Information on data processing and your rights in relation to the AOK-Bundesverband

AOK, as a provider of solidarity-based health and care insurance, has the task of preserving, restoring or improving the health of its policy holders, as well as providing assistance to those in need of care who rely on solidarity support owing to the level of their need for care.

The benefits and other expenditure are financed by collecting contributions from employers and members.

In order to fulfil these statutory tasks, AOK processes the data required for this purpose. This data is collected from you on the basis of statutory duties of cooperation (see, e.g. Section 60 et seq. SGB I) or on the basis of consent. AOK also receives data from third parties in accordance with the SGB (e.g. from your employer or care providers). Your failure to cooperate could adversely affect you when it comes to the provision of benefits (refusal or withdrawal of benefits).

For health insurance, the legal basis for data processing is Art. 6(1)(e) and (3)(b) and Art. 9(2)(b) and (4) EU-GDPR in conjunction with Section 284 of the German Social Code, Book V (SGB V), and for nursing care insurance it is Section 94 of the German Social Code, Book XI (SGB XI). AOK is also entrusted with tasks under other statutory provisions for which the processing of personal data is necessary.

In particular, this includes:

For the tasks of the health insurance companies

• setting up the insurance contract and membership, including the data required for initiating an insurance contract.
• issuing the electronic health card.
• establishing the obligation to contribute and the contributions, responsibility for the contributions and payment of the contributions.
• assessment of the obligation to pay and provide benefits to the policy holder, including the requirements for benefit restrictions, determination of co-payment status and carrying out of cost reimbursements, reimbursements of contributions and determination of the limit.
• assisting the policy holder in the event of malpractice.
• assumption of treatment costs for individuals not required to have insurance in accordance with Section 264 of SGB V against reimbursement of costs.
• involvement of the Health Insurance Medical Service (Medizinischer Dienst, formerly MDK).
• settlement with care providers, including checking the lawfulness and plausibility of the invoice.
• monitoring of compliance with the contractual and statutory obligations of providers of aid.
• monitoring of the cost-effectiveness of the provision of benefits.
• settlement with other funding agencies.
• settlement of claims for reimbursement or compensation against third parties.
• preparation, agreement and execution of morbidity-orientated remuneration agreements.
• preparation, execution of pilot projects, contracts for integrated forms of care and for the outpatient provision of highly specialised services, including the execution of performance and quality audits.
• implementation of the risk adjustment scheme, as well as the preparation and implementation of structured treatment programmes, including recruiting policy holders to participate in these programmes.
• conclusion and execution of nursing care rate agreements, remuneration agreements and performance and quality agreements.
• consulting on measures for prevention and rehabilitation, and consulting on participation, as well as benefits and help with care.
• coordination of nursing care, care consulting, and fulfilment of duties at care support points.
• performance of discharge and sickness allowance case management.
• acquisition of new members.
• reimbursement of employer’s contributions in the case of illness or maternity.
• combating of misconduct in healthcare (Section 197a SGB V).
• research projects.

For the tasks of the nursing care insurance fund

• Determination of the insurance relationship and membership
• Determination of the contribution obligation and the contributions, who bears them and their payment
• Examination of the obligation to pay benefits and the provision of benefits to insured persons as well as the implementation of claims for reimbursement and compensation.
• Involvement of the medical service.
• Accounting with service providers and reimbursement of costs.
• Monitoring of the efficiency of service provision and accounting and the quality of service provision
• Conclusion and implementation of nursing care rate agreements, remuneration agreements and contracts for integrated care.
• Clarification and information.
• Coordination of nursing care assistance, nursing care counselling, issuing of counselling vouchers as well as the performance of tasks in the nursing care support centres
• Accounting with other service providers
• Statistical purposes
• Support for insured persons when asserting of claims for damages
• Combating misconduct in the health care system (Section 47a German Social Code (SGB) Book XI).
• Research projects

AOK also processes data on the basis of express declarations of consent (Article 6 (1a) EU-GDPR, Article 9 (2a) EU-GDPR in conjunction with Section 67b (2) SGB Book X and supplementary regulations of the SGB), e.g. in connection with the electronic patient file, participation in structured treatment programmes and special forms of care, when making use of care and discharge management and for individual consultation and assistance in the event of incapacity for work in the event of sickness benefit or when processing data on interested parties. Consent is voluntary and can be revoked at any time with effect for the future without affecting the lawfulness of the processing carried out on the basis of the consent until revocation.

The processing of social data is only permissible in Germany or another member state of the European Union or the European Economic Area if the legal requirements specified for this are met. Data processing outside the European Union or the European Economic Area may only take place under the strict conditions of the Social Code and the General Data Protection Regulation, provided that an adequacy decision in accordance with Art. 45 EU-GDPR is available, which confirms an adequate level of protection.

We process the following categories of data:

1. personal data (e.g. address and communication data, date of birth, photo)
2. data on membership and its initiation
3. data on optional tariffs and bonus programmes
4. data of care providers and other contractual partners
5. data of prospective customers, competition participants
6. data from promotions and programmes.
7. data on the insurance contract
8. contribution and payment data
9. benefit, health care and account data, including health information (e.g. diagnoses, periods of inability to work)
10. data on the caregiver
11. data on the legal representative
12. data of employers and their tax consultants

Data is transferred regularly in accordance with the statutory provisions to: providers of pension and accident insurance, the German Federal Employment Agency (Bundesagentur für Arbeit), the Health Insurance Medical Service (Medizinischer Dienst, formerly MDK), care providers, welfare authorities and, in relation to payment transactions, financial institutions, employers and paying agents. Furthermore, data may be transferred only in those individual cases stipulated by law under Section 67d et seq. SGB X (e.g. police authorities, local and municipal administration, tax authorities).

The AOK can have its statutory tasks performed by another social service provider, working groups or by other service providers (in particular processors/Art. 28 EU-GDPR in conjunction with Section 80 SGB X), e.g. IT service providers, file and data carrier shredders, print service providers, billing service providers, producers of the electronic health insurance card (eGK) and providers of digital health services.

AOK may use and process the lawfully collected and stored data of the data subject for other purposes if there is another legal basis for doing so under the SGB or if the data subject has given their express consent for this.

The data is stored while the task(s) are being completed and for the duration of the retention periods prescribed by law (e.g. Section 110a SGB IV, Section 304 SGB V, Section 84 SGB X, Section 107 SGB XI) and is then deleted.

• right of access to processed data (Art. 15 GDPR in conjunction with Section 83 SGB X)
• right to rectification of inaccurate data (Art. 16 GDPR in conjunction with Section 84 SGB X)
• right to erasure (Art. 17 GDPR in conjunction with Section 84 SGB X)
• right to restriction of processing (Art. 18 GDPR in conjunction with Section 84 SGB X)
• right to object (Art. 21 GDPR in conjunction with Section 84 SGB X)
• right to data portability (Art. 20 GDPR)
• In the case of data processing based on consent, you have the right to revoke this consent at any time with future effect.