APD/GBA (Belgium) - 109/2024
From GDPRhub
| APD/GBA - 109/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 4(11) GDPR Article 9(2) GDPR Article 12 GDPR Article 13 GDPR Article 16 GDPR Article 22 GDPR Article 24 GDPR Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 29.08.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 109/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | APD/GBA (Belgium) (in NL) |
| Initial Contributor: | wp |
The DPA found there was no freely given consent when a data subject was faced with negative consequences of not giving the consent.
English Summary
Facts
A data subject received a loan offer from a company. The loan referred to a purchase of a home. The data subject received an interest rate discount. However, to sustain the discount, the data subject was obliged to take out debt balance insurance offered by a broker (a controller).
While taking out the insurance, the data subject had to give consent for processing health data. According to the data subject, the consent covered not only the insurance offer at stake, but also other purposes, for example, claims processing, fraud prevention, development of pricing, automated decision making. The data subject asked the controller to rephrase the consent, so it was more specific. The controller didn’t agree.
Because the data subject didn’t want to lose the discounter interest rate, they eventually gave the consent for processing their health data.
Afterwards, the data subject sent an email in which they: • withdrew the consent regarding health data processing, automated decision making process, • requested restriction of data processing until the legal basis of processing was clarified • requested correction of signed documents.
The controller answered the requests and provided the data subject with a copy of their data.
The data subject filed a complaint with the Belgian DPA (APD/GBA).
Holding
The DPA upheld the complaint.
The DPA found the controller failed to obtain valid consent for data processing. The consent given by the data subject was not given. This was because of negative consequences to be faced by the data subject. Thus, the controller violated Article 4(11) and Article 9(2) GDPR.
For the DPA the controller didn’t violate Article 22 and 24 GDPR with reference to automated decision making process based on health data. The investigation proved the controller based that processing on an explicit consent. Moreover, appropriate measures, necessary under Article 22(4) GDPR were introduced, for example, by mandatory human intervention of decisions made.
Furthermore, the DPA found no violation of Article 12, 13, 16 and 32 GDPR, as argued by the data subject.
Although the controller violated the GDPR, the DPA decided not to charge them.
Comment
The DPA expressed concerns over lacking specific legal basis referring to insurance contracts in Belgian law.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/24
Dispute resolution
Decision on the merits 109/2024 of 29 August 2024
File number: DOS-2022-03909
Subject: Processing of personal data in the context of
mortgage protection insurance
The Dispute Resolution of the Data Protection Authority, composed of Mr
Hielke HIJMANS, chairman, and Mr Dirk Van Der Kelen and Mr Christophe Boeraeve, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter referred to as “WOG”;
Having regard to the internal rules of procedure, as approved by the Chamber of
Representatives on 20 December 2018 and published in the Belgian Official Gazette on
15 January 2019;
Having regard to the documents in the file;
Has taken the following decision regarding:
Complainant: Mr X, hereinafter referred to as “the complainant”; and
Defendant: Y, represented by Mr Heidi Waem and Mr Simon Verschaeve, both
with offices at 1000 Brussels, Wolstraat 70, hereinafter referred to as “the defendant”. Decision on the merits 109/2024 — 2/24
I. Facts and procedure
1. On 19 September 2022, the complainant lodged a complaint with the Data Protection Authority
against the defendant.
2. The complaint concerns the following facts. In December 2021, the complainant
obtained a credit offer from the defendant in connection with the purchase of a home. The
credit offer provides for a conditional interest rate discount, one of the conditions
of which is to take out a credit-linked life insurance policy with the defendant
for the amount of the credit. If no mortgage insurance is taken out
with the defendant, the interest rate discount will lapse. The complainant states that when applying for the
mortgage insurance policy through a broker in March 2022, it emerged that the
signing of a consent for the processing of health data
is necessary. However, according to the complainant, this consent would not only apply to the
medical acceptance for the mortgage insurance in question, but to all
processing of health data, such as claims handling, elaboration of
pricing, refining of accession and coverage conditions, and detecting and
preventing fraud. The complainant adds that this is also linked to
consent for automated decision-making based on health data. On 9 March 2022, the complainant
receives a response from the insurance broker regarding the consent for the processing
of health data. This indicates that it is impossible for the defendant
to work with a more specific consent. The complainant states that, nevertheless,
only a mortgage insurance is being requested. The complainant notes that the
defendant's website prevents the questionnaire from being completed if consent is not
granted. Given the risk of missing out on the interest discount, the complainant agrees to the
consent document and completes the medical questionnaire on the website. Subsequently,
a summary document is obtained that must be signed via the website. However, according to the complainant, this summary document does not contain the same
information as what was available in the questionnaire input screens. On 18 July 2022,
the complainant exercises his rights by e-mail, partially withdrawing his consent,
also requests a restriction of the processing pending clarification of the legal basis,
withdraws his consent for automated decision-making, and finally requests a correction of the signed
document and adequate integrity protection of the signed document. The complainant receives a copy of his
personal data from the respondent on 12 August 2022. On the same
date, the complainant receives the respondent's response to the other elements of the
request. Decision on the merits 109/2024 — 3/24
3. On 21 October 2022, the complaint is declared admissible by the First Line Service on the basis of
Articles 58 and 60 WOG and the complaint is transferred to the Dispute Chamber on the basis of Article 62, § 1 WOG
.
4. On 17 November 2022, in accordance with Article 96, § 1 WOG, the request of the
Dispute Chamber to conduct an investigation is transferred to the Inspection Service,
together with the complaint and the inventory of the documents.
5. On 3 March 2023, the investigation by the Inspection Service is completed, the report
is added to the file and the file is transferred by the Inspector General to
the Chairman of the Dispute Chamber (Article 91, § 1 and § 2 WOG).
