APD/GBA (Belgium) - 25/2020

From GDPRhub
APD/GBA - DOS-2019-01156
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 30 GDPR
Article 37 GDPR
Article 38 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 14.05.2020
Published: 14.05.2020
Fine: 50000 EUR
Parties: n/a
National Case Number/Name: DOS-2019-01156
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Belgian DPA (in NL)
Initial Contributor: n/a

The Litigation Chamber analysed the legal grounds for the various processing activities described in an insurer's privacy statement. It concluded that the GDPR had been violated, since the legitimate interests invoked were not further explained by the controller.

English Summary

Facts

The insurance company had a privacy policy in which unspecified legitimate interests were advanced as the legal ground for some of its processing activities. Consent was requested separately for specific purposes (despite the fact that the defendant claimed during the proceedings that these were based on legitimate interests).

Dispute

- Is the privacy policy specific enough?

- Are the legitimate interests that the controller claims to have valid under Article 6 GDPR?

- Should a DPIA be conducted, and should it be shared with the complainant?

Holding

- The Litigation Chamber held that the controller did not demonstrate any legitimate interest that would justify processing for those purposes. In this case, consent was required.

- The privacy statement did not meet some of the requirements of Article 13 GDPR. For instance, the Litigation Chamber criticised the absence of any indication of the right to object to the processing (regarding direct marketing processing activities and other processing activities based on "legitimate interests").

- The Litigation Chamber considered that the lack of any information on the specific legitimate interests invoked violated Article 13 GDPR.

- A DPIA did not have to be conducted, but best practice requires that the policy be regularly assessed.

- Health data cannot be processed on the basis of Article 6(1)(b) GDPR (necessity for the performance of the contract) but need another legal basis under Article 9 GDPR, such as explicit consent.

Comment

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

File number: DOS-2019-02902

Subject: Lack of transparency in the privacy statement of an insurance company.

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Dirk Van Der Kelen and Jelle Stassijns, members;
 
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter AVG; 
 
Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as WOG;

Having regard to the Internal Rules of Procedure approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;
 
Having regard to the documents in the file; 
 
has taken the following decision regarding:
- X, hereinafter referred to as 'complainant';
- Y, hereinafter referred to as 'defendant'.
 
 
(a) Facts and procedure 
1.	On 14 June 2019, the complainant filed a complaint with the Data Protection Authority against the defendant. 
 
2. The subject of the complaint concerns the use of health data obtained from the person concerned by the insurance company within the framework of hospitalisation insurance for other purposes without the express consent of the insured person concerned. The complainant states that he has no problem with his health data being processed for the execution of obligations under the hospitalisation insurance taken out with the defendant, but does have a problem when the same health data are processed for the purposes listed in point 4.3. of the privacy statement and for the transfer to third parties as mentioned in point 9 of the same privacy statement (it concerns point 6, but the reference to point 9 is a material error) as mentioned in the privacy statement of the defendant. He asks that specifically for those purposes, as well as for the transfer, the defendant gives the data subject the choice whether or not to consent to the processing of his health data. Finally, the complainant indicates that he wishes to receive a data protection impact assessment from the defendant, as it concerns the processing of data with a high risk for the data subjects.
 
3. On 26 June 2019, the complaint was declared admissible pursuant to Sections 58 and 60 of the WOG, the complainant was notified pursuant to Section 61 of the WOG and the complaint was submitted to the Disputes Chamber pursuant to Section 62(1) of the WOG.

4. On 23 July 2019, the Disputes Chamber decided on the basis of art. 95, §1, 1° and art. 98 WOG that the file was ready for treatment on the merits.

5. On 24 July 2019, the parties concerned were informed by registered mail of the provisions mentioned in article 95, §2, as well as of the provisions in art. 98 WOG. On the basis of art. 99 WOG, the parties concerned were also informed of the time limits for submitting their defences. The deadline for receiving the complainant's reply was set at 7 October 2019 and for the defendant's reply at 7 November 2019.
 
6. On 29 July 2019, the defendant notifies the Disputes Chamber that it has taken note of the complaint, requests a copy of the file (art. 95, §2, 3° WOG) and accepts that all communication concerning the case be conducted electronically (art. 98, 1° WOG).
 
