APD/GBA (Belgium) - 109/2024: Difference between revisions
Revision as of 14:38, 4 November 2024
| APD/GBA - 109/2024 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 4(11) GDPR, Article 9(2) GDPR, Article 12 GDPR, Article 13 GDPR, Article 16 GDPR, Article 22 GDPR, Article 24 GDPR, Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 29.08.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 109/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | APD/GBA (Belgium) (in NL) |
| Initial Contributor: | wp |
The DPA found there was no freely given consent when a data subject was faced with negative consequences of not giving the consent.
English Summary
Facts
A data subject received a mortgage offer from a company, which included an interest rate discount. However, to keep the discount, the data subject was obliged to take out debt balance insurance offered by a broker (the controller).
While taking out the insurance, the data subject had to give consent for processing health data. According to the data subject, the consent covered not only the insurance offer at stake, but also other purposes, for example, claims processing, fraud prevention, development of pricing, automated decision making. The data subject asked the controller to rephrase the consent, so that it was more specific. However, the controller did not agree.
Since the data subject did not want to lose the discounted interest rate, they eventually gave the consent for processing their health data.
Afterwards, the data subject sent the controller an email in which they:
- withdrew the consent regarding health data processing and automated decision making process;
- requested restriction of data processing until the legal basis of processing was clarified;
- requested correction of signed documents.
The controller answered the requests and provided the data subject with a copy of their data.
The data subject filed a complaint with the Belgian DPA (APD/GBA).
Holding
The DPA upheld the complaint.
First, the DPA found that the controller had failed to obtain valid consent for the data processing: the consent was not valid because the data subject would have faced negative consequences if they had not given it. Thus, the controller violated Articles 4(11) and 9(2) GDPR.
According to the DPA, the controller did not violate Articles 22 and 24 GDPR with regard to the automated decision-making process based on health data. The investigation showed that the controller based that processing on explicit consent. Moreover, the appropriate measures required under Article 22(4) GDPR had been introduced, for example mandatory human intervention in the decisions made.
Furthermore, the DPA found no violation of Articles 12, 13, 16 and 32 GDPR, contrary to what the data subject argued.
Even though the controller violated the GDPR, the DPA decided not to issue a fine.
Comment
The DPA expressed concern over the lack of a specific legal basis in Belgian law for processing health data in the context of insurance contracts.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dispute resolution
Decision on the merits 109/2024 of 29 August 2024
File number: DOS-2022-03909
Subject: Processing of personal data in the context of mortgage protection insurance

The Dispute Resolution of the Data Protection Authority, composed of Mr Hielke HIJMANS, chairman, and Mr Dirk Van Der Kelen and Mr Christophe Boeraeve, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as “WOG”;
Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;
Having regard to the documents in the file;
Has taken the following decision regarding:
Complainant: Mr X, hereinafter referred to as “the complainant”; and
Defendant: Y, represented by Mr Heidi Waem and Mr Simon Verschaeve, both with offices at 1000 Brussels, Wolstraat 70, hereinafter referred to as “the defendant”.

I. Facts and procedure
1. On 19 September 2022, the complainant lodged a complaint with the Data Protection Authority against the defendant.
2. The complaint concerns the following facts. In December 2021, the complainant obtained a credit offer from the defendant in connection with the purchase of a home. The credit offer provides for a conditional interest rate discount, one of the conditions of which is to take out a credit-linked life insurance policy with the defendant for the amount of the credit. If no mortgage insurance is taken out with the defendant, the interest rate discount will lapse.
The complainant states that when applying for the mortgage insurance policy through a broker in March 2022, it emerged that the signing of a consent for the processing of health data is necessary. However, according to the complainant, this consent would not only apply to the medical acceptance for the mortgage insurance in question, but to all processing of health data, such as claims handling, elaboration of pricing, refining of accession and coverage conditions, and detecting and preventing fraud. The complainant adds that this is also linked to consent for automated decision-making based on health data. On 9 March 2022, the complainant receives a response from the insurance broker regarding the consent for the processing of health data. This indicates that it is impossible for the defendant to work with a more specific consent. The complainant states that, nevertheless, only a mortgage insurance is being requested. The complainant notes that the defendant's website prevents the questionnaire from being completed if consent is not granted. Given the risk of missing out on the interest discount, the complainant agrees to the consent document and completes the medical questionnaire on the website. Subsequently, a summary document is obtained that must be signed via the website. However, according to the complainant, this summary document does not contain the same information as what was available in the questionnaire input screens. On 18 July 2022, the complainant exercises his rights by e-mail, partially withdrawing his consent, also requests a restriction of the processing pending clarification of the legal basis, withdraws his consent for automated decision-making, and finally requests a correction of the signed document and adequate integrity protection of the signed document. The complainant receives a copy of his personal data from the respondent on 12 August 2022. 
On the same date, the complainant receives the respondent's response to the other elements of the request.
3. On 21 October 2022, the complaint is declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint is transferred to the Dispute Chamber on the basis of Article 62, § 1 WOG.
4. On 17 November 2022, in accordance with Article 96, § 1 WOG, the request of the Dispute Chamber to conduct an investigation is transferred to the Inspection Service, together with the complaint and the inventory of the documents.
5. On 3 March 2023, the investigation by the Inspection Service is completed, the report is added to the file and the file is transferred by the Inspector General to the Chairman of the Dispute Chamber (Article 91, § 1 and § 2 WOG). The report contains findings regarding the subject matter of the complaint and concludes that:
1. there is no infringement in general of Article 5 GDPR, Article 24.1 GDPR and Articles 25.1 and 25.2 GDPR;
2. there is an infringement of Article 4, 11) GDPR, Article 7.1 and 7.3 GDPR and Article 9.2.a) GDPR for the processing of health data;
3. there is an infringement of Article 22.4 GDPR, Article 24.1 GDPR and Article 25.1 GDPR due to the use of automated individual decision-making for health data; and
4. there is a breach of Article 12.1 GDPR, Article 13.1 and 13.2 GDPR, Article 24.1 GDPR and Article 25.1 GDPR with regard to the general privacy statement for customers in the broad sense.
