Recommendations
According the Law on insurance supervision, the scope of personal data that is being collected is in compliance with the purpose of the collection. However, the practice shows that the insurance companies collect the unique personal birth number when signing the insurance policy which clearly shows that the scope of personal data collected is wider than it is prescribed by this law. Processing of the unique personal birth number in this particular situation is base on an Approval from the Directorate for Personal Data Protection but for complete compliance with the Law on Personal Data Protection is recommended this processing to be defined by law.
From the aspect of defining measures for personal data protection, Law on insurance supervision contains separate part – DATA CONFIDENTIALITY which stipulates the scope of personal data that is being collected as well as the periods of keeping the data but it does not define technical and organizational measures. Additional provision for the technical and organizational measures is needed not only for the internal procedures of the insurance companies but as well for the conclusion of agreements with the data Users and sharing data with other subjects (MOI, MLSP etc).