Helsingin hallinto-oikeus (Finland) - 116/2024

From GDPRhub
Revision as of 14:39, 24 January 2024 by Fred (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Finland |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Helsingin hallinto-oikeus (Finland) |Court_Original_Name=Helsingin hallinto-oikeus (Finland) |Court_English_Name=Administrative Court of Helsinki |Court_With_Country=Helsingin hallinto-oikeus (Finland) (Finland) |Case_Number_Name=116/2024 |ECLI= |Original_Source_Name_1=Helsingin hallinto-oikeus |Original_Source_Link_1=https://gdprhub.eu/index.php?title=File:Helsing...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Helsingin hallinto-oikeus (Finland) - 116/2024
Courts logo1.png
Court: Helsingin hallinto-oikeus (Finland) (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 9 GDPR
Article 9(1) GDPR
Article 25(2) GDPR
§ 2(1)(5) Insurance Contracts Act
§ 44(1)(3) Administrative Procedure Act
§ 6(1)(1) Data Protection Act
Decided: 16.01.2024
Published: 16.01.2024
Parties: LähiTapiola Keskinäinen Henkivakuutusyhtiö
National Case Number/Name: 116/2024
European Case Law Identifier:
Appeal from: Tietosuojavaltuutetun toimisto (Finland)
3216/452/17
Appeal to: Unknown
Original Language(s): Finnish
Original Source: Helsingin hallinto-oikeus (in Finnish)
Initial Contributor: fred

The Administrative Court of Helsinki upheld a Finnish DPA decision, which found that a life insurance company had breached Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 9 GDPR and Article 25(2) GDPR as its as its practice was to process the health data of life insurance applicants.

English Summary

Facts

The controller (LähiTapiola Keskinäinen Henkivakuutusyhtiö, a life insurance company) had asked the Administrative Court of Helsinki (the Court) to overturn the Finnish DPA's decision, according to which the controller had no legal basis to process the health data of life insurance applicants and it processed the data unnecessarily.

The controller filed the appeal claiming that it must be able to process health data, because the health status of the insured party and the risks associated with it are at the centre of the risk assessment related to the granting of the insurance.

The controller considered that insurance applicants must also be considered insured parties in accordance with Section 6(1)(1) of the Finnish Data Protection Act, according to which insurance institutions may, despite the general prohibition in Article 9(1) GDPR, process the health data of the insured party and the claimant, which is necessary to determine the liability of the insurance institution.

The controller also stated that the order issued by the DPA, on the basis of which it should assess the time period for which it is necessary to request health data, is vague and unspecified. The controller considered that it must be able to process all health data in order to assess which precise information is ultimately relevant.

Holding

The Court noted that neither the Finnish Data Protection Act nor its preparatory material have defined what is meant by the insured party in connection with the application of the Act. However, in the Court's view, the preparatory material of the Act does not support as an interpretation that the legislator intended to extend the concept of "insured party" to apply also to the applicant an insurance before the conclusion of an insurance contract.

In this respect, the Court also stated that the "insured party" is defined in Section 2(1)(5) of the Finnish Insurance Contracts Act, according to which the insured refers to the party that is currently subject to personal insurance or non-life insurance policy. Thus, the Court considered that this definition could be used as a starting point for interpretation also when applying Section 6(1)(1) of the Finnish Data Protection Act. Meaning that under this Section, the controller could not consider the applicants for an insurance plan as insured parties.

The Court also considered that the DPA had specified the obligations of the controller in its order clearly enough as required by Section 44(1)(3) of the Finnish Administrative Procedure Act.

The Court held that the controller must assess the time period and specify the requests in more detail so that they concern a specific issue, case, illness or symptom that has a factual importance in determining the controller's liability. It was against the principles of fairness, data minimisation and data protection by default that the controller requested health data from health care units for the past five years without a case-by-case assessment of the time period.

In light of this, the Court agreed with the DPA that the processing of special categories of personal data of voluntary insurance applicants carried out by the controller had violated Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 9 GDPR and Article 25(2) GDPR.