The report also contains findings that go beyond the subject of the complaint. The Inspection Service determines, in broad terms, that there is no breach of Article 38.1 GDPR and Article 39 GDPR.
6. On 22 March 2023, the Dispute Resolution Chamber decides on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for consideration on the merits.
7. On 22 March 2023, the parties concerned will be notified by registered mail of the provisions as stated in Article 95, § 2, as well as those in Article 98 of the WOG. They will also be notified of the deadlines for submitting their defences on the basis of Article 99 of the WOG. As regards the findings relating to the subject matter of the complaint, the deadline for receipt of the defendant’s response was set at 5 May 2023, that for the complainant’s response was set at 26 May 2023 and finally that for the defendant’s response was set at 16 June 2023. As regards findings going beyond the subject matter of the complaint, the deadline for receipt of the defendant’s response was set at 5 May 2023.
8. On 23 March 2023, the complainant electronically accepts all communications concerning the case.
9. On 23 March 2023, the defendant electronically accepts all communication regarding the case and indicates that she wishes to make use of the opportunity to be heard, in accordance with Article 98 WOG.
10. On 3 May 2023, the Dispute Chamber receives the conclusion of the response from the defendant regarding the findings regarding the subject of the complaint. In the main, the defendant argues that the procedure and the manner in which it is conducted by the Dispute Chamber and the Inspection Service violate the principles of good governance. In the subordinate order, the defendant argues that she has respected the GDPR when processing health data on the basis of explicit consent. This conclusion also contains the defendant's response regarding the findings made by the Inspection Service outside the scope of the complaint.
11. On 24 April 2023, the Dispute Chamber receives the conclusion of the reply from the complainant for the findings regarding the subject of the complaint.
The complainant requests the Dispute Chamber to deal with the complaint in its entirety, including the alleged infringements concerning the accuracy of data, the right to rectification and the integrity of data, although these alleged infringements are not included in the inspection report. In response to the defendant's main pleas, the complainant raises the following: so that, despite any alleged infringements of the principles of public administration raised by the defendant, the Dispute Chamber can rely on the complaint and all the elements contained therein for its assessment of the case. In response to the defendant's subordinate pleas, the complainant argues that the conditions regarding explicit consent for the processing of health data have not been met. Furthermore, the complainant argues that he considers the infringement of automated decision-making based on health data in the original complaint and the Inspection Report to be sufficiently proven. In addition, the complainant denounces the lack of clarity regarding the basis for the processing of health data and the role of consent. Finally, the complainant also establishes that there are infringements of the accuracy of the processed personal data and the integrity and confidentiality.
12. On 13 June 2023, the Dispute Chamber receives the defendant's reply with regard to the findings relating to the subject matter of the complaint, in which it reiterates its positions in its reply.
13. On 22 April 2024, the parties are informed that the hearing will take place on 3 June 2024.
14. On 3 June 2024, the parties are heard by the Dispute Chamber.
15. On 12 June 2024, the minutes of the hearing are submitted to the parties.
16. On 5 June 2024, the defendant was granted an additional period to take a position on the following points from the complaint:
a) Possible infringement of Article 5.1.d) GDPR and Article 16 GDPR due to the processing of incorrect data and the failure to comply with the right to rectify this data, as the unmentioned conditions are not reflected in the document to be signed and the defendant did not respond to the complainant's request to correct this.
b) Possible infringement of Article 5.1.f) GDPR and Article 32 GDPR due to the failure to adequately guarantee the integrity of the data provided by the use of a digital signature based on public key cryptography.
17. The deadline for receipt of the defendant's conclusion of reply regarding the above points is set at 28 June 2024.
18. On 14 June 2024, the Dispute Chamber receives from the complainant some comments regarding the report, which it decides to include in its deliberations.
19. On 18 June 2024, the Dispute Chamber receives from the defendant some comments regarding the report, which it decides to include in its deliberations.
20. On 28 June 2024, the Dispute Chamber receives from the defendant the conclusions regarding the points described in paragraph 16. The defendant reiterates its arguments from its rejoinder and adds that it complies with the requirements regarding accuracy and has given adequate response to the exercise of the complainant's right to rectification (Article 5.1.d) GDPR and Article 16 GDPR) and that it has taken appropriate security measures when processing personal data in the context of concluding the mortgage insurance, which means that there is no infringement of Article 5, paragraph 1, f) GDPR and Article 32 GDPR.

II. Reasons
II.1. Principles of good governance
21. First, the defendant argues that the Inspectorate has violated the principles of good governance, in particular the principle of motivation, the principle of due care, the principle of reasonableness, the principle of proportionality, the principle of impartiality and its rights of defence.
22. The defendant argues that, on the basis of the principle of motivation, it is necessary that the allegations contain at least a minimum of motivation in order to understand the full sequence of the allegations so that it would be able to defend itself properly.
23. According to the defendant, the manner in which the inspection report was drawn up violates the principle of due care because the Inspectorate has used its investigative powers disproportionately. Furthermore, the Inspection Service is required to draw up the inspection report with due care so that it is clear to the defendant which infringements are or are not included.
24. In addition, according to the defendant, the principle of reasonableness and the principle of proportionality have also been violated because the findings included in the inspection report are not in proportion to the relevant facts and the subject of the complaint.
