interest is personal data processing as part of processing:
  
• voice recordings,
• CCTV footage,
• records of monitoring access to and within our premises,
• litigation agenda and legal agenda,
• internal audit agenda,
• direct marketing, subject to specified conditions,
• satisfaction surveys and the operation of social media profile pages,
• and the disclosure of healthcare provider data on the Healthcare Map,
• disclosure of data on healthcare providers and/or insurance premium payers when registering for the Controller's electronic services to verify the identity of the person being registered,
• and the collection of "unique device token" data to ensure push notifications are sent when using the mobile application,
• collection of device operating system version data and installed application version data for the purposes of application diagnostics and troubleshooting when using the mobile application,
• contact details published by the debtor for the purpose of recovering owed health insurance premiums.

All our contractual partners who process your personal data on our behalf (processors). You can find a list of them here. 

However, recipients also include healthcare providers, public health insurance payers, other health insurers, the Social Insurance Company, contractual partners who help us with incentive schemes for you, bailiffs, the Financial Administration (tax authorities), pension management companies, auditors, the State Archive, law enforcement authorities, the courts, the Healthcare Supervisory Authority, the National Health Information Centre, the Ministries of Health and Finance, the Antimonopoly Office.

Social media operators are also recipients if they are joint controllers or processors.

We restrict the transfer of personal data to third countries outside of the European Union (EU) and European Economic Area (EEA) unless it is necessary for the performance of contracts with selected partners who may be based and/or have data centres in the U.S. or other third countries.

We transfer personal data outside the EU or EEA to the U.S. in line with the requirements of the Regulation, and the transfer is subject to the EU Standard Contractual Clauses for Data Transfers, which our processors take into account as annexes to their contracts and the terms and conditions of use of their services.

The Standard Contractual Clauses are available at the following address: Standard Contractual Clauses for Data Transfers .

When you interact with the electronic communication channels we use, personal data may be transferred to third countries, primarily as part of the use of analytical and statistical services of the operators of the social media on which we have set up a corporate profile.

Transfers of personal data to third countries may also occur when we use cloud services provided by Microsoft.

We send certain selected and contractually specified personal data to the U.S. as part of our quarterly billing for U.S. Steel Košice employees. (Article 49(1)(b) of the Regulation).

We process personal data for as long as we are required to do so by specific laws (in particular Section 16 (7) of the Health Insurers Act) or for as long as it is specified in our registry plan.

If you give us consent, we process it for as long as it is specified in the consent given. We only ever process it for as long as the purpose of processing it lasts. If we have a contract with you, we process it for as long as the contract lasts, or longer if we are exercising legal claims under the contract, for example by legal action.

Right to withdraw your consent

Where the personal data processing is based on your consent, you may withdraw this consent at any time by following the procedures described in the relevant consent form.

We guarantee that consent can be withdrawn in the same way it was given. The withdrawal of consent does not affect the lawfulness of personal data processing based on your consent prior to its withdrawal. In some cases, the withdrawal of consent will result in the inability to use certain services that are based on personal data processing.

Right to rectification

If you suspect that your data processed by us is incorrect, you have the right to ask us to correct or complete your personal data. We regularly try to keep your personal data up to date and we constantly try to keep it accurate, complete, up to date and relevant based on the latest information available to us.

In some cases where we obtain personal data from other entities not managed by us, we have no control over its accuracy and updating (e.g. if you have not complied with your notification obligations to the relevant public authorities or registers, if the law requires you to do so, and by law that entity automatically sends the data to us because the data is considered to be reference data).

Right to restriction of processing

We may restrict the processing of your data if:

a/ you question the accuracy of the personal data, for the period we need to verify the accuracy;

b/ personal data processing is unlawful and you request the restriction of processing instead of deletion of the personal data;

c/ we no longer need the personal data but you require it to demonstrate, exercise or defend your legal claims; or

d/ you object to the processing while we verify the legitimacy of your request.

Right to access

You have the right to ask us to confirm whether we process any of your personal data, including, for example, information about which categories of personal data we process, for what purpose the personal data is used, to whom we transfer it, how long we will keep it, where we obtained it - if not directly from you - or to which recipients or categories of recipients we have disclosed the personal data, or about your rights associated with it.

You can use the contact details provided in the " Submitting requests to exercise your rights " section to make a request.

We will preferably send you confirmation of whether we process your personal data electronically or by post.

We are also obliged to provide you with the personal data we process about you if you request it. Due to its protection and security, we provide personal data by storing it electronically, by sending it by registered post or by handing it to you in person at the head office of the Health Insurance Company or at the branch of your choice, where, depending on the scope, your personal data will be handed over to you with your signature, after verifying your identity, preferably on a data carrier.

We reserve the right to charge a reasonable fee for processing your request. This applies in particular to inadequate and frequently repeated requests or applications that require excessive administrative effort. The fee will be charged at the rate of the administrative costs associated with making copies of the data (e.g. the cost of the data carrier - CD, USB flash drive).