Comment

The Administrative Court of Helsinki has issued a similar decision in the case 117/2024.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

HELSINKI ADMINISTRATIVE COURT

DECISION 116/2024

16.01.2024

ID number 3457/03.04.04.04.01/2022

Thing

A complaint regarding a data protection matter

Appellant

LähiTapiola Mutual Life Insurance Company

Decision to be appealed

Data Protection Commissioner 8.6.2022 dnro 3216/452/17 In 2020 and 2021, the Data Protection Commissioner's office has investigated the procedures of LähiTapiola Keskinäinen Vakuutusyhtiö (the data controller) in situations where the data controller requests data on the health status of registered users from health care units.

In its decision under appeal, the Data Protection Commissioner has held that the data controller cannot process the health data of the applicant for voluntary insurance or the health data of the person for whose death, illness or injury voluntary insurance is being applied for, based on the provisions of section 6, subsection 1, point 1 of the Data Protection Act. For this reason, the data controller cannot also request the health status information of these persons from the health care units during the insurance application phase, pursuant to the provisions of Section 6, Subsection 1, Clause 1 of the Data Protection Act. The processing of the special personal data groups of the voluntary insurance applicant by the controller does not comply with Article 9 of the General Data Protection Regulation.

The Data Protection Commissioner has ordered the data controller pursuant to Article 58, paragraph 2, subsection d of the General Data Protection Regulation to bring the processing operations in line with the provisions of Article 9 of the General Data Protection Regulation, when the data controller processes the health data of the applicant for voluntary insurance or the health data of the person for whose death, illness or injury voluntary insurance is being applied for.

In its decision under appeal, the Data Protection Commissioner has further ordered the data controller, pursuant to Article 58(2)(d) of the General Data Protection Regulation, to bring the processing of personal data into compliance with Article 5(1)(a) and (c) and Article 25(2) of the General Data Protection Regulation, when the data controller requests information about the health status of the data subject from the healthcare unit and processes the information it receives to determine the insurance company's liability. When the data controller requests data on the registered person's health from the unit, based on this regulation, the data controller must assess from which period requesting the data on the data subject's health is necessary to clarify the responsibility of the data controller and, based on the assessment, limit the period from which data on the data subject's health is requested from the health care unit.

The data protection commissioner has left it to the discretion of the data controller to determine more precise appropriate measures, but has ordered to submit a report on the measures taken by July 29, 2022.

In the justifications of the decision under appeal, the following has been stated, among other things, regarding the legality of the processing of health data belonging to special personal data groups:

The provision of section 6, subsection 1, point 1 of the Data Protection Act regarding the processing of the health data of the insured and the claimant in insurance operations cannot be extended to the registered person who is an insurance applicant at the stage of applying for insurance. Registrants must be able to rely on regulations in accordance with the Data Protection Act when applying for insurance. The processing of health data belonging to special personal data groups contrary to the wording regulation is not in accordance with the reasonable expectations of the registered. Due to the need for strong privacy protection related to patient documents, it is also not possible for the data to be processed contrary to the literal regulation.

In connection with the health examination, the general authorization requested by the data controller to request information from different health care units for the processing of the insurance case is not sufficient to fulfill the requirement for the processing of special personal data groups according to Article 9, paragraph 2, subparagraph a of the General Data Protection Regulation.

In the justifications of the decision under appeal, the following has been stated, among other things, about the minimization of data, reasonableness of processing and built-in and default data protection:

Pursuant to the Insurance Contracts Act and the regulation of the General Data Protection Regulation, the data controller must in all cases specify in the request to the health care unit regarding the data on the registered person's health status, which relevant information and for which time period the data controller requests access. This means that the data controller must limit the requested information to a specific issue, case, illness or symptom that is of factual importance in the assessment of the data controller's responsibility. The registrar must also assess from which period it is necessary to request registered health status information from the healthcare unit in order to clarify the responsibility of the registrar and, based on this, limit the period from which the registrant's health status information is requested from the healthcare unit. In the already sent request, the controller must limit the requested information to only necessary information so that the controller is able to demonstrate that it requests from the health care unit only such data on the health status of the registered person that is necessary in the evaluations concerning the clarification of the controller's responsibility.

The starting point for processing patient documents is that the data subject can and has been able to expect during the treatment relationship that health data will be processed with respect for the data subject's privacy. The registered person may have dealt with the health care unit for many different reasons, and not all information collected about the registered person in the health care unit is necessarily relevant in terms of assessing the insurance company's responsibility when applying for insurance.