25. Finally, the defendant argues that the principle of impartiality has also been violated because the Inspection Service did not conduct an investigation for discharge, but on the other hand clearly and a priori assumed the defendant's guilt.
26. According to the defendant, the Dispute Chamber also violated the principles of good governance, including the principle of due care, by deciding that the inspection report, which allegedly conflicts with the principles of good governance, allows the case to be dealt with on the merits and justifies proceedings on the merits.
27. The defendant is led to state that the rights of defence have been violated.
28. In this regard, the Dispute Chamber points out that the procedural guarantees must be fully complied with and, if there was any possibility that the defendant had been harmed by the manner in which the inspection report was drawn up, this harm was completely remedied in the subsequent proceedings, so that there can be no question of any violation of the principles of good governance. The procedural elements put forward by the defendant do not result in the rights of the defence being infringed, since the defendant was given the opportunity to fully present its arguments by means of the reply and rejoinder; moreover, the defendant was able to fully exercise its right to challenge the proceedings during the hearing of the Litigation Chamber. The defendant did not therefore suffer any disadvantage and the rights of the defence were thus indeed respected.

II.2. Lawfulness of the processing
II.2.1. Determination of the Inspection Service
29. The Inspection Service notes in its inspection report that the defendant relies on the explicit consent as a legal basis for the processing of health data in the context of concluding a mortgage insurance. However, the Inspection Service concludes that the lawfulness of the processing at issue has not been met because there is a violation of Article 4, 11) GDPR, Article 7.1 and 7.3 GDPR and Article 9.2.a) GDPR.
30. According to the Inspection Service, the consent requested by the defendant from the complainant via the “consent to processing health data” form is not freely given and specific, since the form applies to various processing purposes, but data subjects can only give consent for all of these processing purposes in their entirety. Consequently, the Inspection Service finds that the consent requested via the aforementioned form is not freely given and specific, which means that the consent is not legally valid.
Finally, the Inspection Service concludes on the basis of its investigation that withdrawing the consent given is not as easy as giving it, since such withdrawal requires the person concerned to read the privacy statement in advance, which indicates how the withdrawal should be carried out.

II.2.2. Position of the complainant
31. In his reply, the complainant argues that the consent given is not specific and not freely given. As regards the lack of specific consent, the complainant argues that the defendant lists various purposes, such as developing correct pricing, efficient cost management and refining access and coverage conditions. She argues that these purposes are inextricably linked to each other. The complainant disputes this and argues that it is a question of vaguely formulated purposes that do not specifically relate to the insurance contract in question. According to the complainant, these are general activities that an insurer can perform in its business operations, but which are not necessary to use, possibly on a large scale, all health data in its possession. The complainant argues that the defendant can also rely on other elements such as a subset of personal data (i.e. of data subjects who have given specific consent), other statistical data sources (such as public mortality statistics) or scientific research.
32. The complainant adds that even if all these purposes were inextricably linked, quod non, this connection cannot provide grounds for bundling consent for all insurance contracts. The consent is consequently not specific.
33. The complainant asks why the defendant, prior to completing the medical questionnaire for the mortgage insurance, did not ask a short consent question specifically for the mortgage insurance in question and with the necessary divisions for the different purposes. This method also offers the defendant the opportunity to point out to the person concerned that already known health data can also be used in the risk assessment.
34. As regards the free nature of the consent, the complainant points out that there is a definite disadvantage associated with refusing consent, which goes beyond merely not being able to obtain insurance. The complainant also denounces that, by bundling consent for different purposes into one consent, this consent was not freely obtained.
35. As regards the legal basis for processing health data, within the context of medical acceptance for mortgage insurance, the complainant requests the Dispute Chamber to take a position on the legal basis, namely whether there is a sufficiently specific legal basis for the processing or whether consent is the applicable legal basis. The complainant states that any imperfections in the legislation relating to the processing of health data within the context of medical acceptance for mortgage insurance cannot be blamed on the defendant. However, according to the complainant, this does not alter the fact that the defendant must correctly determine the legal basis and if it still relies on explicit consent as a legal basis, consent must be requested in a valid manner.

II.2.3. Position of the defendant
36. In its conclusions, the defendant argues that it has respected the GDPR when processing health data on the basis of explicit consent. She argues that explicit consent is freely given and specific and that withdrawing it is as easy as giving it.
37. As regards the specific nature of explicit consent, the defendant argues that the applicable legal framework for (life) insurance has the consequence that the processing activities or ‘sub-purposes’ set out by the defendant in the consent form, which the Inspectorate considers to be separate purposes, are intrinsically linked to one more general purpose, namely the correct fulfilment of the role of the insurer in offering and executing insurance contracts. Splitting the purpose of the processing would either lead to the defendant no longer being able to apply or comply with the legal principles, or would give the data subject the wrong impression that he or she actually has a choice to consent or not on a granular basis per processing activity or ‘sub-purpose’, which would be contrary to Article 5.1.a) GDPR, which states that “personal data must be processed lawfully, fairly and transparently in relation to the data subject”. Since the processing of the complainant’s health data took place for only one general purpose, the explicit consent that the defendant obtained is indeed specific, in accordance with the conditions that the GDPR imposes on the processing of personal data on the basis of consent.