The report contains findings regarding the subject matter of the complaint and concludes
that:
1. there is no infringement in general of Article 5 GDPR, Article 24.1 GDPR
and Articles 25.1 and 25.2 GDPR;
2. there is an infringement of Article 4, 11) GDPR, Article 7.1 and 7.3 GDPR and Article 9.2.a) GDPR
for the processing of health data;
3. there is an infringement of Article 22.4 GDPR, Article 24.1 GDPR and Article 25.1 GDPR
due to the use of automated individual decision-making for
health data; and
4. there is a breach of Article 12.1 GDPR, Article 13.1 and 13.2 GDPR, Article 24.1
GDPR and Article 25.1 GDPR with regard to the general privacy statement for customers
in the broad sense.
The report also contains findings that go beyond the subject of the complaint.
The Inspection Service determines, in broad terms, that there is no breach of Article
38.1 GDPR and Article 39 GDPR.
6. On 22 March 2023, the Dispute Resolution Chamber decides on the basis of Article 95, § 1, 1° and Article 98
WOG that the file is ready for consideration on the merits.
7. On 22 March 2023, the parties concerned will be notified by registered mail of the provisions as stated in Article 95, § 2, as well as those in Article 98 of the WOG.
They will also be notified of the deadlines for submitting their defences on the basis of Article 99 of the WOG.
As regards the findings relating to the subject matter of the complaint, the
deadline for receipt of the defendant’s response
was set at 5 May 2023, that for the complainant’s response
was set at 26 May 2023
and finally that for the defendant’s response
was set at 16 June 2023. As regards
findings going beyond the subject matter of the complaint, Decision on the merits 109/2024 — 4/24
deadline for receipt of the defendant’s response
was set at 5 May 2023.
8. On 23 March 2023, the complainant electronically accepts all communications concerning the case.
9. On 23 March 2023, the defendant electronically accepts all communication regarding the
case and indicates that she wishes to make use of the opportunity to be heard, in accordance
with Article 98 WOG.
10. On 3 May 2023, the Dispute Chamber receives the conclusion of the
response from the defendant regarding the findings regarding the subject of the
complaint. In the main, the defendant argues that the procedure and the manner in which it
is conducted by the Dispute Chamber and the Inspection Service violate the principles of
good governance. In the subordinate order, the defendant argues that she has
respected the GDPR when processing health data on the basis of explicit
consent. This conclusion also contains the defendant's response
regarding the findings made by the Inspection Service outside the scope of the
complaint. 11. On 24 April 2023, the Dispute Chamber receives the conclusion of the reply from the complainant for
the findings regarding the subject of the complaint. The complainant
requests the Dispute Chamber to deal with the complaint in its entirety, including the
alleged infringements concerning the accuracy of data, the right to rectification and the
integrity of data, although these alleged infringements are not included in the
inspection report. In response to the defendant's main pleas, the complainant
raises the following:
so that, despite any alleged infringements of the principles of public
administration raised by the defendant, the Dispute Chamber can rely on the complaint and all the
elements contained therein for its assessment of the case. In response to the defendant's
subordinate pleas, the complainant argues that the conditions regarding
explicit consent for the processing of health data have not been met. Furthermore, the complainant argues that he considers the infringement of automated decision-making based on health data in the original complaint and the Inspection Report to be sufficiently proven. In addition, the complainant denounces the lack of clarity regarding the basis for the processing of health data and the role of consent. Finally, the complainant also establishes that there are infringements of the accuracy of the processed personal data and the integrity and confidentiality.
12. On 13 June 2023, the Dispute Chamber receives the defendant's reply
with regard to the findings relating to the subject matter of the complaint, in which
it reiterates its positions in its reply. Decision on the merits 109/2024 — 5/24
13. On 22 April 2024, the parties are informed that the hearing will
take place on 3 June 2024.
14. On 3 June 2024, the parties are heard by the Dispute Chamber.
15. On 12 June 2024, the minutes of the hearing are submitted to the parties.
16. On 5 June 2024, the defendant was granted an additional period to take a position
on the following points from the complaint:
a) Possible infringement of Article 5.1.d) GDPR and Article 16 GDPR due to the processing of
incorrect data and the failure to comply with the right to rectify this data,
as the unmentioned conditions are not reflected in the
document to be signed and the defendant did not respond to the complainant's request to
correct this.
b) Possible infringement of Article 5.1.f) GDPR and Article 32 GDPR due to the
failure to adequately guarantee the integrity of the data provided by the use of a
digital signature based on public key cryptography.
17. The deadline for receipt of the defendant's conclusion of reply
regarding the above points is set at 28 June 2024.
18. On 14 June 2024, the Dispute Chamber receives from the complainant some comments
regarding the report, which it decides to include in its deliberations.
19. On 18 June 2024, the Dispute Chamber receives from the defendant some comments
regarding the report, which it decides to include in its deliberations.
20. On 28 June 2024, the Dispute Chamber receives from the defendant the conclusions
regarding the points described in paragraph 16. The defendant reiterates its
arguments from its rejoinder and adds that it complies with the requirements
regarding accuracy and has given adequate response to the exercise of the complainant's right
to rectification (Article 5.1.d) GDPR and Article 16 GDPR) and
that it has taken appropriate security measures when processing personal data
in the context of concluding the mortgage insurance, which means that there is no
infringement of Article 5, paragraph 1, f) GDPR and Article 32 GDPR.
II. Reasons
II.1. Principles of good governance
21. First, the defendant argues that the Inspectorate has violated the principles of good governance, in particular the principle of motivation, the principle of due care, the principle of reasonableness, the principle of proportionality, the principle of impartiality and its
rights of defence.
22. The defendant argues that, on the basis of the principle of motivation, it is necessary that
the allegations contain at least a minimum of motivation in order to understand the full
sequence of the allegations so that it would be able to defend itself properly.
23. According to the defendant, the manner in which the inspection report was drawn up
violates the principle of due care because the Inspectorate has used its investigative powers
disproportionately. Furthermore, the Inspection Service is required to draw up the inspection report with due care so that it is clear to the defendant which infringements are or are not included.