7.	A copy of the file shall be transmitted to the defendant on 30 July 2019. 
 
8.	On 2 August 2019, the Disputes Chamber receives a letter in which the defendant indicates that he wishes to be heard by the Disputes Chamber (art. 98, 2° WOG). 
 
9. On 6 September 2019, the Disputes Chamber receives the defendant's statement of defence. The defendant states in its defence that the processing of special categories of personal data, in this case health data, by the health care insurer is lawful. The processing of these special categories of personal data (Article 9 AVG) is in principle prohibited; for this processing, the defendant invokes the exception in Article 9.2(a) AVG, namely the explicit consent of the data subject. Second, the defendant argues that no separate consent is required for every transfer of personal data. Third, according to the defendant, there is no question of requesting consent for the processing of data other than health data. Finally, according to the defendant, a data protection impact assessment was not necessary in this case, as it concerns already existing processing operations and not new processing operations started after 25 May 2018.
 
10.	The complainant did not exercise the right to submit a reply. 
 
11.	The defendant does not submit a new conclusion and on 7 November 2019 submits only productions in support of the conclusion of reply submitted on 6 September 2019. 
 
12.	On 9 January 2020, the parties are informed that the hearing will take place on 28 January 2020. 
 
13. On 28 January 2020, the defendant is heard by the Disputes Chamber. The complainant, although duly summoned, did not appear. Among other things, the defendant answers questions from the Disputes Chamber about the legal basis for the processing of personal data other than health data. After this, the debates are closed.

14. On 29 January 2019, the minutes of the hearing are submitted to the parties.
 
15.	On 31 January 2020, as requested at the hearing, the defendant provides the annual turnover for the last three financial years. Over the years 2016-2018, these always amount to a turnover between 500 and 600 million Euros. 
 
16.	On 6 February 2020, the Chamber of Disputes receives some comments from the defendant concerning the minutes, which it decides to include in its deliberations. 
 
17.	On 25 March 2020, the Disputes Chamber informed the defendant of its intention to impose an administrative fine, as well as the amount thereof, in order to give the defendant the opportunity to defend himself before the sanction is effectively imposed. 
 
18.	On 8 May 2020, the Disputes Chamber will receive the defendant's response to the intention to impose an administrative fine, as well as the amount thereof. 
 
19. The defendant argues that the alleged infringements included in the Disputes Chamber's notice of intention are completely new and that it has not been able to defend itself in this respect. However, the Disputes Chamber must establish that it is irrefutably apparent from the documents in the file that the defendant has been able to fully exercise its right of defence.
 
20.	The defendant also disagrees with the imposition of a fine, or the proposed level of the fine. It does not, however, put forward any (new) arguments in support of this assertion. Therefore, the defendant's response does not give cause for the Disputes Chamber to amend the intention to impose an administrative fine, nor does it change the amount of the fine as intended. 
 
(b) Legal basis 
 
• Lawfulness of processing
 
Art. 6.1. AVG 
 
1. Processing shall only be lawful if and insofar as at least one of the following conditions is met:
a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party, or to take measures at the request of the data subject prior to the conclusion of a contract;
c) the processing is necessary to comply with a legal obligation incumbent on the controller;
[…]
f) processing is necessary for the purposes of pursuing the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
 
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the exercise of their functions. 
 
• Transparent information

Art. 5.1. AVG:
Personal data must be:
(a) processed in a way that is lawful, fair and transparent as regards the data subject ('lawfulness, fairness and transparency');
[…] 
 
 
Art. 5.2. AVG: 
 
2. The controller shall be responsible for ensuring compliance with paragraph 1 and shall be able to demonstrate such compliance ('accountability').
 
Art. 12.1. AVG. 
 
1. The controller shall take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 and the communication relating to the processing referred to in Articles 15 to 22 and Article 34 in a concise, transparent, comprehensible and easily accessible form, in clear and simple language, in particular when the information is specifically intended for a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. If the data subject so requests, the information may be provided orally, provided that the identity of the data subject is proven by other means. 
 
 
Art. 13.1. and 2. AVG. 
 