It is the responsibility of the controller to take into account what kind of processing is in line with the reasonable expectations of the data subjects. Due to the serious risk associated with the health status data generated in the health care units, an unnecessarily extensive processing of the default data would be unreasonable from the point of view of the data subjects. It is not reasonable for the data controller to gain access to the data subject's health status on an unnecessarily wide and unlimited basis based on the liability assessment process.

The procedure of the registry keeper is to request health status information, as a rule, from the five years preceding the application. The Data Protection Commissioner considers that, based on the provisions of the Insurance Contracts Act and the General Data Protection Regulation, the data controller must make an assessment regarding the period, in addition to the fact that the data controller identifies the request to the health care unit regarding a specific issue, case, illness or symptom that is of actual importance in assessing the data controller's responsibility.

Claims presented in the appeal

The decision under appeal must be annulled. Alternatively, the matter must be returned to the data protection commissioner's office for re-evaluation. In any case, the data protection commissioner's office must be obliged to compensate the appellant's court and litigation expenses with legal interest.

The appellant is a life insurance company. The appellant thus issues insurance policies, based on which it pays a certain amount of compensation in the event of the insured's death, for example to his spouse. In addition to life insurance, the appellant also grants personal insurance in case of various personal risks, such as illness, inability to work or invalidity. On the basis of the above-described insurances, the appellant pays the compensation according to the insurance contract when the insured event takes place. In life and personal insurances, the health status of the insured and the related risks are at the center of the risk assessment related to the granting of the insurance. These risks affect, for example, whether the insurance can be granted at all, under what conditions the insurance can be granted, and how the insurance is priced.

For this reason, the insurance company, when considering issuing the policy, asks the policyholder for explanations about his state of health. In some situations, it may be necessary for the insurance company to obtain information directly from the health care unit. For these situations, the insurance company needs an authorization or release permit from the insured, which entitles the health care unit to release the information to the insurance company. In this case, it is not the consent referred to in Article 6(1)(a), Article 7 or Article 9(2)(a) of the Data Protection Regulation, but a separate permission related to patient legislation.

The decision under appeal is based on an incorrect interpretation of the law regarding the concept of the insured in the Data Protection Act. The insurance applicant must also be considered insured as referred to in section 6 subsection 1 point 1 of the Data Protection Act.

As such, the definitions of the Insurance Contracts Act cannot mechanically be applied to the interpretation of section 6 subsection 1 point 1 of the Data Protection Act. It is more important to assess the legislator's purpose related to the said legal provision and the appropriateness of the interpretation. Adequate assessment of the health status of the insurance applicant is a very important operating requirement for insurance companies. A regulatory solution that would limit decades of established insurance practice would be radical and potentially mean a fundamental change in the way Finnish insurance companies operate. There should therefore be very compelling reasons for the change. The possibility presented by the data protection authorized office to obtain the consent of the insurance applicant is not a truly appropriate or practically realistic alternative to the processing right according to section 6 subsection 1 point 1 of the Data Protection Act. Since data protection legal consent is not an appropriate option, the review must be based on section 6 subsection 1 point 1 of the Data Protection Act and the legislator's intentions behind it.

For example, even in the Insurance Contracts Act, the concept of the insured is not only used in the narrow sense referred to by the Data Protection Commissioner's Office to mean only the insured of an already issued insurance policy, but in a broader sense. First of all, in Section 2, Subsection 1, Clause 5 of the Insurance Contracts Act, the insured is defined to mean "the person who is the subject of the insurance", without taking an explicit position on the temporal dimension of the concept. A person can be insured even before concluding an insurance contract. Section 11, subsection 2 of the Insurance Contracts Act also emphasizes that the insurance company's liability generally starts already from the submission of the insurance application. Secondly, in Section 22 of the Insurance Contracts Act concerning the right to access to information, the concepts of policyholder and insured are used precisely in connection with the right to access to information, referring to the time before the insurance was granted. It is thus clear that even in the Insurance Contracts Act, the legislator did not intend the concept of the insured to be interpreted narrowly in such a way that it refers to a person only after the insurance has been issued. On the contrary, in the Insurance Contracts Act, the concept of the insured is also used to refer to the applicant for the insurance. Thirdly, in the interpretation of section 6 subsection 1 point 1 of the Data Protection Act, the broader principle expressed by section 22 of the Insurance Contracts Act must be taken into account, i.e. the intention of the legislator to ensure that the insurance company has sufficient access to information even before concluding the insurance contract. Section 6 subsection 1 point 1 of the Data Protection Act must be interpreted in the light of this general principle. In addition, it should be noted that Section 6, Subsection 1, Clause 1 of the Data Protection Act and the legal provisions preceding it have been interpreted in a completely established way in Finland as also applicable to the insurance applicant. The entirety of the insurance system requires that insurance companies can make their choice of liability based on sufficient risk information. When the legislator's purpose in enacting section 6, paragraph 1 of the Data Protection Act was clearly to allow insurance activities, the legal section must also be interpreted against these aspects.