24. In addition, according to the defendant, the principle of reasonableness and the principle of proportionality have also been violated because the findings included in the inspection report are not in proportion to the relevant facts and the subject of the complaint.
25. Finally, the defendant argues that the principle of impartiality has also been violated because the Inspection Service did not conduct an investigation for discharge, but
on the other hand clearly and a priori assumed the defendant's guilt.
26. According to the defendant, the Dispute Chamber also violated the principles of good governance,
including the principle of due care, by deciding that the inspection report, which
allegedly conflicts with the principles of good governance, allows the case to be dealt
with on the merits and justifies proceedings on the merits.
27. The defendant is led to state that the rights of defence have been
violated.
28. In this regard, the Dispute Chamber points out that the procedural guarantees
must be fully complied with and, if there was any possibility that the defendant had been
harmed by the manner in which the inspection report was drawn up, this
harm was completely remedied in the subsequent proceedings, so that there can be no question of any
violation of the principles of good governance. The procedural elements put forward by the defendant do not result in the rights of the defence being infringed, since the defendant was given the opportunity to fully present its arguments by means of the reply and rejoinder;
moreover, the defendant was able to fully exercise its right to challenge the proceedings
during the hearing of the Litigation Chamber. The defendant did not therefore suffer any disadvantage and the rights of the defence were thus indeed respected. Decision on the substance 109/2024 — 7/24
II.2. Lawfulness of the processing
II.2.1. Determination of the Inspection Service
29. The Inspection Service notes in its inspection report that the defendant relies on the
explicit consent as a legal basis for the processing of health data
in the context of concluding a mortgage insurance. However, the Inspection Service
concludes that the lawfulness of the processing at issue has not been met
because there is a violation of Article 4, 11) GDPR, Article 7.1 and 7.3 GDPR and Article
9.2.a) GDPR.
30. According to the Inspection Service, the consent requested by the defendant from the complainant via the
“consent to processing health data” form is not freely and
specific, since the form applies to various processing purposes, but that data subjects can only
give consent for all of these processing purposes in their entirety. Consequently, the Inspection Service finds that the
consent requested via the aforementioned form is not freely given and specific,
which means that the consent is not legally valid. Finally, the Inspection Service concludes on
the basis of its investigation that withdrawing the consent given is not as easy as
giving it, since such withdrawal requires the person concerned to read the
privacy statement in advance, which indicates how the withdrawal should be
carried out.
II.2.2. Position of the complainant
31. In his reply, the complainant argues that the consent given is not specific
and not freely given. As regards the lack of specific consent, the complainant
argues that the defendant lists various purposes, such as developing correct
pricing, efficient cost management and refining access and coverage
conditions. She argues that these purposes are inextricably linked to
each other. The complainant disputes this and argues that it is a question of vaguely formulated purposes that
do not specifically relate to the insurance contract in question. According to the complainant, these are general activities that an insurer can perform in its business operations, but which are not necessary to use, possibly on a large scale, all
health data in its possession. The complainant argues that the defendant can also
rely on other elements such as a subset of personal data (i.e. of data subjects who have given specific consent), other
statistical data sources (such as public mortality statistics) or scientific research.
32. The complainant adds that even if all these purposes were inextricably linked,
quodnon, this connection cannot provide grounds for bundling consent for all insurance contracts. The consent is
consequently not specific.
33. The complainant asks why the defendant, prior to completing the
medical questionnaire for the mortgage insurance, did not ask a short consent question
specifically for the mortgage insurance in question and with the necessary divisions
for the different purposes. This method also offers the defendant the
opportunity to point out to the person concerned that already known health data
can also be used in the risk assessment.
34. As regards the free nature of the consent, the complainant points out that there is a
definite disadvantage associated with refusing consent, which goes beyond
merely not being able to obtain insurance. The complainant also denounces that, by
bundling consent for different purposes into one consent, this
consent was not freely obtained.
35. As regards the legal basis for processing health data, within the
context of medical acceptance for mortgage insurance, the complainant requests the
Dispute Chamber to take a position on the legal basis, namely whether there
is a sufficiently specific legal basis for the processing or whether consent is the
applicable legal basis. The complainant states that any imperfections in the
legislation relating to the processing of health data within the context of
medical acceptance for mortgage insurance cannot be blamed on the defendant.
However, according to the complainant, this does not alter the fact that the
defendant must correctly determine the legal basis and if it still relies on explicit
consent as a legal basis, consent must be requested in a valid manner.
II.2.3. Position of the defendant
36. In its conclusions, the defendant argues that it has respected the GDPR when
processing health data on the basis of explicit consent. She argues that
explicit consent is freely given and specific and that withdrawing it is as
easy as giving it.
37. As regards the specific nature of explicit consent, the
defendant argues that the applicable legal framework for (life) insurance
has the consequence that the processing activities or ‘sub-purposes’ set out
by the defendant in the consent form, which the Inspectorate considers to be
separate purposes, are intrinsically linked to one more general purpose, namely
the correct fulfilment of the role of the insurer in offering and
executing insurance contracts. Splitting the purpose of the processing would either Decision on the merits 109/2024 — 9/24
lead to the defendant no longer being able to apply or comply with the legal principles,
or would give the data subject the wrong impression that he or she actually has a
choice to consent or not on a granular basis per processing activity or
‘sub-purpose’, which would be contrary to Article 5.1.a) GDPR, which states that “personal
data must be processed lawfully, fairly and transparently in relation to the data
data subject”. Since the processing of the complainant’s health data took
place for only one general purpose, the explicit consent that the defendant obtained
is indeed specific, in accordance with the conditions that the GDPR imposes on the
processing of personal data on the basis of consent. 38. As regards the free nature of explicit consent, the defendant points out that the legal framework for insurance implies that the processing of health data in question is not ‘unnecessary’ for the correct fulfilment of the role of the insurer in offering and executing insurance contracts, but on the contrary - should be regarded as an essential element. The finding that the defendant makes consent a condition for concluding mortgage insurance does not lead to the conclusion that there is no ‘free’ expression of will by the person concerned and that the consent is therefore invalid by definition. In this context, the defendant points out that explicit consent is used as an exception under Article 9.2.a) GDPR for the processing of special categories of personal data that are necessary for the performance of the contract within the meaning of Article 6.1.b) GDPR. This constitutes a specific issue, particularly in Belgium and particularly for insurance companies. The
defendant points out that consent as the only exception under Article 9.2
of the GDPR may apply in the absence of a national legislative framework. This is in contrast
to other EU countries such as the Netherlands, Spain, Ireland (and the United Kingdom) where
a legal framework has been created for the processing of sensitive personal data by
insurers. In this context, the defendant refers to legislative initiatives from the
insurance sector with the aim of obtaining such a legislative framework, to date
without success.