1. Where personal data relating to a data subject are collected from that person, the controller shall provide the data subject with all of the following information when the personal data are obtained:
[…]
c) the processing purposes for which the personal data are intended and the legal basis for the processing;
d) the legitimate interests of the controller or of a third party where the processing is based on Article 6(1)(f);
[…]
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following additional information when the personal data are obtained in order to ensure proper and transparent processing:
[…] 
(b) that the data subject shall have the right to obtain from the controller access to, and the right to rectify or erase, personal data or to restrict processing operations concerning him/her, as well as the right to object to such processing and the right to obtain the transfer of data; 
[…] 
 
 
(c) Reasoning

a) Purposes in 4.3. of the Privacy Statement - Ground for processing (Art. 6.1. AVG)
 
21. The Disputes Chamber notes that the issue raised by the complainant relates to point 4.3. of the defendant's privacy statement, which states that personal data are processed on the basis of the legitimate interest of the insurance company, for the following purposes:
• Performing computer tests;
• Monitoring the quality of service;
• Training personnel;
• Monitoring and reporting;
• Preventing abuse and fraud;
• The storage of video surveillance recordings during the legal period;
• Compiling statistics of coded data, including big data;
• Providing information, regardless of the means of communication, on the commercial actions, products and services of the insurance company and of the group to which it belongs.
 
22.	The complainant argues in this regard that the customer should be given a choice as to whether he agrees to the processing of sensitive data relating to him that he has provided to the defendant in the context of carrying out the obligations relating to his hospitalisation insurance, for the purposes listed in point 4.3 above. The complainant contends that the defendant does not offer him this option. 
 
23.	In this regard, the defendant argues that the processing operations listed in 4.3. of the Privacy Statement do not require consent, since the defendant invokes the legitimate interest as a legal basis for the processing for the purposes stated therein in accordance with Article 6.1.f) of the AVG. The defendant argues that he can rely on that legal ground, since only 'ordinary' personal data are processed for those purposes and no consent of the data subject is required as in the case of health data as referred to in Article 9 AVG. 
 
24.	The defendant argues that for the purposes mentioned in point 4.3. of the Privacy Statement, personal data are processed, but not health data. 
 
25.	The Disputes Chamber notes that for the processing of personal data, other than health data, the lawfulness of the processing must be assessed in the light of article 6.1. AVG which contains six ancillary processing grounds, including the legitimate interest (art. 6.1(f) AVG) invoked by the defendant in the present case. 
 
26. However, the Disputes Chamber emphasises that, according to the case law of the European Court of Justice, when a controller relies on the legitimate interest to consider a processing operation to be lawful, "three cumulative conditions must be met for the processing of personal data to be lawful, that is to say, in the first place, the protection of a legitimate interest of the controller or of the third party or parties to whom the data are disclosed, secondly, the necessity of the processing of the personal data for the protection of the legitimate interest and, thirdly, the fact that the fundamental rights and freedoms of the data subject do not prevail."

27. In doing so, the interests or fundamental rights and freedoms of the person concerned must be weighed (Article 6(1)(f) AVG), and the recitals of the AVG relating to Article 6(1)(f), in particular Recital 47, must be taken into account.
 
28.	Thus, the Disputes Chamber is of the opinion that, for each of the purposes mentioned in point 4.3. of the privacy statement, the extent to which the defendant can invoke the legitimate interest as a legal ground on which the processing is based should be examined. Recital 47 of the AVG states centrally that a careful assessment is required to determine whether there is a legitimate interest, as well as to determine whether a data subject may reasonably expect that processing can take place for that purpose at the time and in the context of the collection of the personal data. 
 
29.	On the basis of the elements available to the Chamber of Disputes, it is of the opinion that the defendant can base the data processing on the legitimate interest for the objective 'prevention of abuse and fraud' as mentioned in section 5 of point 4.3. of the Privacy Statement. Indeed, it is undisputed that the processing of personal data for this purpose is necessary to protect the legitimate interest of the defendant and that this interest outweighs the interest of the complainant in the protection of his personal data. In this respect, the Disputes Chamber refers to consideration 47 of the AVG, which states that the processing of personal data that is strictly necessary for the prevention of fraud is a legitimate interest of the controller. 
30.	The Litigation Chamber adds that notwithstanding the defendant's assertion that no health data are processed for the purposes set out in 4.3. of the Privacy Statement, including the purpose of 'preventing abuse and fraud', it is clear from the consent form that explicit consent is sought to process health data for, inter alia, 'prevention, detection and investigation of insurance fraud'. The Litigation Chamber finds here that there is an inconsistency between what the defendant asserts in its conclusion and what the consent form determines and comes back to this when assessing the obligation of transparency that rests on the defendant. 
 