38. As regards the free nature of explicit consent, the defendant points out that the legal framework for insurance implies that the processing of health data in question is not ‘unnecessary’ for the correct fulfilment of the role of the insurer in offering and executing insurance contracts, but on the contrary should be regarded as an essential element. The finding that the defendant makes consent a condition for concluding mortgage insurance does not lead to the conclusion that there is no ‘free’ expression of will by the person concerned and that the consent is therefore invalid by definition. In this context, the defendant points out that explicit consent is used as an exception under Article 9.2.a) GDPR for the processing of special categories of personal data that are necessary for the performance of the contract within the meaning of Article 6.1.b) GDPR. This constitutes a specific issue, particularly in Belgium and particularly for insurance companies. The defendant points out that consent as the only exception under Article 9.2 of the GDPR may apply in the absence of a national legislative framework. This is in contrast to other EU countries such as the Netherlands, Spain, Ireland (and the United Kingdom) where a legal framework has been created for the processing of sensitive personal data by insurers. In this context, the defendant refers to legislative initiatives from the insurance sector with the aim of obtaining such a legislative framework, to date without success.

II.2.4. Assessment by the Dispute Resolution Chamber
39. The question arises whether the defendant can validly rely on the explicit consent for the processing of personal data in the context of concluding a mortgage insurance policy.
40. Article 5.1.a) of the GDPR requires that personal data “be processed lawfully, fairly and transparently in relation to the data subject (“lawfulness, fairness and transparency”).” The principle of lawfulness is one of the main principles of the GDPR and is a prerequisite for the application of the other principles of the GDPR with regard to the processing of personal data.
41. It is up to the controller to determine which legal basis is appropriate in relation to the purpose of the processing. Since different consequences result from one or the other legal basis, in particular with regard to the rights of the data subjects, the controller is not allowed to rely on one or the other legal basis, depending on the circumstances. Once a particular legal basis has been chosen, another legal basis cannot be chosen at a later stage.
Nor can it be relied upon to use another legal basis for the same processing activity, for the same purposes, when the chosen legal basis ceases to apply.[2]
42. Under Article 9.1 GDPR, the processing of health data is in principle prohibited. In the event that processing of categories of special personal data takes place in accordance with Article 9.1 GDPR, the controller must indicate a legal basis in accordance with Article 6 GDPR and an exception under Article 9.2 GDPR in order to be able to speak of a lawful processing. This combination of legal grounds under Article 6 and 9.2 GDPR stems from, among other things, the Meta judgment (C-252/21) of the Court of Justice[3] in which the Court expressly ruled that the processing of sensitive personal data is only permitted if such processing can be regarded as lawful under Article 6.1 GDPR. Opinion 2/2019 of the European Data Protection Board (hereinafter “EDPB”)[4] and Opinion 06/2014 of the Article 29 Data Protection Working Party[5] also refer consistently to the application of both Article 6 GDPR and Article 9 GDPR in the case of processing a category of special personal data. Recital 51 GDPR finally clearly indicates that Article 6 GDPR must always be applied.
43. No applicable legal basis can be found in national legislation either. Neither the Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data,[6] nor the Act of 4 April 2014 on insurance,[7] nor any national law contains a processing ground on the basis of which health data in the context of entering into insurance contracts are processed. Consequently, the defendant must find a legal basis in the GDPR.

Footnotes:
[1] See also decision 77/2023, §74, of the Dispute Resolution Chamber.
[2] See, for example, decisions 38/2021, 54/2023 and 77/2023 of the Litigation Chamber.
[3] CJEU Judgment of 4 July 2023, Meta, C-252/21, ECLI:EU:C:2023:537, para. 90.
[4] Opinion 2/2019 (EDPB) on the questions and answers on the interaction between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (Article 70(1)(b)) of 23 January 2019.
[5] Opinion 06/2014 (WP 29) on the concept of “legitimate interest of the controller” in Article 7 of Directive 95/46/EC.
[6] BS 5 September 2018.
[7] BS 30 April 2014.

44. The EDPB Guidelines 05/2020[8] state that Article 9.2 GDPR does not provide for the necessity of the performance of the contract as an exception to the general prohibition of processing in Article 9.1 GDPR. In this context, the controller must investigate whether one of the specific exceptions in Article 9.2(b) to j) could apply to such a situation. If none of the exceptions in subparagraphs b - j apply, obtaining explicit consent in accordance with the conditions for valid consent laid down in the GDPR is the only possible legal exception on the basis of which the controller could process personal data belonging to special categories of personal data.
45. As already mentioned above and as indicated by the defendant in its submissions, Belgian national legislation does not provide specific legal grounds for the processing of health data in the context of insurance contracts. Also, the exceptions provided for in Article 9.2 b)-j) GDPR cannot apply to the processing at issue.
46. Consequently, the defendant refers to Article 9.2.a) GDPR, namely explicit consent, as the basis for the processing of health data.
47. According to Article 9.2.a) GDPR, the prohibition on the processing of special categories of personal data does not apply if the data subject has given his or her explicit consent to the processing of the personal data in question for one or more specific purposes.
According to Article 4.11) GDPR, "consent" of the data subject means any freely given, individualised, informed and unambiguous indication of the data subject's wishes by which he or she, by making a statement expressing agreement or by taking an action clearly indicating his or her agreement, signifies his or her acceptance of the processing of his or her personal data. 48. The element “freely” implies real choice and control for the data subject. As a general rule, the GDPR prescribes that if a data subject has no real choice, he/she will feel forced to give consent or it will have negative consequences for him/her. If he/she does not consent, the consent is not valid. 8EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, v.1.1 available at https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf. 9EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, v.1.1, p.8, available at https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent nl.pdf. Decision on the merits 109/2024 — 12/24 49. As is apparent from the complaint, the credit offer in question provides for a conditional interest rate reduction, one of the conditions of which is to take out a credit-linked life insurance policy, the aforementioned mortgage protection insurance, with the defendant in the amount of the credit. If no mortgage protection insurance is taken out with the defendant, the interest rate reduction will lapse. In addition, the Dispute Chamber also refers to the social desirability of mortgage insurance, namely the benefits for partners or heirs who are protected by taking out mortgage insurance. 50. Given the negative consequences associated with not taking out mortgage insurance in question, the Dispute Chamber is of the opinion that the consent was not freely given. 