II.2.4. Assessment by the Dispute Resolution Chamber
39. The question arises whether the defendant can validly rely on the
explicit consent for the processing of personal data in the context of concluding
a mortgage insurance policy.
40. Article 5.1.a) of the GDPR requires that personal data “be processed
lawfully, fairly and transparently in relation to the data subject (“lawfulness,
fairness and transparency”).” The principle of lawfulness is one of the main principles of the GDPR and is a prerequisite for the application of the other principles of the GDPR with regard to the processing of personal data.
41. It is up to the controller to determine which legal basis is appropriate in relation to the purpose of the processing. Since different consequences result from one or the other legal basis, in particular with regard to the rights of the data subjects, the controller is not allowed to rely on one or the other legal basis, depending on the circumstances.
Once a particular legal basis has been chosen, another legal basis cannot be chosen at a later stage. Nor can it be relied upon to use another legal basis for the same processing activity, for the same purposes, when the chosen legal basis ceases to apply. 2
42. Under Article 9.1 GDPR, the processing of health data is in principle
prohibited. In the event that processing of categories of special personal data
takes place in accordance with Article 9.1 GDPR, the controller must indicate a legal basis
in accordance with Article 6 GDPR and an exception under Article 9.2 GDPR in order
to be able to speak of a lawful processing. This combination of legal grounds under Article 6 and 9.2
GDPR stems from, among other things, the Meta judgment (C-252/21) of the Court of Justice in which
the Court expressly ruled that the processing of sensitive personal data is
only permitted if such processing can be regarded as lawful under Article 6.1 GDPR. Opinion 2/2019 of the European Data Protection Board (hereinafter
4 5
“EDPB”) and Opinion 06/2014 of the Article 29 Data Protection Working Party also refer
consistently to the application of both Article 6 GDPR and Article 9 GDPR in the case of
processing a category of special personal data. Recital 51 GDPR
finally clearly indicates that Article 6 GDPR must always be applied.
43. No applicable legal basis can be found in national legislation either. Neither
the Act of 30 July 2018 on the protection of natural persons with
regard to the processing of personal data, nor the Act of 4 April 2014 on
insurance, nor any national law contains a processing ground on the basis of which
health data in the context of entering into insurance contracts
1 See also decision 77/2023, §74, of the Dispute Resolution Chamber. 2
See, for example, decisions 38/2021, 54/2023 and 77/2023 of the Litigation Chamber.
3CJEU Judgment of 4 July 2023, Meta, C-252/21, ECLI:EU:C:2023:537, para. 90.
4
Opinion 2/2019 (EDPB) on the questions and answers on the interaction between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (Article 70(1)(b)) of 23 January 2019.
5 Opinion 06/2014 (WP 29) on the concept of “legitimate interest of the controller” in Article 7 of Directive 95/46/EC.
6BS 5 September 2018.
7
BS 30 April 2014. Decision on the substance 109/2024 — 11/24
processed. Consequently, the defendant must find a legal basis in the
GDPR.
44. The EDPB Guidelines 05/2020 state that Article 9.2 GDPR does not provide for the
necessity of the performance of the contract as an exception to the general
prohibition of processing in Article 9.1 GDPR. In this context, the
controller must investigate whether one of the specific exceptions in Article 9.2(b) to
j) could apply to such a situation.
If none of the exceptions in subparagraphs b - j apply, obtaining explicit consent in accordance with the conditions for valid consent laid down in the GDPR is the only possible legal exception on the basis of which the controller could process personal data belonging to special categories of personal data.
45. As already mentioned above and as indicated by the defendant in its submissions, Belgian national legislation does not provide specific legal grounds for the processing of health data in the context of insurance contracts. Also, the exceptions provided for in Article 9.2 b)-j) GDPR cannot apply to the processing at issue.
46. Consequently, the defendant refers to Article 9.2.a) GDPR, namely explicit consent,
as the basis for the processing of health data.
47. According to Article 9.2.a) GDPR, the prohibition on the processing of special
categories of personal data does not apply if the data subject has given his or her
explicit consent to the processing of the personal data in question
for one or more specific purposes. According to Article 4.11) GDPR,
"consent" of the data subject means any freely given, individualised,
informed and unambiguous indication of the data subject's wishes by which he or she,
by making a statement expressing agreement or by taking an action
clearly indicating his or her agreement, signifies his or her acceptance of the
processing of his or her personal data. 48. The element “freely” implies real choice and control for the data subject. As a general rule, the GDPR prescribes that if a data subject has no real choice, he/she will feel forced to give consent or it will have negative consequences for him/her.
If he/she does not consent, the consent is not valid.
8EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, v.1.1 available
at https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf. 9EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, v.1.1, p.8, available at https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent nl.pdf. Decision on the merits 109/2024 — 12/24
49. As is apparent from the complaint, the credit offer in question provides for a conditional
interest rate reduction, one of the conditions of which is to take out a credit-linked
life insurance policy, the aforementioned mortgage protection insurance, with the defendant in
the amount of the credit. If no mortgage protection insurance is taken out with the
defendant, the interest rate reduction will lapse. In addition, the Dispute Chamber also refers to
the social desirability of mortgage insurance, namely the benefits for
partners or heirs who are protected by taking out mortgage insurance.