The decision under appeal is based on an incorrect interpretation of the law regarding the minimization principle. The order issued by the Data Protection Commissioner, on the basis of which the appellant must assess from which period it is necessary to request the health status information of the registered person, is very vague. The appellant has already assessed the matter and considered his current operating model to be appropriate and in accordance with the law. However, if the data protection commissioner's office considers that this assessment should be changed somehow, it should specify what this concretely requires. The decision therefore does not contain specific information about what the appellant is obliged to do, as required by section 44, subsection 1, point 3 of the Administrative Law.

Secondly, the data protection commissioner's office has pointed out that in the already sent request, the complainant should limit the requested information to only necessary information, so that the complainant is also able to demonstrate that it is requesting from the health care unit only such information on the health status of the registered person as is necessary in the evaluations concerning the clarification of the complainant's responsibility. In this respect, the appellant refers to Section 22 of the Insurance Contracts Act, according to which the insured's obligation to provide information and the insurance company's right to access information apply to information that may be relevant in terms of assessing the insurer's liability. This embodies the broader principle that the insurance company must be able to assess which exact material is ultimately relevant to the insurance matter. In terms of the right of access to information, the only requirement is that the information can be relevant.

The decision of the data protection authorized office is therefore based on an incorrect interpretation of the law, when the decision apparently aims to limit the insurance company's access to information only to a period that is known in advance to be relevant and not to a period that may be relevant.

Case handling and investigation

The Data Protection Commissioner has issued a statement.

The appellant has given a counter-explanation.

Administrative law solution

The administrative court rejects the appeal.

The administrative court extends the deadline set for the complainant by the decision of the data protection commissioner to submit the report on the measures taken until March 1, 2024

The administrative court rejects the claim for reimbursement of court costs.

Reasoning

Lawfulness of processing

Applicable legal guidelines and law preparation material

According to Article 9(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation), the processing of personal data that reveals race or ethnicity origin, political opinions, religious or philosophical beliefs or trade union membership and the processing of genetic data, the processing of biometric data for the purpose of unambiguous identification of a person or the processing of information about health or information about the sexual behavior and orientation of a natural person is prohibited.

According to Article 9(2)(g) of the General Data Protection Regulation, Section 1 above does not apply if the processing is necessary for an important public interest reason based on Union law or the legislation of a Member State, provided that it is proportionate to the objective, it respects the right to the protection of personal data in key respects and it provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject.

According to Section 6, Subsection 1, Clause 1 of the Data Protection Act, Article 9, Section 1 of the Data Protection Regulation does not apply to information obtained in the course of insurance operations processed by the insurance institution about the insured's and claimant's state of health, illness, or disability, or information about the treatment measures directed at him or comparable actions that are necessary to determine the insurance institution's liability.

In the government's proposal regarding the Data Protection Act (HE 9/2018 vp), it is stated in the detailed justifications for section 6, subsection 1, point 1, that the section would specify the processing situations regarding the processing of special groups of personal data with regard to the processing of data obtained in the insurance operations of insurance institutions. This is possible under Article 9(g) of the General Data Protection Regulation. The clarification of section 1 would be necessary so that insurance institutions could continue to process information obtained in the insurance business about the insured's and claimant's state of health, illness or disability, or the treatment measures applied to him or comparable information. - - According to paragraph 1, Article 9, paragraph 1 of the General Data Protection Regulation would not prevent the insurance institution from processing certain personal data belonging to special personal data groups in order to clarify its liability. The insurance institution could thus process information about the insured's and claimant's state of health, illness or disability, or the treatment measures or comparable measures applied to them. Paragraph 1 of Article 9 of the General Data Protection Regulation covers, among other things, information about health. The information referred to in Section 6 of the Data Protection Act is health information.

