Datatilsynet (Denmark) - 2020-31-3840: Difference between revisions
No edit summary |
(→Facts) |
||
Line 55: | Line 55: | ||
=== Facts === | === Facts === | ||
On 3 September 2020, a policyholder lodged a complaint | On 3 September 2020, a policyholder lodged a complaint with the DPA against Tryg Forsikring for infringing of GDPR. The policyholder claimed that the company in violation with GDPR had collected and retained the policyholder´s health information for the period of 10 years, while the consent had been obtained only for five years. | ||
Tryg Forsikring argued that the medical information had been obtained to calculate a compensation to the policyholder in case of claim. The company processed data based on | Tryg Forsikring argued that the medical information had been obtained to calculate a compensation to the policyholder in case of claim. The company processed data based on [[Article 9 GDPR#2|Article 9(2) GDPR]], i.e. processing is necessary for the establishment, exercise or defence of legal claims. Moreover, the company referred to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a legal basis for processing of the policyholder´s data (performance of a contract). Hence, a consent is not relevant in this case. | ||
=== Holding === | === Holding === | ||
The DPA concluded that Tryg Forsikring processed the complainant´s health information in accordance with data protection rules. More specifically, the medical records were obtained to determine a possible claim for compensation under the insurance agreement between the complainant as a policyholder and the company. Thus, | The DPA concluded that Tryg Forsikring processed the complainant´s health information in accordance with data protection rules. More specifically, the medical records were obtained to determine a possible claim for compensation under the insurance agreement between the complainant as a policyholder and the company. Thus, Tryg Forsikring lawfully processed the complainant´s health information as it falls within the exception provided in [[Article 9 GDPR#2|Article 9(2) GDPR]]. | ||
Furthermore, the DPA found that processing of the complainant´s health information took place based on the legal ground set out in [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], e.g. the processing was necessary for the performance of the insurance contract to which the complainant is a party. | |||
== Comment == | == Comment == | ||
''Share your comments here!'' | ''Share your comments here!'' |
Revision as of 11:32, 19 January 2022
Datatilsynet (Denmark) - 2020-31-3840 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 6(1)(b) GDPR Article 9(2)(f) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | |
Published: | 08.12.2021 |
Fine: | None |
Parties: | Tryg Forsikring A/S |
National Case Number/Name: | 2020-31-3840 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Danish |
Original Source: | Datatilsynet (in DA) |
Initial Contributor: | Tetyana Porokhonko |
The Danish DPA found that Tryg Forsikring A/S had lawfully collected a policyholder's medical information under one of the exceptions listed in Article 9(2) GDPR. The processing was based on the legal basis set out in Article 6(1)(b) GDPR.
English Summary
Facts
On 3 September 2020, a policyholder lodged a complaint with the DPA against Tryg Forsikring for infringing of GDPR. The policyholder claimed that the company in violation with GDPR had collected and retained the policyholder´s health information for the period of 10 years, while the consent had been obtained only for five years.
Tryg Forsikring argued that the medical information had been obtained to calculate a compensation to the policyholder in case of claim. The company processed data based on Article 9(2) GDPR, i.e. processing is necessary for the establishment, exercise or defence of legal claims. Moreover, the company referred to Article 6(1)(b) GDPR as a legal basis for processing of the policyholder´s data (performance of a contract). Hence, a consent is not relevant in this case.
Holding
The DPA concluded that Tryg Forsikring processed the complainant´s health information in accordance with data protection rules. More specifically, the medical records were obtained to determine a possible claim for compensation under the insurance agreement between the complainant as a policyholder and the company. Thus, Tryg Forsikring lawfully processed the complainant´s health information as it falls within the exception provided in Article 9(2) GDPR.
Furthermore, the DPA found that processing of the complainant´s health information took place based on the legal ground set out in Article 6(1)(b) GDPR, e.g. the processing was necessary for the performance of the insurance contract to which the complainant is a party.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Tryg Forsikring meets the requirements within the data protection rules Date: 08-12-2021 Decision The Danish Data Protection Agency has assessed that Tryg Forsikring A / S ’collection of health information about a policyholder (complaints) had taken place within the data protection rules. The Authority has further found that the complainant's consent was not a consent covered by the GDPR. Journal number: 2020-31-3840. The Danish Data Protection Agency hereby returns to the case, where on 3 September 2020 you complained about Tryg Forsikring A / S ’processing of information about you. The Danish Data Protection Agency has understood your inquiry as a complaint that Tryg Forsikring A / S has collected information about you in the form of medical records 10 years ago, even though you had only given consent for the company to collect information for a period of up to 5 years prior. for the time of injury. Summary The Danish Data Protection Agency has made a decision in a case where a citizen [complainant] has complained that Tryg Forsikring - for the purpose of assessing a claim for compensation made by complainants - had obtained information about him in the form of medical records. The Danish Data Protection Agency found that Tryg Forsikring's collection of health information about complaints had taken place in accordance with the data protection rules. The Danish Data Protection Agency emphasized that Tryg Forsikring's collection of information about complaints took place with the purpose of determining whether the complainants were entitled to compensation in accordance with the insurance conditions that applied to the insurance contract. The Authority further emphasized that the collection of the information took place with a view to fulfilling the agreement between Tryg Forsikring and the policyholder in order to determine a possible claim for payment in accordance with the insurance agreement. The Danish Data Protection Agency also found no basis for overriding Tryg Forsikring's assessment that they had collected the information that was necessary for them as an insurance company to process the reported damage. Finally, the Danish Data Protection Agency noted that the consent which the complainants in the case had given to Tryg Forsikring was not a consent under data protection law covered by the rules of the Data Protection Ordinance. Decision After a review of the case, the Danish Data Protection Agency finds that Tryg Forsikring A / S ’processing of information about you has taken place within the framework of the rules in the Data Protection Ordinance [1], cf. Article 9 (1). And Article 6 (2). 1. Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision. 2. Case presentation It appears from the case that you have reported a claim to Tryg Forsikring A / S, where you are insured. On 30 May 2020, you signed a declaration that Tryg Forsikring A / S in connection with the processing of your claims case had to obtain and pass on the information that was necessary for the company's assessment of your case. The consent included information for a period of up to 5 years prior to the time of the injury or the time of the onset of the illness and up to the time when Tryg Forsikring A / S had taken a position on your case. 2.1. Your comments You have stated that you have only given consent for Tryg Forsikring A / S to obtain information about you, including health information, for a period of five years prior to the time of the injury, and that Tryg Forsikring A / S has nevertheless collected information about you who go back 10 years. You have further stated that it must be considered unnecessary that Tryg Forsikring A / S has collected information about you that goes back 10 years. In this connection, you have referred to the fact that the Data Protection Regulation and the Data Protection Act state that no more information may be obtained about the individual than is relevant and sufficient for the fulfillment of the objective purposes for which the information is obtained. 2.2. Tryg Forsikring A / S ’comments Tryg Forsikring A / S has stated that Tryg Forsikring A / S has obtained information about you from your doctor in order to assess whether the damage reported by you is covered by the insurance's conditions, and whether compensation must be paid for a permanent injury, including the size of a possible permanent injury. The information that Tryg Forsikring A / S has collected about you consists of health information in the form of a medical record 5 years prior to the time of injury, as well as a functional certificate which contains information about current genes and any genes 10 years prior to the time of injury. The medical information is necessary for Tryg to calculate the claim for compensation from you. The collection of information has taken place on the basis of the legal requirement rule in Article 9 (1) of the Data Protection Regulation. Article 6 (2) (f) 1, letter b) for policyholders and letter f) for insured persons under the insurance. Tryg Forsikring A / S has further noted that the consent obtained in the case does not constitute the processing authority for Tryg Forsikring A / S 'processing of personal data for use in the compensation statement. Finally, Tryg Forsikring A / S has stated that the collection of information about you has taken place in accordance with the basic principles for the processing of personal data in Article 5 of the Data Protection Ordinance. Tryg Forsikring A / S has hereby emphasized that the collection of information is necessary for , that Tryg as an insurance company can treat your reported damage. Information about your health history helps to determine whether you are entitled to compensation in accordance with the insurance conditions that apply to the insurance contract. Here it is i.a. decisive whether the reported damage is due to consequences of pre-existing or present injuries / diseases. Justification for the Danish Data Protection Agency's decision The Danish Data Protection Agency assumes that you have taken out insurance with Tryg Forsikring A / S, and that the information in the case concerns Tryg Forsikring A / S 'treatment of a reported damage. Pursuant to Article 9 (1) of the Data Protection Regulation 1, there is in principle a ban on the processing of health information. However, the prohibition shall not apply if one of the exceptions in Article 9 (1) 2 shall apply. It is clear from Article 9 (1) 2, letter f, that the prohibition on processing does not apply if the processing is necessary for legal claims to be established, asserted or defended. When processing information covered by Article 9 (1) There must also be a legal basis for the processing in Article 6 (1) of the Data Protection Regulation. It follows from Article 6 (1) of the Data Protection Regulation 1, letter b, that personal data may be lawfully processed if the processing is necessary for the fulfillment of a contract to which the data subject is a party. The Danish Data Protection Agency finds that Tryg Forsikring A / S ’processing of your health information is covered by the exception to the prohibition in Article 9 (1) of the Data Protection Ordinance. 2, letter f. The Danish Data Protection Agency has hereby emphasized that Tryg Forsikring A / S collected information about you from your doctor for the purpose of determining whether you are entitled to compensation in accordance with the insurance conditions that apply to the insurance agreement. Furthermore, the Danish Data Protection Agency finds that the processing could take place on the basis of Article 6 (1) of the Data Protection Regulation. 1, letter b. The Danish Data Protection Agency has hereby emphasized that the said information was obtained with a view to fulfilling the agreement with you as the policyholder in order to determine a possible claim for payment in accordance with the insurance agreement. Against this background, the Danish Data Protection Agency finds that Tryg Forsikring A / S ’processing of your health information took place in accordance with Article 9 (1) of the Data Protection Ordinance. Article 2 (2) (f) and Article 6 (2) 1, letter b. The Danish Data Protection Agency also finds that there is no basis for overriding what Tryg Forsikring A / S stated that Tryg Forsikring A / S has collected the information about you that is necessary for Tryg Forsikring A / S, as an insurance company, can process your reported damage in accordance with Article 5 (1) of the Data Protection Regulation. 1, letter c. (Principle of data minimization). The Danish Data Protection Agency presupposes that Tryg Forsikring A / S, in fulfilling its duty to provide information pursuant to Articles 13 and 14 of the Data Protection Ordinance, has stated the grounds on which Tryg Forsikring A / S bases its processing in connection with the assessment of a reported damage, and that It appears that the processing of personal data is carried out on the basis of Article 6 (1) of the Data Protection Regulation. 1, letter b, and 9, para. 2, letter f. It is noted that the consent given in the statement in question for use in Tryg Forsikring A / S 'collection of health information about you is not a data protection law consent covered by the rules of the Data Protection Ordinance and does not form the basis for processing information in connection with your reported damage. [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).