31.	The purpose included in section 8 of point 4.3. of the privacy statement "providing information, whatever the means of communication, on the commercial actions, products and services of the insurance company and of the group to which it belongs", which must be qualified as direct marketing, is also possible on the basis of the legitimate interest, but must be read in conjunction with Article 21.2. AVG which states that the data subject has the right to object at any time to the processing of personal data relating to him/her for direct marketing purposes, including profiling relating to direct marketing. The Disputes Chamber will also return to this matter when assessing the obligation of transparency on the part of the defendant. 
 
32.	For the other purposes included in 4.3. of the privacy statement, the Disputes Chamber is of the opinion that there is no question of a legitimate interest on the part of the defendant that would outweigh the interests and fundamental rights of the complainant to the protection of his personal data. 
 
33.	Recital 47, which states that a legitimate interest may exist where there is a relevant and appropriate relationship between the data subject and the controller, in situations where the data subject is a customer, does not imply, according to the Litigation Chamber, that in the context of that relationship where the complainant is acting as a customer of the defendant, data processing would be possible for any purpose. The defendant does not demonstrate in any way what his legitimate interest would consist of and also fails to demonstrate to what extent his interest would outweigh the interests and fundamental rights of the complainant, although he is obliged to do so by virtue of his accountability (art. 5.2. AVG). 
34. The Disputes Chamber is therefore of the opinion that the infringement of art. 6.1. AVG is proven, since the data processing for the purposes mentioned in sections 1, 2, 3, 4, 6 and 7 of point 4.3. of the Privacy Statement, without any demonstrated legitimate interest, should be based on the consent of the complainant in the absence of any other potentially applicable legal basis in art. 6.1. AVG. The diversity of the purposes listed in 4.3. of the privacy statement leads the Disputes Chamber to decide that, for each of these purposes separately, the complainant, and by extension all data subjects using the service offered by the defendant, must be offered the possibility to choose whether or not they consent to the processing of their personal data. In this regard, the Disputes Chamber refers to the Guidelines on consent under Regulation 2016/679, which provide that a service may involve multiple processing operations for multiple purposes. In such cases, data subjects should be free to choose which purpose they accept, rather than having to give their consent for a set of processing purposes. In a particular case, according to the AVG, it may be justified to obtain multiple consents before starting to provide a service.
 
(b) Purposes in point 6. of the Privacy Statement - Ground for processing (Art. 6.1. AVG) 
 
35.	In addition to 4.3. of the privacy statement, the complainant states that also with regard to point 6 of the privacy statement, which deals with the transfer of personal data to third parties, a problem arises because here too he is not offered the choice of whether or not to consent to the transfer of his personal data to third parties. The complainant states that transfers to third parties are not permitted without consent, unless there is a legal obligation to do so. 
 
36.	The defendant claims not only to rely on consent as the legal basis for the transfer of personal data to third parties, but also, on the other hand, to invoke, as the case may be, the performance of the contract, the legitimate interest and the legal obligation and specifies, for each of the categories of third parties mentioned in 6. of the Privacy Statement, the legal basis on which the transfer is based. 
 
37.	The defendant explicitly states that, to the extent that it concerns a transfer of health data, the explicit consent of the data subject is required. This is only the case for the transfer to 'Insurance intermediaries, for data concerning health, in indemnity statements and in the copy of the insurance contract with possible exclusions and/or additional premiums, if the person concerned has given them prior explicit and informed consent' (point 6, second part of the Privacy Statement). For the other transfers mentioned in 6. of the privacy statement, the defendant states that it concerns personal data other than health data, in such a way that the consent of the data subject is not required. 
 
38.	The Disputes Chamber notes that only in a single case health data are processed and the defendant obtains the consent for the transfer mentioned in point 6, second part, in such a way that no problem arises in this respect and the defendant acts in accordance with art. 9.2. a) AVG. 
 