According to Section 2, Subsection 1, Clause 5 of the Insurance Contracts Act, in this Act, the insured means the person who is the subject of personal insurance or for whose benefit the damage insurance is valid.

In the government proposal concerning the Insurance Contracts Act (HE 114/1993 vp), it is stated in the detailed justifications for section 2, subsection 1, point 5, that in personal insurance, the insured means the person who is the subject of the insurance. The insured person of life insurance is a person whose death or life insurance has been taken out. The insured of accident insurance is a person whose insurance has been taken out in case of accidental injury or death. -- In non-life insurance, the insured is the person for whom the insurance is valid. The insured is a person whose property or other benefit is the subject of the insurance. In liability insurance, the insured is the person for whom the insurance has been taken out in case of liability for damages.

Legal assessment regarding the legality of the processing In the case, it is to be assessed whether the appellant has been able to process the health information of the applicant for voluntary insurance or the health information of the person for whose death, illness or injury the insurance is being applied for (hereinafter the applicant) pursuant to section 6 subsection 1 point 1 of the Data Protection Act, and whether the appellant the processing of special personal data groups carried out by the voluntary insurance applicant was in accordance with Article 9 of the General Data Protection Regulation.

The appellant has considered that the processing of the registered person's personal data regarding the state of health is permitted under Section 6, Subsection 1, Clause 1 of the Data Protection Act, in order to ascertain the liability of the insurance company already when applying for insurance, and that the data protection commissioner has interpreted the concept of the insured in the relevant legal section incorrectly.

According to Section 6, Subsection 1, Clause 1 of the Data Protection Act, Article 9, Clause 1 of the Data Protection Regulation does not apply to data obtained in the course of insurance operations when the insurance company processes information about the insured. The Data Protection Act or its preambles do not define what is meant by the insured in connection with the application of the Data Protection Act. According to Section 2, Subsection 1, Clause 5 of the Insurance Contracts Act, in the aforementioned law, the insured means the person who is the subject of personal insurance or for whom the damage insurance is valid, and this definition can, in the opinion of the Administrative Court, be used as a starting point for interpretation also when applying Section 6, Subsection 1, Clause 1 of the Data Protection Act . According to the wording of the mentioned legal section, it is not justified to interpret the concept of the insured in such a way that it would also cover the applicant for insurance before the conclusion of the insurance contract, which interpretation is also supported by the preambles concerning section 2, subsection 1, point 5 of the Insurance Contracts Act. There is no reason to evaluate the matter differently because of the point brought up by the appellant in his appeal, that the concept of the insured has not been used completely consistently in all the provisions of the Insurance Contracts Act. There is no reason to evaluate the matter differently either because, according to the complaint, the interpretation deviates from the previously followed practice or because consent as a basis for processing is not without problems. There is no support for the interpretation that the legislature intended to extend the concept of insured to apply to the applicant for insurance, or that this was considered necessary in order to determine the liability determined on the basis of the insured event. Consequently, the appellant has not been able to process the health information of the applicant for voluntary insurance pursuant to section 6, subsection 1, item 1 of the Data Protection Act before concluding the insurance contract.

Based on the above, the Data Protection Commissioner has been able to consider that the processing of the special personal data groups of the voluntary insurance applicant carried out by the appellant is not in accordance with Article 9 of the General Data Protection Regulation. The Data Protection Commissioner has been able to order the appellant, pursuant to Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation, to bring the processing operations in line with the provisions of Article 9 of the General Data Protection Regulation, when the data controller processes the health data of the applicant for voluntary insurance.

Fairness of processing, data minimization and built-in and default data protection

Applicable legal guidelines and law preparation material

According to Article 5, Paragraph 1 of the General Data Protection Regulation, the following requirements must be met with respect to personal data, among others: a) they must be processed legally, appropriately and transparently from the point of view of the data subject ("lawfulness, reasonableness and transparency"); c) they must be appropriate and relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");

According to Article 25, paragraph 2 of the General Data Protection Regulation, the controller must implement appropriate technical and organizational measures to ensure that by default only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. With the help of these measures, it must be ensured in particular that personal data is not, by default, made available to an unlimited number of people without the contribution of a natural person.