50. Given the negative consequences associated with not taking out mortgage insurance
in question, the Dispute Chamber is of the opinion that the consent
was not freely given. Since the condition of free consent has not been met,
the other conditions do not need to be tested, given their cumulative nature,
in order to assess the lawfulness of the consent in question. Consequently,
there is an infringement of Article 4, 11) GDPR and Article 9.2 GDPR.
51. However, the Dispute Chamber points out that this infringement
is not attributable to the defendant. The Dispute Chamber wishes to draw attention to the broader
problem associated with the complaint, namely the collection of health data by insurers from potential policyholders via their
explicit consent (Article 9.2. a) GDPR) in the context of concluding and executing
an insurance policy, in this case a mortgage insurance policy, and the associated question
to what extent the consent of those policyholders can be freely given. The question arises whether,
other than explicit consent, there are other possible processing grounds on the basis of
which the health data can be processed by the defendant in the execution of the
insurance contract.
52. The aforementioned Act of 30 July 2018 on the protection of natural persons
with regard to the processing of personal data, which implements the
GDPR, does not contain any specific provisions further regulating the processing of sensitive
personal data in the context of insurance. Nor does it contain any other
national legislation. The defendant notes that a national legislative framework is lacking in this respect, despite several attempts to do so, including at the initiative of the insurance sector itself. The Dispute Chamber can only comment on this position and note that the legislator should intervene in this regard to provide a legal basis specifically for the insurance sector that allows health data to be collected within well-defined limits in the context of the (pre-)contractual relationship between the insurer and the policyholder. 10 The Dispute Chamber refers to Article 30.3.b for
10
See also Decision 24/2020 of 14 May 2020, paragraphs 74 and 75. Decision on the merits 109/2024 — 13/24
illustration. of the Dutch Implementation Act General Data Protection Regulation
in which such a legal basis was provided:
53. Article 30.3 Implementation Act General Data Protection Regulation: “In view of Article
9, paragraph 2, section h, of the Regulation, the prohibition on processing health data
does not apply if the processing is carried out by:
a. […]
b. insurers as referred to in Article 1:1 of the Financial Supervision Act or financial
service providers who mediate in insurance as referred to in Article 1:1 of that Act, to the extent that the processing is
necessary for:
1°. the assessment of the risk to be insured by the insurer and the
data subject has not objected; or
2°. the execution of the insurance contract or assistance with the
management and execution of the insurance.
54. Article 30.4 Dutch Implementation Act General Data Protection Regulation:
“4. If the first, second or third paragraph is applied, the
data shall only be processed by persons who are obliged to maintain confidentiality by virtue of their office, profession or
legal requirement or by virtue of an agreement. If
the controller processes personal data and is not already subject to a duty of confidentiality
by virtue of their office, profession or legal requirement, they shall be
obliged to maintain confidentiality of the data, except insofar as the law obliges them to
disclose them or their task requires the data to be communicated to others who are
authorised to process them by virtue of the first, second or third paragraph.”
55. Despite the various initiatives to provide a specific legal basis for the
processing of health data in the context of insurance contracts, the Belgian legislator has not yet
followed up on this. 56. The Dispute Resolution Chamber considers that this situation is undesirable for all actors involved in concluding such insurance contracts and urges that a solution be found, preferably at European level. Consequently, the Dispute Resolution Chamber will inform the EDPB of this decision and, in consultation with the GBA Management Board, other competent authorities at national and European level.
1In full: Law of 16 May 2018, containing rules implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016, L 119) (General Data Protection Regulation Implementation Act). Decision on the substance 109/2024 — 14/24
II.3. Automated individual decision-making (Article 22 GDPR)
II.3.1. Determination by the Inspection Service
57. In the Inspection Report, the Inspection Service does not establish any infringements with regard to the
use of automated individual decision-making for ordinary personal data.
58. With regard to the use of automated individual decision-making for
health data, the Inspection Service establishes that Article 22.4 GDPR has not been complied with
since the consent requested by the defendant on the basis of Article 9.2.a)
GDPR was not validly obtained. Consequently, the Inspection Service establishes that the
defendant has committed an infringement of Article 22.4 GDPR and Article 24.1 GDPR and Article 25.1
GDPR with regard to the use of automated individual decision-making
concerning health data.
II.3.2. Position of the complainant
59. The complainant states that the infringement in connection with automated decision-making based on
health data was already sufficiently proven in the original complaint and was also
confirmed by the Inspectorate.
II.3.3. Position of the defendant
60. The defendant points out that the infringement of Article 22.4 GDPR
established by the Inspectorate is a ‘derivative’ infringement that follows from the
infringement of Article 9.2.a) GDPR established by the Inspectorate, and that no
further infringements were formulated of other conditions of Article 22.4 GDPR. Furthermore, the
Inspectorate found that the defendant fully complies with the conditions of Article 22 GDPR
with regard to ‘ordinary’ personal data. Consequently, the defendant argues that if the
Dispute Chamber were to rule that the explicit consent was lawfully given,
the infringement established by the Inspection Service with regard to Article 22.4 GDPR must be rejected.
61. During the hearing, the defendant was asked to further clarify its position on the
finding regarding automated individual decision-making. The defendant explained that this method of decision-making is a
conscious choice by the defendant, not least to protect the confidentiality and integrity of the
medical data. When this processing produces a positive result for the customer, there is no
human control. If a potential problem arises (also known as a flashing light), the file is sent to an employee for
Decision on the merits 109/2024 — 15/24
control of the decision-making. Insurance is therefore never refused without the
decision-making having been checked by an employee of the defendant.