39.	The defendant relies on the performance of the agreement (art. 6.1. b) AVG) as the legal basis for the transfer to the following third parties: "Health insurance funds, for enabling compensation; One or more insurance companies in case of co-insurance, assistance and/or recovery of costs in case of liability of a third party in the occurrence of the damage; Banking institutions; Postal, transport and delivery companies in order to be able to better send our mail" (6., third, fourth, eighth and ninth part of the privacy statement). The Dispute Chamber rules that these transfers are based on a valid legal basis. 
 
40.	The same applies to transfers to third parties that are based on a legal obligation (art. 6.1. c) AVG), i.e. transfers to third parties: "The insurance ombudsperson in the event of a dispute; Tax and social administrations, because of the statutory obligations of the health care insurer; The public supervisory and controlling authorities, because of the statutory obligations of the insurance company' (section 6., seventh, tenth, eleventh and twelfth sections of the privacy declaration). 
 
41.	For the transfer to 'Insurance intermediaries for statistical purposes of encrypted data which they will explain and produce at the request of the person concerned' (point 6, first part of the Privacy Statement), the defendant argues that it would be purely statistical information which does not contain personal data. The Chamber of Disputes does not have any document to the contrary. 
 
42.	However, the Litigation Chamber finds that for both the transfer to 'The W companies to which the insurance company belongs, for monitoring and reporting' and the transfer to 'Subcontractors in the European Union or abroad, responsible for processing activities defined by the insurance company', the defendant relies on its legitimate interest as the legal basis for the processing. 
 
43.	However, the defendant does not demonstrate in any way what his legitimate interest would consist of and also fails to show to what extent his interest would outweigh the interests and fundamental rights of the complainant, although he is obliged to do so by virtue of his duty of accountability (Articles 5.2 and 24 AVG). In this connection, the Disputes Chamber also reiterates the requirements for the use of the processing basis justified interest arising from the aforementioned case law of the European Court of Justice. 
 
44.	The Disputes Chamber is therefore of the opinion that also with regard to the transfer of personal data to third parties, the infringement of article 6.1. AVG has been proven, since the data processing for the transfers to third parties mentioned in sections 5 and 6 under 6. of the privacy statement, without any demonstrated legitimate interest, should be based on the consent of the complainant in the absence of any other potentially applicable legal basis in art. 6.1. AVG. 
 
 
(c) Transparent information (Articles 5(1)(a), 12(1), 13(1) and 13(2) AVG)

- Point 4.3. privacy statement
 
45.	Pursuant to the AVG, the data controller is obliged to inform the data subject in a concise, transparent, comprehensible and easily accessible form and in clear and simple language (Articles 5.1. a), 12.1. and 13.1. AVG). The Disputes Chamber finds that, with regard to 4.3. and 6. of the Privacy Statement, the defendant is in breach of that obligation. 
 
46.	First of all, the defendant fails to make a clear distinction between the processing of health data on the one hand, and the processing of other 'ordinary' personal data on the other hand, both for each of the purposes of 4.3. of the privacy statement, and for each of the transfers of 6. of the privacy statement. However, such a distinction is of fundamental importance in order to determine on what legal basis the processing can be based for a specific purpose or transfer to a third party (art. 13.1. c) AVG). 
 
47.	The defendant states in 4. of the privacy statement: 'Personal data are processed for the following purposes:' However, health data are also personal data, so it can be deduced, as the complainant states, that section 4.3. relates to health data. Indeed, consent is sought for the processing of health data and then the defendant invokes in 4.3. of the Privacy Statement the legitimate interest in processing 'personal data' for the purposes stated therein. The defendant makes no distinction in 4.3. between 'ordinary' personal data and health data. 
 
48. Moreover, the defendant creates ambiguity by claiming not to process health data for the purpose 'prevention of abuse and fraud' referred to in 4.3.; the consent form, however, states that explicit consent is sought to process health data for, inter alia, 'prevention, detection and investigation of insurance fraud'.
 
 
49. In addition, the privacy statement only states that for the purposes mentioned in 4.3. personal data will be processed on the basis of the legitimate interest of the defendant, without indicating exactly what this legitimate interest would consist of, whereas Article 13(1)(d) AVG does require the controller to provide the data subject with information about its legitimate interests if the processing is based on Article 6(1)(f).

50. The Disputes Chamber also refers to the Guidelines on Transparency under Regulation (EU) 2016/679, which emphasise the need to identify the specific interest in question for the benefit of the person concerned.
 
