- The processing of sensitive data is prohibited. Personal data are deemed to be sensitive, if they relate to or are intended to relate to the state of health, illness or handicap of a person or the treatment or other comparable measures directed at the person.
This prohibition does not prevent:
a) processing of data where the data subject has given an express consent;
b) processing of data for purposes of historical, scientific or statistical research;
c) a health care unit or a health care professional from processing data collected in the course of their operations and relating to the state of health, illness or handicap of the data subject or the treatment or other measures directed at the data subject, or other data which are indispensable in the treatment of the data subject;
e) an insurer from processing data collected in the course of its insurance activity and relating to the state of health, illness or handicap of the policyholder/claimant or the treatment or other measures directed at the policyholder/claimant, or data on the criminal act, punishment or other sanction of the policyholder/claimant or the person causing the damage, where necessary for the determination of the liability of the insurer.
- Sensitive data shall be erased from the data file immediately when there no longer is a reason for its processing. The reason and the need for processing shall be re-evaluated at five-year intervals at the longest, unless otherwise provided in an Act or stated in a permission of the Data Protection Board.
- Regardless of secrecy provisions, everyone shall have the right of access, after having supplied sufficient search criteria, to the data on him/her in a personal data file, or to a notice that the file contains no such data. The controller shall at the same time provide the data subject with information on the regular sources of data in the file, on the uses for the data in the file and on the regular destinations of disclosed data. Where an automated decision is involved, the data subject shall also have the right of access to information on the operating principles of the pertinent automatic processing of data.
The controller may charge for the provision of access to the data only if less than one year has passed since the previous instance of providing the data subject with access to data in the file. The charge shall be reasonable and it shall not exceed the immediate costs of providing access to the data.
- There is no right of access:
(1) if providing access to the data could compromise national security, defence or public order or security, or hinder the prevention or investigation of crime;
(2) if providing access to the data would cause serious danger to the health or treatment of the data subject or to the rights of someone else;
(3) if the data in the file are used solely for historical or scientific research or statistical purposes.
If only a part of the data on a data subject falls within the restriction on the right of access provided, the data subject shall have the right of access to the remainder of the data.
- Anyone who wishes to have access to the data on himself/herself shall make a request to this effect to the controller by a personally signed or otherwise comparably verified document or by appearing personally in the premises of the controller.
The controller shall without undue delay reserve the data subject an opportunity to inspect the data or, upon request, provide a hard copy of the data. The data shall be given in an intelligible form. If the controller refuses to provide access to the data, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. A failure by the controller to give a written response to the data subject within three months of the request is deemed equivalent to a refusal to provide access to the data. In this event, the data subject may bring the matter to the attention of the Data Protection Ombudsman.
- Anyone who wishes to have access to the data on himself/herself in the files of the health care authorities and institutions, physicians and dentists or other health care professionals and relating to their state of health or illness, shall make a request to this effect to a physician or another health care professional, who shall then see to the obtainment of the data with the consent of the data subject and provide him/her with access to the entries in the file. The same regulations as mentioned under 5 apply to the procedure in the realisation and refusal of the right of access.
- The controller shall, on its own initiative or at the request of the data subject, without undue delay rectify, erase or supplement personal data contained in its personal data file and erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing. The controller shall also prevent the dissemination of such data, if this could compromise the protection of the privacy of the data subject or his/her rights.
If the controller refuses the request of a data subject for the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. In this event, the data subject may bring the matter to the attention of the Data Protection Ombudsman. The controller shall notify the rectification to the recipients to whom the data have been disclosed and to the source of the erroneous personal data. However, there is no duty of notification if this is impossible or unreasonably difficult.