62. As regards the infringements of Article 24.1 GDPR and Article 25.1 GDPR, the
defendant argues that these are in any case unfounded due to a lack of motivation from the
Inspection Service (see II.1). If the Dispute Resolution Chamber were nevertheless to proceed to assess
the substance of an infringement of these articles, the defendant argues that it has taken
all appropriate technical and organisational measures to achieve the objectives intended by the
GDPR. A dysfunction in a rare case does not of course mean that the necessary
procedures and processes would not have been implemented in general, which the Inspectorate
also found in the context of its initial assessment, the defendant states. Consequently, the
defendant has complied with the conditions for automated individual decision-making in
accordance with the requirements arising from Article 22.4 GDPR, Article 24.1 GDPR and
Article 25.1 GDPR.
II.3.4. Assessment by the Dispute Resolution Chamber
63. When personal data are used to reach a specific decision and this
decision is based solely on automated processing of personal data,
this constitutes automated individual decision-making. Under Article 22.1
GDPR, data subjects have the right not to be subject to a decision based solely on
automated processing (including profiling), which either produces legal effects concerning
them or significantly affects them in another way.
64. However, the foregoing does not apply if the decision: a) is necessary for
entering into, or the performance of, a contract between the data subject and a
controller; b) is authorised by Union or Member State law to which the controller is
subject and which also lays down suitable measures to safeguard the data subject’s
rights and freedoms and legitimate interests; or c) is based on the data subject’s
explicit consent (Article 22.2 GDPR).
65. According to Article 22.4 GDPR, automated individual decisions may not be
based on special categories of personal data unless they are based on the explicit consent of the data subject, or the use is
necessary for an important public interest under Union or Member State law. In both cases,
appropriate measures must be taken to safeguard the legitimate interests of the data subject. In the first
situation, the controller shall take such measures himself, in the second situation they shall be
prescribed by law. Decision on the substance 109/2024 — 16/24
66. As argued by the defendant, automated individual decision-making
is based on explicit consent as prescribed by Article 9.2.a) GDPR.
In the present case, the Dispute Resolution Chamber held that the express
consent had not been validly obtained, but that this infringement was not attributable
to the defendant (see section II.2). Consequently, the defendant may rely on Article
22.2.c) GDPR in conjunction with Article 22.4 GDPR, if it meets the applicable conditions.
67. Since the defendant relies on Article 22.2.c) GDPR in conjunction with Article 22.4 GDPR, it must
take the necessary appropriate measures to protect the rights of the data subject. These measures must include at least the
following: the right to human intervention, the right for the data subject to make his or her
point of view known and the right to challenge the decision. 68. Based on the defendant's statement and the privacy statement regarding automatically
taken decisions as submitted by the defendant, the Dispute Chamber
establishes that the defendant has taken various measures. Automated
individual decision-making without human intervention is only taken in the
case of a positive decision. In the event that various indicators go off and
a negative decision may have to be taken, the file will in any case be
assessed by an employee for verification. The person concerned can object to
profiling, which means that the decision to qualify for credit and
associated mortgage insurance cannot be made automatically. If a person concerned does not
agree with the automated individual decision, he or she can, in accordance with the
privacy statement, contact the defendant in various ways to let
know why he or she does not agree with the decision and to ask
to review the decision taken. 69. In view of the above, the Dispute Chamber finds, on the basis of the statements of
the defendant and the applicable privacy statement, that the defendant legitimately bases
the automated individual decision-making based on health data on explicit consent and has taken the necessary
appropriate measures to protect the rights of the data subject. Since the
Dispute Chamber finds no indications in the Inspection Report or in the
conclusions of the complainant that would refute this finding, the Dispute Chamber finds that
there is no infringement of Article 22 GDPR, Article 24 GDPR and Article 25 GDPR.
Decision on the merits 109/2024 — 17/24
II.4. Information obligations in the privacy statement
II.4.1. Findings in the Inspection Report
70. The Inspection Service finds that the general privacy statement regarding customers in the broad sense
does not always contain concise, transparent and comprehensible information (Article 12.1
GDPR) and does not contain all the information required under Article 13 GDPR.
71. With regard to the information that is not always concise, transparent and comprehensible, the
Inspection Service finds that the statement in the privacy statement that the defendant is part
of a group of companies has no added value. Furthermore, the
Inspection Service points out that the words personal data and data are not synonyms that are
used interchangeably. Furthermore, the privacy statement contains long, complex sentences with jargon on several occasions, which may be unclear to
the defendant's customers who are not familiar with the subject matter.
72. The Inspectorate considers the privacy statement to be incomplete, since the direct telephone number of the data protection officer is not included in the privacy statement (Article 13.1.b) GDPR). Furthermore, the privacy statement lacks transparent information on what the appropriate or suitable safeguards are, how a copy can be obtained or who can be consulted when transferring personal data by the defendant to third countries for which there is no adequacy decision by the European Commission (Article 13.1.f) GDPR). The Inspectorate also notes a lack of transparent information on whether the data subject is obliged to provide the personal data and what the possible consequences are if personal data are not provided if the provision of personal data is based on a legal or contractual obligation or a necessary condition for concluding a contract (Article 13.2.e) GDPR).
II.4.2. Position of the defendant
73. The defendant disputes the findings of the Inspectorate regarding the privacy statement
and refutes them in its conclusions.
74. With regard to the findings regarding the not always concise, transparent and
comprehensible information, the defendant points out that references to the group of
which it is part are functionally important to explain to the data subject how his or
her personal data may be used within the group. With regard to the
use of the terms data and personal data, the defendant argues that it does make it
clear to the data subject that the privacy statement relates to personal
data. The word personal data appears no less than 130 times in the privacy
statement. She also points out that the use of the word data does not in any way limit the scope of the Decision on the merits 109/2024 — 18/24
privacy statement, since the word
‘data’ can be considered broader in normal language and under the GDPR than the term
‘personal data’. Next, concerning the use of language in the
privacy statement, the defendant argues that the Inspectorate does not reproduce the targeted passages
in their original context, as a result of which the information that clarifies these
passages has been omitted. In addition, the defendant states that it uses the most common
language possible, but that, given the nature of its activities and the
legal framework in which it operates, it is forced in certain cases to use specific
names and terms. The information to the data subject must be
in accordance with Article 12.1 GDPR not only clear but also concise, whereby an appropriate balance must be found between adding additional
explanation on the one hand and including information in summary form on the other.