51. As a best practice, the controller may also, prior to the collection of personal data from the data subject, provide the data subject with information on the balancing carried out in order to use Article 6(1)(f) as the legal basis for the processing. In order to avoid information fatigue, this information may be included in a tiered privacy statement/notification. The information provided to data subjects should make it clear that they can receive information on the balancing upon request. This is essential for effective transparency where data subjects have doubts about the fairness of the assessment made or wish to lodge a complaint with a supervisory authority.
 
52.	In addition, the Disputes Chamber finds that the privacy statement does not mention the possibility for the data subject to exercise their right of objection. This constitutes an infringement of article 12.1. AVG which stipulates that the data controller must take appropriate measures to inform the data subject about, among other things, the right to object guaranteed in article 21.2. AVG. 
 
53.	For the purpose included in section 8 of 4.3. of the privacy statement 'the provision of information, irrespective of the means of communication, about the commercial actions, products and services of the insurance company and of the group to which it belongs', which must be qualified as direct marketing, Article 21.2. AVG requires that the data subject has the right to object at any time to the processing of personal data relating to him/her for direct marketing purposes, including profiling relating to direct marketing. No document shows that the complainant has been informed of his or her right to object to the processing of his or her personal data for direct marketing. This constitutes an infringement of Article 13.2. b) AVG. 
 
- Point 6. privacy statement

54. Point 6. of the privacy statement also does not always mention the legal basis for the transfer to each of the different categories of third parties. Only in point 6, second part, is consent mentioned as a legal basis (art. 6.1. a) AVG); point 6, tenth and eleventh parts, refer to the defendant's legal obligations, and point 6, twelfth part, refers to the legal obligation to which the person concerned is subject for the payment of the international tax, if any (Art. 6.1. (c) AVG).
 
55.	In other cases of transfers to third parties, point 6. of the privacy statement does not mention the legal basis. 
 
56. This is, however, the case in the statement of defence provided by the defendant in the context of the proceedings before the Disputes Chamber, in which the processing basis is stated for each transfer mentioned in 6. of the privacy statement. For the sake of transparency, the processing basis for all transfers must be stated in the privacy statement in order for the defendant to comply with its obligation under art. 13.1 c) AVG. However, this is not the case, so that the Disputes Chamber is of the opinion that there is a breach of art. 13.1 c) AVG.
 
57.	Also with regard to point 6 of the privacy statement, the defendant does not indicate in its reasoning what the legitimate interest it invokes would be in processing the complainant's personal data for the purpose of transfer to 'The W companies to which the insurance company belongs, for monitoring and reporting purposes' and 'Subcontractors in the European Union or abroad, responsible for processing activities defined by the insurance company'. However, Art. 13.1 d) AVG does require the controller to inform the data subject of the legitimate interests pursued by the controller where the processing is based on Article 6.1 f) AVG. The Litigation Chamber refers again to the Guidelines on transparency under Regulation (EU) 2016/679 and to the considerations above.
 
58.	On the basis of all these findings, the Litigation Chamber is of the opinion that the defendant has failed to fulfil its obligations under Article 13.1 c) and d) AVG and Article 13.2 b) AVG, by not providing the required information to the complainant and by not taking appropriate measures to ensure that the complainant would receive the information referred to in Article 13 and the communication referred to in Article 21.2 AVG in connection with the processing, as required by Article 12.1 AVG.
 
59.	It follows that the defendant has not respected the basic principle that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (Art. 5.1 a) AVG). Moreover, to the extent that the defendant invokes its legitimate interest as a legal basis for the processing operations specified above, it does not comply with its accountability obligation (Art. 5.2 AVG), and that legitimate interest therefore cannot be considered a valid legal basis within the meaning of Art. 6.1 AVG.
 
(d) Data protection impact assessment 
 
60.	The complainant wishes to have access to the defendant's data protection impact assessment (hereinafter DPIA). According to the complainant, a DPIA is mandatory for the defendant because the processing operations concerned involve a high risk to the rights and freedoms of natural persons.
 