Since the condition of free consent has not been met, the other conditions do not need to be tested, given their cumulative nature, in order to assess the lawfulness of the consent in question. Consequently, there is an infringement of Article 4, 11) GDPR and Article 9.2 GDPR. 51. However, the Dispute Chamber points out that this infringement is not attributable to the defendant. The Dispute Chamber wishes to draw attention to the broader problem associated with the complaint, namely the collection of health data by insurers from potential policyholders via their explicit consent (Article 9.2. a) GDPR) in the context of concluding and executing an insurance policy, in this case a mortgage insurance policy, and the associated question to what extent the consent of those policyholders can be freely given. The question arises whether, other than explicit consent, there are other possible processing grounds on the basis of which the health data can be processed by the defendant in the execution of the insurance contract. 52. The aforementioned Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, which implements the GDPR, does not contain any specific provisions further regulating the processing of sensitive personal data in the context of insurance. Nor does it contain any other national legislation. The defendant notes that a national legislative framework is lacking in this respect, despite several attempts to do so, including at the initiative of the insurance sector itself. The Dispute Chamber can only comment on this position and note that the legislator should intervene in this regard to provide a legal basis specifically for the insurance sector that allows health data to be collected within well-defined limits in the context of the (pre-)contractual relationship between the insurer and the policyholder. 
10 The Dispute Chamber refers to Article 30.3.b for 10 See also Decision 24/2020 of 14 May 2020, paragraphs 74 and 75. Decision on the merits 109/2024 — 13/24 illustration. of the Dutch Implementation Act General Data Protection Regulation in which such a legal basis was provided: 53. Article 30.3 Implementation Act General Data Protection Regulation: “In view of Article 9, paragraph 2, section h, of the Regulation, the prohibition on processing health data does not apply if the processing is carried out by: a. […] b. insurers as referred to in Article 1:1 of the Financial Supervision Act or financial service providers who mediate in insurance as referred to in Article 1:1 of that Act, to the extent that the processing is necessary for: 1°. the assessment of the risk to be insured by the insurer and the data subject has not objected; or 2°. the execution of the insurance contract or assistance with the management and execution of the insurance. 54. Article 30.4 Dutch Implementation Act General Data Protection Regulation: “4. If the first, second or third paragraph is applied, the data shall only be processed by persons who are obliged to maintain confidentiality by virtue of their office, profession or legal requirement or by virtue of an agreement. If the controller processes personal data and is not already subject to a duty of confidentiality by virtue of their office, profession or legal requirement, they shall be obliged to maintain confidentiality of the data, except insofar as the law obliges them to disclose them or their task requires the data to be communicated to others who are authorised to process them by virtue of the first, second or third paragraph.” 55. Despite the various initiatives to provide a specific legal basis for the processing of health data in the context of insurance contracts, the Belgian legislator has not yet followed up on this. 56. 
The Dispute Resolution Chamber considers that this situation is undesirable for all actors involved in concluding such insurance contracts and urges that a solution be found, preferably at European level. Consequently, the Dispute Resolution Chamber will inform the EDPB of this decision and, in consultation with the GBA Management Board, other competent authorities at national and European level. 1In full: Law of 16 May 2018, containing rules implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016, L 119) (General Data Protection Regulation Implementation Act). Decision on the substance 109/2024 — 14/24 II.3. Automated individual decision-making (Article 22 GDPR) II.3.1. Determination by the Inspection Service 57. In the Inspection Report, the Inspection Service does not establish any infringements with regard to the use of automated individual decision-making for ordinary personal data. 58. With regard to the use of automated individual decision-making for health data, the Inspection Service establishes that Article 22.4 GDPR has not been complied with since the consent requested by the defendant on the basis of Article 9.2.a) GDPR was not validly obtained. Consequently, the Inspection Service establishes that the defendant has committed an infringement of Article 22.4 GDPR and Article 24.1 GDPR and Article 25.1 GDPR with regard to the use of automated individual decision-making concerning health data. II.3.2. Position of the complainant 59. The complainant states that the infringement in connection with automated decision-making based on health data was already sufficiently proven in the original complaint and was also confirmed by the Inspectorate. II.3.3. Position of the defendant 60. 
The defendant points out that the infringement of Article 22.4 GDPR established by the Inspectorate is a ‘derivative’ infringement that follows from the infringement of Article 9.2.a) GDPR established by the Inspectorate, and that no further infringements were formulated of other conditions of Article 22.4 GDPR. Furthermore, the Inspectorate found that the defendant fully complies with the conditions of Article 22 GDPR with regard to ‘ordinary’ personal data. Consequently, the defendant argues that if the Dispute Chamber were to rule that the explicit consent was lawfully given, the infringement established by the Inspection Service with regard to Article 22.4 GDPR must be rejected. 61. During the hearing, the defendant was asked to further clarify its position on the finding regarding automated individual decision-making. The defendant explained that this method of decision-making is a conscious choice by the defendant, not least to protect the confidentiality and integrity of the medical data. When this processing produces a positive result for the customer, there is no human control. If a potential problem arises (also known as a flashing light), the file is sent to an employee for Decision on the merits 109/2024 — 15/24 control of the decision-making. Insurance is therefore never refused without the decision-making having been checked by an employee of the defendant. 62. As regards the infringements of Article 24.1 GDPR and Article 25.1 GDPR, the defendant argues that these are in any case unfounded due to a lack of motivation from the Inspection Service (see II.1). If the Dispute Resolution Chamber were nevertheless to proceed to assess the substance of an infringement of these articles, the defendant argues that it has taken all appropriate technical and organisational measures to achieve the objectives intended by the GDPR. 