75. As regards the finding that the privacy statement contains incomplete information, the defendant puts forward arguments to refute this finding.
Regarding the lack of mention of the direct telephone number of the data protection officer in the privacy statement, the defendant clarifies that it has chosen not to mention this telephone number in view of the defendant's reputation in the Belgian market and the size of the company. After all, it receives a significant number and a wide variety of requests and questions from data subjects. It would not be feasible for the data protection officer to be called directly with these requests.
Data subjects can, however, contact the defendant's helpdesk by telephone. If necessary, the helpdesk agents will forward questions about data protection to the Group Data Protection Unit, of which the data protection officer is a member. As regards the information on
appropriate safeguards for transfers, the defendant states that it explains the relevant transfers
and provides detailed information on the processors it cooperates with. It also provides clear information to the data subject on how to
contact it and how to exercise rights. In its
privacy statement, the defendant firstly confirms its intention to transfer
personal data to recipients who may be located outside the European Economic
Area in certain situations, secondly in which countries the processors are located
through which transfers may take place and thirdly that for certain
countries to which transfers may take place there is no adequacy decision by the European
Commission and that, where appropriate, appropriate safeguards will be invoked, including
standard contractual clauses and control mechanisms
to ensure the level of protection. Finally, the defendant points out that it does indeed state in detail in its privacy statement when the provision of personal data is a legal or contractual obligation.
II.4.3. Assessment by the Dispute Resolution Chamber
76. In implementation of the principle of transparency in Article 5.1.a) GDPR, the controller shall take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 and the communication referred to in Articles 15 to 22 and Article 34 in connection with the processing in a concise, transparent,
intelligible and easily accessible form, and in clear and plain language.
77. Taking into account the findings of the Inspection Service and after assessing the
argumentation of the defendants and the privacy statement enclosed with the documents, the
Dispute Chamber rules that there is no infringement of Article 12.1 GDPR in conjunction with Articles 13.1 and 13.2 GDPR.
II.5. Accuracy of the data and right to rectification (Article 5.1.d) GDPR and Article 16 GDPR)
II.5.1. Position of the complainant
78. In his complaint, the complainant states that the medical questionnaire is completed via the
website of the defendant, where the user is guided through the questionnaire via a series of
screens. Before completing the questionnaire, the user is informed that the information buttons in the questionnaire
must always be used to avoid unnecessary information being included. For each section of the questionnaire there is a list of conditions that should not be mentioned. At the end, this completion process results in a summary document that must be signed. However, this summary document lacks the list of conditions that should not be mentioned, which, according to the complainant, makes the questionnaire open to discussion. In this regard, the complainant states that the question may arise whether a specific condition was concealed by the applicant or whether the respondent herself had indicated that it was not necessary to mention that specific condition. Consequently, there is a possibility that the completed data may be subject to different interpretations. In this regard, the complainant points out that a possible discussion about the completed data between the respondent as insurer and the beneficiaries of the insurance may arise after the death of the insured. However, these beneficiaries did not complete this list, and
are also unaware of the original questions and the difference between the questionnaire
and the resulting summary document. According to the complainant, the accuracy of the
information, given the context of the mortgage protection insurance, is extremely important,
among other things because of the high financial stake. Although the complainant requested this, the
Decision on the merits 109/2024 — 20/24
defendant did not, according to him, make any corrections to the final document in order to
accurately reflect the questionnaire.
II.5.2. Position of the defendant
79. In its conclusions, the defendant argues that, in order to help the customer
complete the digital medical questionnaire and avoid the collection of unnecessary data (and
thus ensure data minimisation), it provides a limited number of ‘information buttons’
in some free text fields of its digital medical questionnaire. These information buttons
indicate conditions that in any case have no influence on the risk of death and
are therefore by definition not relevant when completing the questionnaire.
80. The defendant emphasizes that the purpose of the medical questionnaire is to be able to correctly estimate the risk of death of the insured. The defendant may, on the basis of the insurance legislation, only request information on conditions that may entail an increased risk of death with her medical questionnaire for a mortgage loan, referring to Article 5.1° of the Royal Decree of 10 April 2014 regulating certain insurance contracts to guarantee the repayment of the capital of a mortgage loan 12 ("Royal Decree on Mortgage Loan Insurance"). This article stipulated, among other things, the following condition for the medical questionnaire: "the questions asked are precise and relate exclusively to events that may substantiate the increased nature of a health risk for the candidate insured".
81. The defendant adds that, as a guarantee with regard to the insured, the legislator subjects the medical questionnaire of each insurer to external supervision.
The questionnaire used by the defendant is subject to the prior approval of the Follow-up agency subject, pursuant to article 4 of the Royal Decree
13
Mortgage protection insurance.
82. The defendant then refers to article 5.1.d) GDPR, which states that personal data
must be correct and updated if necessary. All reasonable measures must be
taken to erase or rectify without delay personal data that are inaccurate,
having regard to the purposes for which they are processed. Pursuant to article 16 GDPR,
the data subject has the right to obtain from the controller without delay rectification
of incorrect personal data concerning him.
1BS 10 June 2014.
13
Art. 4 Royal Decree on Mortgage Protection Insurance: “An insurance company may only use a medical questionnaire
when processing an application for mortgage protection insurance on condition that the formulation of the questions
has been approved in advance by the Follow-up Agency. The Monitoring Office shall decide within one month of receipt on the approval of the wording of the questions. The decision by the Monitoring Office shall be taken by a simple majority of votes.” Decision on the substance 109/2024 — 21/24
83. The defendant states that the medical questionnaire, including the information buttons, and the answers provided are stored on its secure IT system, which means that the personal data are ‘correct’ within the meaning of Article 5.1.d) GDPR. The subsequent possibility that the defendant offers to download the questions and answers in a PDF document does not affect the foregoing and does not entail that the personal data stored in the defendant’s systems are therefore incorrect and would give the complainant the right to ‘rectify’ those data accordingly within the meaning of Article 16 GDPR.