61.	The defendant, however, stresses that it is not obliged to carry out a DPIA, since it has a long history of processing health data in the context of its insurance activities, and a DPIA is in principle only required for existing processing if the risks to the rights and freedoms of natural persons have changed after 25 May 2018. The defendant argues that there has been no such change. The defendant relies on Recommendation No 01/2018 of the Data Protection Authority of 28 February 2018 on data protection impact assessments and prior consultation, and on the Guidelines on data protection impact assessments and determining whether processing is 'likely to result in a high risk' for the purposes of Regulation 2016/679.
 
62.	The Litigation Chamber is of the opinion that, in so far as the defendant processes health data, this is indeed an existing high-risk processing operation, but that there is no indication that the risks to the rights and freedoms of natural persons have changed after 25 May 2018, taking into account the nature, scope, context and purposes of the processing, such that a DPIA would be required. There is therefore no infringement of Art. 35 and/or Art. 36 AVG.
 
63.	However, the Litigation Chamber adds that, on this point too, it follows the abovementioned Guidelines on data protection impact assessments, which state that it is good practice to continuously review and regularly reassess a DPIA. Therefore, even if a DPIA was not required on 25 May 2018, the controller must carry out a DPIA at the appropriate time as part of its overall accountability.
 
64.	With regard to the complainant's request to receive the DPIA in question, the Litigation Chamber points out that the AVG contains no obligation for the controller to publish a DPIA. The controller decides autonomously whether or not to publish the DPIA, with the aim of creating trust in its processing and demonstrating accountability and transparency, without having to publish the full DPIA. The Litigation Chamber does, however, consider it particularly good practice for controllers to consider publishing at least parts of their DPIA, such as a summary or its conclusions.
 
65.	Since the defendant is under no obligation to communicate the DPIA and, as a result, the complainant has no right of access to it, the Litigation Chamber cannot grant the complainant's request to obtain the DPIA.
 
(e) Breaches of the AVG and penalties to be imposed
 
66.	The consequences of the defendant's failure to fulfil its responsibilities as controller constitute a risk to the rights and freedoms of the complainant. Recital 75 AVG states that any 'social disadvantage' resulting from the processing of personal data is a relevant risk under the AVG.
 
67.	The Litigation Chamber finds that an infringement of Art. 5.1 a), Art. 5.2, Art. 6.1, Art. 12.1, Art. 13.1 c) and d) and Art. 13.2 b) AVG has been established and that it is appropriate to order that the processing be brought into conformity with these articles of the AVG (Art. 58.2 d) AVG and Art. 100, §1, 9° WOG), and to impose an administrative fine in addition to this corrective measure (Art. 83.2 AVG; Art. 100, §1, 13° WOG and Art. 101 WOG).
 
 
68.	More specifically, the Litigation Chamber finds the following infringements:

•	Infringement of Article 6.1 AVG:
o	the processing for the purposes mentioned in sections 1, 2, 3, 4, 6 and 7 of point 4.3 of the privacy statement, for which no legitimate interest has been demonstrated, is wrongly not based on the consent of the complainant, there being no other potentially applicable legal basis in Article 6.1 AVG;
o	the processing for the transfers to third parties mentioned in sections 5 and 6 of point 6 of the privacy statement, for which no legitimate interest has been demonstrated, is wrongly not based on the consent of the complainant, there being no other potentially applicable legal basis in Article 6.1 AVG.
•	Infringement of the accountability principle laid down in Article 5.2 AVG, in so far as the defendant invokes its legitimate interest as a legal basis for the processing operations specified above.
•	Infringement of Articles 12.1, 13.1 c) and d) and 13.2 b) AVG, in so far as the defendant failed to provide the complainant with the required information and failed to take appropriate measures to ensure that the complainant would receive the information referred to in Article 13 and the communication referred to in Article 21.2 AVG in connection with the processing, in particular:
o	points 4.3 and 6 of the privacy statement do not make a clear distinction between the processing of health data on the one hand and the processing of other 'ordinary' personal data on the other;
o	no information is given to the data subject about the legitimate interests pursued by the controller;
o	no appropriate measures have been taken to inform the data subject of, among other things, the right to object guaranteed by Art. 21.2 AVG;
o	the processing basis for all transfers is not mentioned in the privacy statement.
•	Infringement of the basic principle laid down in Article 5.1 a) AVG that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
 
69.	In addition to the corrective measure ordering that the processing be brought into line with Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) AVG, the Litigation Chamber also decides to impose an administrative fine, which is not intended to bring an infringement to an end but to enforce the rules of the AVG vigorously. As follows from Recital 148, the AVG requires that, in the case of serious infringements, penalties, including administrative fines, be imposed in addition to or instead of appropriate measures. The Litigation Chamber does so in application of Article 58.2 i) AVG. The instrument of the administrative fine is therefore in no way intended to bring infringements to an end; for that purpose, the AVG and the WOG provide a number of corrective measures, including the orders referred to in Article 100, §1, 8° and 9° WOG.
 