A dysfunction in a rare case does not of course mean that the necessary procedures and processes would not have been implemented in general, which the Inspectorate also found in the context of its initial assessment, the defendant states. Consequently, the defendant has complied with the conditions for automated individual decision-making in accordance with the requirements arising from Article 22.4 GDPR, Article 24.1 GDPR and Article 25.1 GDPR. II.3.4. Assessment by the Dispute Resolution Chamber 63. When personal data are used to reach a specific decision and this decision is based solely on automated processing of personal data, this constitutes automated individual decision-making. Under Article 22.1 GDPR, data subjects have the right not to be subject to a decision based solely on automated processing (including profiling), which either produces legal effects concerning them or significantly affects them in another way. 64. However, the foregoing does not apply if the decision: a) is necessary for entering into, or the performance of, a contract between the data subject and a controller; b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or c) is based on the data subject’s explicit consent (Article 22.2 GDPR). 65. According to Article 22.4 GDPR, automated individual decisions may not be based on special categories of personal data unless they are based on the explicit consent of the data subject, or the use is necessary for an important public interest under Union or Member State law. In both cases, appropriate measures must be taken to safeguard the legitimate interests of the data subject. In the first situation, the controller shall take such measures himself, in the second situation they shall be prescribed by law. Decision on the substance 109/2024 — 16/24 66. 
As argued by the defendant, automated individual decision-making is based on explicit consent as prescribed by Article 9.2.a) GDPR. In the present case, the Dispute Resolution Chamber held that the express consent had not been validly obtained, but that this infringement was not attributable to the defendant (see section II.2). Consequently, the defendant may rely on Article 22.2.c) GDPR in conjunction with Article 22.4 GDPR, if it meets the applicable conditions. 67. Since the defendant relies on Article 22.2.c) GDPR in conjunction with Article 22.4 GDPR, it must take the necessary appropriate measures to protect the rights of the data subject. These measures must include at least the following: the right to human intervention, the right for the data subject to make his or her point of view known and the right to challenge the decision. 68. Based on the defendant's statement and the privacy statement regarding automatically taken decisions as submitted by the defendant, the Dispute Chamber establishes that the defendant has taken various measures. Automated individual decision-making without human intervention is only taken in the case of a positive decision. In the event that various indicators go off and a negative decision may have to be taken, the file will in any case be assessed by an employee for verification. The person concerned can object to profiling, which means that the decision to qualify for credit and associated mortgage insurance cannot be made automatically. If a person concerned does not agree with the automated individual decision, he or she can, in accordance with the privacy statement, contact the defendant in various ways to let know why he or she does not agree with the decision and to ask to review the decision taken. 69. 
In view of the above, the Dispute Chamber finds, on the basis of the statements of the defendant and the applicable privacy statement, that the defendant legitimately bases the automated individual decision-making based on health data on explicit consent and has taken the necessary appropriate measures to protect the rights of the data subject. Since the Dispute Chamber finds no indications in the Inspection Report or in the conclusions of the complainant that would refute this finding, the Dispute Chamber finds that there is no infringement of Article 22 GDPR, Article 24 GDPR and Article 25 GDPR. Decision on the merits 109/2024 — 17/24 II.4. Information obligations in the privacy statement II.4.1. Findings in the Inspection Report 70. The Inspection Service finds that the general privacy statement regarding customers in the broad sense does not always contain concise, transparent and comprehensible information (Article 12.1 GDPR) and does not contain all the information required under Article 13 GDPR. 71. With regard to the information that is not always concise, transparent and comprehensible, the Inspection Service finds that the statement in the privacy statement that the defendant is part of a group of companies has no added value. Furthermore, the Inspection Service points out that the words personal data and data are not synonyms that are used interchangeably. Furthermore, the privacy statement contains long, complex sentences with jargon on several occasions, which may be unclear to the defendant's customers who are not familiar with the subject matter. 72. The Inspectorate considers the privacy statement to be incomplete, since the direct telephone number of the data protection officer is not included in the privacy statement (Article 13.1.b) GDPR). 
Furthermore, the privacy statement lacks transparent information on what the appropriate or suitable safeguards are, how a copy can be obtained or who can be consulted when transferring personal data by the defendant to third countries for which there is no adequacy decision by the European Commission (Article 13.1.f) GDPR). The Inspectorate also notes a lack of transparent information on whether the data subject is obliged to provide the personal data and what the possible consequences are if personal data are not provided if the provision of personal data is based on a legal or contractual obligation or a necessary condition for concluding a contract (Article 13.2.e) GDPR). II.4.2. Position of the defendant 73. The defendant disputes the findings of the Inspectorate regarding the privacy statement and refutes them in its conclusions. 74. With regard to the findings regarding the not always concise, transparent and comprehensible information, the defendant points out that references to the group of which it is part are functionally important to explain to the data subject how his or her personal data may be used within the group. With regard to the use of the terms data and personal data, the defendant argues that it does make it clear to the data subject that the privacy statement relates to personal data. The word personal data appears no less than 130 times in the privacy statement. She also points out that the use of the word data does not in any way limit the scope of the Decision on the merits 109/2024 — 18/24 privacy statement, since the word ‘data’ can be considered broader in normal language and under the GDPR than the term ‘personal data’. Next, concerning the use of language in the privacy statement, the defendant argues that the Inspectorate does not reproduce the targeted passages in their original context, as a result of which the information that clarifies these passages has been omitted. 