84. It also follows from the text of the GDPR that the accuracy of the personal data must be
assessed in light of the purposes for which they are processed, as the defendant argues. The fact that the medical questionnaire is intended to allow the defendant
to assess the risk of death of the prospective policyholder – for which
conditions without an influence on the risk of death that are indicated in the
information button are irrelevant – means that the personal data as shown in the
downloadable PDF document must also be considered as correct in light of the
aforementioned purpose of the processing.
85. Consequently, the defendant concludes, it can hardly be said that the complainant's right to rectification was disregarded, since, firstly, the personal data must indeed be considered correct and, secondly, the defendant responded to the complainant's request within the period provided for by the GDPR and requested clarification in this regard, to which it did not receive a response from the complainant.
II.5.3. Assessment by the Dispute Resolution Chamber
86. On the basis of the elements provided by the defendant in the conclusions, with reference
to the documents, the Dispute Resolution Chamber concludes that the defendant has made the necessary efforts
to demonstrate that the accuracy of the personal data is guaranteed and that it has responded to the complainant's request
for rectification in a timely and correct manner, so that there is no infringement of Article 5.1.e) GDPR and Article 16 GDPR.
II.6. Integrity and confidentiality (Article 5.1.f) GDPR)
II.6.1. Position of the complainant
87. The complainant states that after completing the aforementioned questionnaire when applying for the
mortgage insurance, a document is offered for signature, the above-
summary document. This signature must be done via the mobile application
of the defendant and is an essential part of guaranteeing the integrity of the
substantive decision 109/2024 — 22/24
personal data. The complainant argues that, without proper
signature, there is a possibility that the defendant will subsequently change the data. The
complainant also points out that the defendant, as an insurer, has a conflicting interest
with respect to the data subjects (the beneficiaries).
88. In assessing whether the security is appropriate, the complainant submits that
the sensitivity of the personal data in question and the impact of a change, i.e. a breach of the integrity, of the data, should be taken into account. The complainant argues that
although appropriate technology is available to ensure the integrity of the data and to provide evidence of this
to third parties, the respondent does not use it. According to the complainant, the integrity of the document is not
guaranteed by a digital signature based on public key cryptography, or this signature
is in any case not visible to the complainant. In the absence of such a signature, the
integrity of the document is not sufficiently guaranteed.
II.6.2. Position of the defendant
89. The defendant disputes the complainant's allegations and states that it has indeed taken appropriate
technical and organisational measures "to ensure a level of security appropriate to the risk",
in accordance with what Article 5.1.f) GDPR and
Article 32 GDPR require. Article 32 GDPR also expressly
makes it clear that the GDPR does not prescribe one specific security
measure, but that the assessment of the level of security is based on the totality of
technical and organisational measures taken, as well as on the need to take into
account "the state of the art, the costs of implementation, and the nature, scope,
context and purposes of the processing and the varying likelihood and severity of the
risks to the rights and freedoms of individuals".
90. As regards the integrity of the digital medical questionnaire, the
defendant has implemented an appropriate combination of technical and organisational
measures. After the digital medical questionnaire has been completed, all answers entered by the prospective policyholder are automatically transferred by the system to the document that is presented to the person concerned for signature. After
signing, these data can no longer be modified in the defendant's systems.
This is technically built into the database. Even if an employee is granted access to the stored medical questionnaire under the strict
access policy, that employee cannot modify the stored answers of the prospective policyholder to the medical
questionnaire in the system.
91. The defendant then sets out the main security measures concerning the integrity of the data from the medical questionnaire. This includes strong Decision on the merits 109/2024 — 23/24
authentication within the highly secured banking environment of the defendant, the
signature with a secret PIN code or via facial recognition, the time stamp of the
signature, the isolated storage systems where the completed questionnaires are
stored in an isolated database, separate from other files and
processing systems of the defendant, access control for employees with a very
strict access policy, no possibility of changing the completed answers
for employees; the completed medical questionnaires can never be consulted by
agencies or offices, and the internal policy includes specific guidelines for the
processing of medical data within the defendant, such as the management of
access to medical data and of the authorisation for certain applications and the storage of
medical data. The defendant emphasises that these technical and organisational
measures are closely monitored and adjusted if necessary. 92. The defendant also points out that, apart from all the previous measures, the
candidate policyholder can also save the completed medical questionnaire on
his/her own device. The alleged – and purely hypothetical – risk of modification by
the defendant that the plaintiff refers to can simply be countered in this way,
the defendant states. In such a scenario, the downloaded copy would enable the
plaintiff to demonstrate a modification and provide counter-evidence,
the defendant explains. If desired, the person concerned can also subsequently
ask the defendant for a copy of the medical questionnaire, as the plaintiff did in this
case.
93. Finally, the defendant argues that there are no special legal requirements for the
signing of medical questionnaires regarding the type of signature required, neither under the
EU eIDAS Regulation, nor under Belgian law, nor under the GDPR. The totality of the organisational and technical measures taken
guarantee a sufficient level of security appropriate to the risk in accordance with the
requirements of Article 5.1.f) GDPR in conjunction with Article 32 GDPR, the defendant concludes.
II.6.3. Assessment by the Dispute Chamber
94. Based on the elements provided by the defendant in the conclusions, with reference
to the documents, the Dispute Chamber concludes that the defendant has made the necessary efforts
to demonstrate that the required technical and organisational measures
have been taken to ensure secure data processing, so that there is no infringement
of Article 5.1.f) GDPR in conjunction with Article 32 GDPR.
14Full version: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