Right of portability

At your request, we will hand over all processed personal data to you in a structured, commonly used and machine-readable format or, if technically possible, we will hand it over to another data controller specified by you. This right can be exercised provided that we process your personal data on the basis of your consent or a contract and only if the processing is carried out by automated means. Please note that the exercise of the right to data portability does not apply to personal data that we process on the basis of law, for example for the purposes of managing public health insurance.

Right to erasure

We will erase your personal data without undue delay if:

a/ the personal data is no longer necessary for the purpose for which it was collected or processed;

b/ you object to the personal data processing for the purposes of our legitimate interests and at the same time there are no legitimate interests of ours overriding yours;

c/ the processing is based on your consent, you withdraw consent, and there is no other legal basis for the processing;

d/ the personal data is processed unlawfully;

e/ its erasure is required to comply with a legal obligation imposed by European Union or Member State law which applies to us;

f/ the personal data collected concerned a person under the age of 16;

and unless the processing was also necessary to comply with a legal obligation or for establishing, exercising or defending legal claims.

Right to object to processing

You may object at any time to your personal data processing on a specific ground, provided that the processing is not based on your consent but on our legitimate interests or the legitimate interests of a third party. In this case, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds overriding your rights and freedoms. If you object to processing, please indicate whether you wish to erase your personal data or restrict processing.

Rights related to automated processing (including profiling)

In connection with processing by automated means, you have the right to ask us at any time for human intervention regarding your personal data processing, i.e. for our authorised employee to review the processing carried out by automated means. At the same time, you can express your opinion on this procedure and object to it at any time.

Right to lodge a complaint

In the event of an alleged breach of the applicable data protection legislation, you may lodge a complaint with the data protection supervisory authority in the country in which you live or in the country where the alleged personal data protection breach occurred. In Slovakia, this authority is the Office for Personal Data Protection of the Slovak Republic.

Time limit for processing your request when exercising your rights

We will always try to process your request within 30 days of receipt. However, the time limit may be extended by further 2 months due to a large number of requests and their complexity. We will inform you of this within 30 days of receipt of your request, together with the reason for the extension. You are also entitled to lodge a complaint with the supervisory authority in this case.

Restriction of the processing of your request

In certain situations, we may not be able to disclose some or all of your personal data to you, in particular because of specific legal provisions or to protect the rights and freedoms of third parties (e.g. if there is other persons' data in the same document). If we refuse your request for access, we will also tell you the reason for the refusal.

Impossible to identify

We suppose that in some cases it will not be possible to find all of your personal data according to the identifiers you have provided in your request. In such cases where we are unable to identify you as the data subject, we are unable to comply with your request unless you provide us with further information enabling us to identify you.

We also have the right to ask you to prove your identity if we have any doubts about your identity. We will inform you of the reasons why we are unable to comply with your request.

Submitting requests to exercise your rights

Please contact our data protection officer:

In writing
DÔVERA zdravotná poisťovňa, a. s.
Einsteinova 25
851 01 Bratislava

By email
[email protected]

Via the Electronic service

When processing personal data, we profile public health insurance payers primarily according to their payment discipline, according to the category of the insurance premium payer and use it to assign the insurance premium payer to a group for the annual premium report in accordance with specific regulations or to send targeted messages regarding reminders or recovery of insurance premiums.

We also use profiling in the case of direct marketing for targeted campaigns and to send notifications.

We also use profiling in the case of our Safe Medicines Online, displaying medication interactions for targeted communication with policyholders.

We do not exclusively use automated decision-making. In some cases (e.g., spa treatment approval), an information system evaluates your request. If some elements of the proposal are not correct, the application is always reviewed by a reviewing doctor.

Sources of personal data

In some cases, we do not collect personal data directly from you, but we may receive your personal data from other entities based on legislation, contracts or your consent.

In particular, the sources of this personal data for us are:

• Your employers,
• Ministry of Interior of the Slovak Republic, which maintains the relevant registers, in particular the population register,
• Other health insurance companies in Slovakia, but also in other Member States, or liaison bodies of other Member States in respect of benefits provided to our policyholders or policyholders from other Member States in Slovakia,
• Healthcare Supervisory Authority,
• Financial Administration of the Slovak Republic
• Ministry of Education of the Slovak Republic,
• Social Insurance Company
• Ministry of Labour, Social Affairs and Family of the Slovak Republic,
• Ministry of Defence of the Slovak Republic,
• Trade licensing authorities
• Prison and Court Guard Service,
• Central Administration of Reference Data (IS CSRÚ)
• Register of Legal Persons
• Trade Journal,
• Self-governing regions,
• Ministry of Health of the Slovak Republic,
• Publicly available registers,
• Law enforcement authorities,
• Courts,
• Other controllers to whom you give your consent, e.g. race organisers, the Red Cross, the Children's Foundation of Slovakia.