In addition, the defendant states that it uses the most common language possible, but that, given the nature of its activities and the legal framework in which it operates, it is forced in certain cases to use specific names and terms. The information to the data subject must be in accordance with Article 12.1 GDPR not only clear but also concise, whereby an appropriate balance must be found between adding additional explanation on the one hand and including information in summary form on the other. 75. As regards the finding that the privacy statement contains incomplete information, the defendant puts forward arguments to refute this finding. Regarding the lack of mention of the direct telephone number of the data protection officer in the privacy statement, the defendant clarifies that it has chosen not to mention this telephone number in view of the defendant's reputation in the Belgian market and the size of the company. After all, it receives a significant number and a wide variety of requests and questions from data subjects. It would not be feasible for the data protection officer to be called directly with these requests. Data subjects can, however, contact the defendant's helpdesk by telephone. If necessary, the helpdesk agents will forward questions about data protection to the Group Data Protection Unit, of which the data protection officer is a member. As regards the information on appropriate safeguards for transfers, the defendant states that it explains the relevant transfers and provides detailed information on the processors it cooperates with. It also provides clear information to the data subject on how to contact it and how to exercise rights. 
In its privacy statement, the defendant firstly confirms its intention to transfer personal data to recipients who may be located outside the European Economic Area in certain situations, secondly in which countries the processors are located through which transfers may take place and thirdly that for certain countries to which transfers may take place there is no adequacy decision by the European Commission and that, where appropriate, appropriate safeguards will be invoked, including standard contractual clauses and control mechanisms to ensure the level of protection. Finally, the defendant points out that it does indeed state in detail in its privacy statement when the provision of personal data is a legal or contractual obligation. II.4.3. Assessment by the Dispute Resolution Chamber 76. In implementation of the principle of transparency in Article 5.1.a) GDPR, the controller shall take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 and the communication referred to in Articles 15 to 22 and Article 34 in connection with the processing in a concise, transparent, intelligible and easily accessible form, and in clear and plain language. 77. Taking into account the findings of the Inspection Service and after assessing the argumentation of the defendants and the privacy statement enclosed with the documents, the Dispute Chamber rules that there is no infringement of Article 12.1 GDPR in conjunction with Articles 13.1 and 13.2 GDPR. II.5. Accuracy of the data and right to rectification (Article 5.1.d) GDPR and Article 16 GDPR) II.5.1. Position of the complainant 78. In his complaint, the complainant states that the medical questionnaire is completed via the website of the defendant, where the user is guided through the questionnaire via a series of screens. 
Before completing the questionnaire, the user is informed that the information buttons in the questionnaire must always be used to avoid unnecessary information being included. For each section of the questionnaire there is a list of conditions that should not be mentioned. At the end, this completion process results in a summary document that must be signed. However, this summary document lacks the list of conditions that should not be mentioned, which, according to the complainant, makes the questionnaire open to discussion. In this regard, the complainant states that the question may arise whether a specific condition was concealed by the applicant or whether the respondent herself had indicated that it was not necessary to mention that specific condition. Consequently, there is a possibility that the completed data may be subject to different interpretations. In this regard, the complainant points out that a possible discussion about the completed data between the respondent as insurer and the beneficiaries of the insurance may arise after the death of the insured. However, these beneficiaries did not complete this list, and are also unaware of the original questions and the difference between the questionnaire and the resulting summary document. According to the complainant, the accuracy of the information, given the context of the mortgage protection insurance, is extremely important, among other things because of the high financial stake. Although the complainant requested this, the Decision on the merits 109/2024 — 20/24 defendant did not, according to him, make any corrections to the final document in order to accurately reflect the questionnaire. II.5.2. Position of the defendant 79. 
In its conclusions, the defendant argues that, in order to help the customer complete the digital medical questionnaire and avoid the collection of unnecessary data (and thus ensure data minimisation), it provides a limited number of ‘information buttons’ in some free text fields of its digital medical questionnaire. These information buttons indicate conditions that in any case have no influence on the risk of death and are therefore by definition not relevant when completing the questionnaire. 80. The defendant emphasizes that the purpose of the medical questionnaire is to be able to correctly estimate the risk of death of the insured. The defendant may, on the basis of the insurance legislation, only request information on conditions that may entail an increased risk of death with her medical questionnaire for a mortgage loan, referring to Article 5.1° of the Royal Decree of 10 April 2014 regulating certain insurance contracts to guarantee the repayment of the capital of a mortgage loan 12 ("Royal Decree on Mortgage Loan Insurance"). This article stipulated, among other things, the following condition for the medical questionnaire: "the questions asked are precise and relate exclusively to events that may substantiate the increased nature of a health risk for the candidate insured". 81. The defendant adds that, as a guarantee with regard to the insured, the legislator subjects the medical questionnaire of each insurer to external supervision. The questionnaire used by the defendant is subject to the prior approval of the Follow-up agency subject, pursuant to article 4 of the Royal Decree 13 Mortgage protection insurance. 82. The defendant then refers to article 5.1.d) GDPR, which states that personal data must be correct and updated if necessary. All reasonable measures must be taken to erase or rectify without delay personal data that are inaccurate, having regard to the purposes for which they are processed. 