70.	Taking into account Article 83 AVG and the case law of the Market Court, the Litigation Chamber justifies the imposition of an administrative sanction in concrete terms as follows:
-	The seriousness of the infringement: the above reasoning shows the seriousness of the infringement.
-	The duration of the infringement: the defendant's submissions in the proceedings before the Litigation Chamber do not show that the infringement has ceased, so that it continued until 25 January 2020. The Litigation Chamber does not take into account adjustments made after the debates on the findings were closed.
-	The deterrent effect necessary to prevent further infringements.

71.	With regard to the nature and seriousness of the infringement (Article 83.2 a) AVG), the Litigation Chamber stresses that compliance with the principles laid down in Article 5 AVG, in the present case in particular the principles of transparency and lawfulness and the accountability principle, is essential, since they are fundamental principles of data protection. The Litigation Chamber therefore regards the defendant's breach of the principle of lawfulness laid down in Article 6 AVG and of the principle of transparency laid down in Articles 12 and 13 AVG as a serious breach.
 
72.	Although no health data of the data subjects are processed without the explicit consent required for that purpose, and the defendant invokes a different legal basis for the data that are not covered by a special protection regime under the AVG, the Litigation Chamber is of the opinion that the relatively large impact of the infringements found, which concern all persons insured with the insurance company under a hospitalisation insurance, must be taken into account when determining the administrative fine.
 
73.	All the elements set out above justify an effective, proportionate and dissuasive sanction within the meaning of Art. 83 AVG, taking into account the assessment criteria set out therein. The Litigation Chamber points out that the other criteria of Art. 83.2 AVG are not, in this case, of such a nature as to lead to an administrative fine different from the one set by the Litigation Chamber in this decision.
 
 
(f) Legislative framework: relationship between free consent and provision of health data in the context of hospitalisation insurance 
 
74.	For the sake of completeness, the Litigation Chamber wishes to draw attention to a broader issue raised by the complaint, namely the collection of health data by insurers from prospective policyholders on the basis of their explicit consent (Art. 9.2 a) AVG) in the context of taking out and performing hospitalisation insurance, and the associated question of the extent to which such consent can be freely given. The question arises whether, apart from explicit consent, there are other legal grounds on which the defendant could process health data in the performance of the hospitalisation insurance.
 
75.	Article 9.4 AVG provides that Member States may impose additional conditions on the processing of, inter alia, health data. The Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, which implements the AVG, does not contain any specific provision governing the processing of sensitive personal data in the insurance context. The defendant notes that there is no national legislative framework in this respect. For the time being, the Litigation Chamber can only endorse this position and notes that the legislator should intervene in this respect in order to provide a legal basis specific to the insurance sector that allows health data to be collected, within well-defined limits, in the context of the (pre)contractual relationship between insurer and policyholder.
 
(g) Publication of the decision 
 
76.	Given the importance of transparency regarding the decisions of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. However, direct identification of the parties is not necessary for that purpose.
 
 
FOR THESE REASONS, 
 
the Litigation Chamber of the Data Protection Authority, after deliberation, decides:
-	pursuant to Art. 100, §1, 9° WOG, to order the defendant to bring the processing into conformity with Art. 5.1 a), Art. 5.2, Art. 6.1, Art. 12.1, Art. 13.1 c) and d) and Art. 13.2 b) AVG;
-	to impose an administrative fine of EUR 50,000 on the basis of Art. 100, §1, 13° WOG and Art. 101 WOG.
 
Pursuant to Article 108, §1 WOG, an appeal against this decision may be lodged with the Market Court (Marktenhof) within thirty days of its notification, with the Data Protection Authority as defendant.
 
 
 
(signed) Hielke Hijmans
Chairman of the Litigation Chamber