Legal analysis of the law
- Title of the law and Official Gazette number (last change or modification)?
Law on Insurance Supervision – (“Official Gazette of the Republic of Macedonia” no.27/2002, 98/2002, 79/2007; 88/2008; 67/2010; 44/2011; 112/2011; 188/2013; 30/2014, 43/2014 and 112/2014)
- Does the Law envisage processing of personal data and in what type of Collection (Evidence, Register, Database)?
The law envisages the processing of personal data in the following formats:
Databases of the insured;
Databases of the incurred damages;
Databases for estimation of the insurance security and the level of damage.
- What is the purpose of collecting personal data? Is that purpose clear?
Carrying out activities related to insurance in general.
- What categories of personal data are collected? Is the scope in compliance with the purpose?
Register of insured – name and surname, date and place of birth, permanent or temporary address, name of the insurance company, number of insurance policy, duration of the insurance, insured case and insurance security.
According the Law on insurance supervision, the scope of personal data that is being collected is in compliance with the purpose of the collection. However, the practice shows that the insurance companies collect the unique personal birth number when signing the insurance policy which clearly shows that the scope of personal data collected is wider than it is prescribed by this law. Processing of the unique personal birth number in this particular situation is base on an Approval from the Directorate for Personal Data Protection but for complete compliance with the Law on Personal Data Protection is recommended this processing to be defined by law.
Databases of the incurred damages – name and surname, date and place of birth, permanent or temporary address and PIN of the persons involved in the incurred damage as well as the same data for the witnesses.
- Who collects the personal data at first instance? (company, institution)
Insurance brokerage companies;
National Insurance Bureau.
- Is the Consent of the data subject for personal data protection envisaged by this law?
No. For the cases when the data should be given to the National Insurance Bureau for analyses, the Consent of the data subject should be stipulated by law.
- Is the keeping period of personal data clearly defined?
Yes. Article 109 envisages that data shall be kept for a period up to ten years after the expiry of the insurance contract, or in case of damage occurrence, ten years after closing the case. The data shall be kept ten years after closing the case upon the incurred damage. After the expiry of the abovementioned period, the data from the databases referred shall be obliterated.
- Does the law contain separate provision for personal data protection that clearly states the implementation of technical and organizational measures?
From the aspect of defining measures for personal data protection, Law on insurance supervision contains separate part – DATA CONFIDENTIALITY which stipulates the scope of personal data that is being collected as well as the periods of keeping the data but it does not define technical and organizational measures.
Additional provision for the technical and organizational measures is needed not only for the internal procedures of the insurance companies but as well for the conclusion of agreements with the data Users and sharing data with other subjects (MOI, MLSP etc).
- Is the processing of personal data prescribed by this law connected to implementation of another law?
Law on Compulsory Traffic Insurance.
- Are there any exceptions for processing of sensitive data? (PIN, biometrics, video surveillance)
- Is there an opinion issued by the DPDP regarding this law and is that opinion taken into consideration?
DPDP has issued Approval for processing of PIN, Analyses of the state of play in the insurance sector based on performed inspections, Opinion on the keeping periods and sharing personal data with the brokerage companies.