Pursuant to article 16 GDPR, the data subject has the right to obtain from the controller without delay rectification of incorrect personal data concerning him. 1BS 10 June 2014. 13 Art. 4 Royal Decree on Mortgage Protection Insurance: “An insurance company may only use a medical questionnaire when processing an application for mortgage protection insurance on condition that the formulation of the questions has been approved in advance by the Follow-up Agency. The Monitoring Office shall decide within one month of receipt on the approval of the wording of the questions. The decision by the Monitoring Office shall be taken by a simple majority of votes.” Decision on the substance 109/2024 — 21/24 83. The defendant states that the medical questionnaire, including the information buttons, and the answers provided are stored on its secure IT system, which means that the personal data are ‘correct’ within the meaning of Article 5.1.d) GDPR. The subsequent possibility that the defendant offers to download the questions and answers in a PDF document does not affect the foregoing and does not entail that the personal data stored in the defendant’s systems are therefore incorrect and would give the complainant the right to ‘rectify’ those data accordingly within the meaning of Article 16 GDPR. 84. It also follows from the text of the GDPR that the accuracy of the personal data must be assessed in light of the purposes for which they are processed, as the defendant argues. The fact that the medical questionnaire is intended to allow the defendant to assess the risk of death of the prospective policyholder – for which conditions without an influence on the risk of death that are indicated in the information button are irrelevant – means that the personal data as shown in the downloadable PDF document must also be considered as correct in light of the aforementioned purpose of the processing. 85. 
Consequently, the defendant concludes, it can hardly be said that the complainant's right to rectification was disregarded, since, firstly, the personal data must indeed be considered correct and, secondly, the defendant responded to the complainant's request within the period provided for by the GDPR and requested clarification in this regard, to which it did not receive a response from the complainant. II.5.3. Assessment by the Dispute Resolution Chamber 86. On the basis of the elements provided by the defendant in the conclusions, with reference to the documents, the Dispute Resolution Chamber concludes that the defendant has made the necessary efforts to demonstrate that the accuracy of the personal data is guaranteed and that it has responded to the complainant's request for rectification in a timely and correct manner, so that there is no infringement of Article 5.1.e) GDPR and Article 16 GDPR. II.6. Integrity and confidentiality (Article 5.1.f) GDPR) II.6.1. Position of the complainant 87. The complainant states that after completing the aforementioned questionnaire when applying for the mortgage insurance, a document is offered for signature, the above- summary document. This signature must be done via the mobile application of the defendant and is an essential part of guaranteeing the integrity of the substantive decision 109/2024 — 22/24 personal data. The complainant argues that, without proper signature, there is a possibility that the defendant will subsequently change the data. The complainant also points out that the defendant, as an insurer, has a conflicting interest with respect to the data subjects (the beneficiaries). 88. In assessing whether the security is appropriate, the complainant submits that the sensitivity of the personal data in question and the impact of a change, i.e. a breach of the integrity, of the data, should be taken into account. 
The complainant argues that although appropriate technology is available to ensure the integrity of the data and to provide evidence of this to third parties, the respondent does not use it. According to the complainant, the integrity of the document is not guaranteed by a digital signature based on public key cryptography, or this signature is in any case not visible to the complainant. In the absence of such a signature, the integrity of the document is not sufficiently guaranteed. II.6.2. Position of the defendant 89. The defendant disputes the complainant's allegations and states that it has indeed taken appropriate technical and organisational measures "to ensure a level of security appropriate to the risk", in accordance with what Article 5.1.f) GDPR and Article 32 GDPR require. Article 32 GDPR also expressly makes it clear that the GDPR does not prescribe one specific security measure, but that the assessment of the level of security is based on the totality of technical and organisational measures taken, as well as on the need to take into account "the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing and the varying likelihood and severity of the risks to the rights and freedoms of individuals". 90. As regards the integrity of the digital medical questionnaire, the defendant has implemented an appropriate combination of technical and organisational measures. After the digital medical questionnaire has been completed, all answers entered by the prospective policyholder are automatically transferred by the system to the document that is presented to the person concerned for signature. After signing, these data can no longer be modified in the defendant's systems. This is technically built into the database. 
Even if an employee is granted access to the stored medical questionnaire under the strict access policy, that employee cannot modify the stored answers of the prospective policyholder to the medical questionnaire in the system. 91. The defendant then sets out the main security measures concerning the integrity of the data from the medical questionnaire. This includes strong Decision on the merits 109/2024 — 23/24 authentication within the highly secured banking environment of the defendant, the signature with a secret PIN code or via facial recognition, the time stamp of the signature, the isolated storage systems where the completed questionnaires are stored in an isolated database, separate from other files and processing systems of the defendant, access control for employees with a very strict access policy, no possibility of changing the completed answers for employees; the completed medical questionnaires can never be consulted by agencies or offices, and the internal policy includes specific guidelines for the processing of medical data within the defendant, such as the management of access to medical data and of the authorisation for certain applications and the storage of medical data. The defendant emphasises that these technical and organisational measures are closely monitored and adjusted if necessary. 92. The defendant also points out that, apart from all the previous measures, the candidate policyholder can also save the completed medical questionnaire on his/her own device. The alleged – and purely hypothetical – risk of modification by the defendant that the plaintiff refers to can simply be countered in this way, the defendant states. In such a scenario, the downloaded copy would enable the plaintiff to demonstrate a modification and provide counter-evidence, the defendant explains. If desired, the person concerned can also subsequently ask the defendant for a copy of the medical questionnaire, as the plaintiff did in this case. 93. 
Finally, the defendant argues that there are no special legal requirements for the signing of medical questionnaires regarding the type of signature required, neither under the EU eIDAS Regulation, nor under Belgian law, nor under the GDPR. The totality of the organisational and technical measures taken guarantee a sufficient level of security appropriate to the risk in accordance with the requirements of Article 5.1.f) GDPR in conjunction with Article 32 GDPR, the defendant concludes. II.6.3. Assessment by the Dispute Chamber 94. Based on the elements provided by the defendant in the conclusions, with reference to the documents, the Dispute Chamber concludes that the defendant has made the necessary efforts to demonstrate that the required technical and organisational measures have been taken to ensure secure data processing, so that there is no infringement of Article 5.1.f) GDPR in conjunction with Article 32 GDPR. 14Full version: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.