According to Section 22 of the Insurance Contracts Act, before the insurance is issued, the policyholder and the insured must give correct and complete answers to the questions posed by the insurer, which may be relevant in terms of assessing the insurer's liability. In addition, during the insurance period, the policyholder and the insured must, without undue delay, correct any information they have provided to the insurer that they find to be incorrect or incomplete.

According to Section 69 of the Insurance Contracts Act, the applicant for compensation must provide the insurer with such documents and information as are necessary to clarify the insurer's liability and which can reasonably be required of him, also taking into account the insurer's possibilities to obtain a statement.

Legal assessment regarding reasonableness of processing, data minimization and built-in and default data protection

The issue in the case is whether the personal data processing activities carried out by the appellant have been contrary to the requirements of the Data Protection Regulation regarding the reasonableness of the processing, data minimization and built-in and default data protection, when the appellant requests information about the health status of the registered person from the health care unit and processes the information received in order to determine the liability of the insurance company, and whether the decision under appeal contains Administrative Law 44 In the manner required by subsection 1, section 3, individualized information about what the appellant is obligated to do.

The appellant requests information on the health status of the voluntary insurance applicant from the health care unit in order to clarify his liability according to the Insurance Contracts Act. According to Section 22 of the Insurance Contracts Act, the policyholder's and the insured's obligation to provide information before the insurance is issued is limited to information relevant to the assessment of the insurer's liability. Likewise, when applying for compensation, the insurer must be given the information necessary to determine the insurer's liability under Section 69 of the Insurance Contracts Act.

In his report to the Data Protection Commissioner on September 30, 2020, the appellant has stated, among other things, that the health report and the related authorization to receive health status information from treatment facilities is part of the insurance application in insurances where the conclusion of the insurance contract requires a medical choice of liability. If it is necessary to make a request for information from the treatment facility in connection with the health examination, the requested information will be limited to only the health information necessary for the processing of the insurance application. Requests for information are limited based on the answers given by the insured in the health examination. In the health examination and in the treatment facility inquiry, which is carried out as needed, information about the state of health from the last five years is requested. The information is requested from the period in question, because information older than this is considered unnecessary in terms of responsibility selection. In very exceptional cases, information can also be requested from the treatment facility for a longer period of time, if information is needed for an insurance application about an illness that started within the last five years. The information request form is as follows: "According to the information provided, person X has been examined or treated in your treatment facility for illness Y. In order to process the insurance application, we ask you to provide us with copies of medical records or doctor's reports, which show the background information of the aforementioned diseases, symptoms, examinations or procedures, as well as any previous visits and examination results. We are requesting the aforementioned information from the last five (5) years."

In his report to the Data Protection Commissioner on January 12, 2021, the appellant has stated that if a decision cannot be made on the application based on the insurance application and the health report alone, the expert handling the application will use the decision guidelines to assess what additional information is needed for the decision. Additional information is requested either directly from the insured or from treatment facilities authorized by the insured. Hospital inquiries are always made on a case-by-case basis only if it is necessary in the case. The inquiry is individualized to only those diseases or symptoms that are relevant for the execution of the contract. As a rule, information is requested from the five years preceding the application. Since the insured cannot be assumed to have the medical judgment to be able to provide all relevant information about the illness or its severity for the execution of the insurance contract, it is often necessary to request the relevant information from treatment facilities authorized by the insured.

As a result of the appeal, it is first to be assessed whether the decision under appeal contains, as required by section 44, paragraph 1, point 3 of the Administrative Act, the specific information about what the appellant is obliged to do. In the decision under appeal, the appellant has been given an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing operations in accordance with Article 5, paragraph 1, subparagraphs a and c, and Article 25, paragraph 2 of the General Data Protection Regulation, when the appellant requests information about the health status of the registered person from the health care unit and processes what he receives. information to clarify the insurance company's liability. In this context, the decision under appeal has also stated that when the appellant requests data on the health status of the registered person from the health care unit, the appellant must assess from which period requesting the health status information of the registered person is necessary in order to clarify the responsibility of the controller and, based on the assessment, limit the period from which the health status information of the registered person is requested from the health care unit. In the reasons for the decision, it has been stated that the Data Protection Commissioner does not consider it necessary to use the remedial powers in accordance with Article 58, paragraph 2 of the General Data Protection Regulation with regard to limiting the sent information requests related to illness or symptoms. The order therefore only applies to the temporal dimension of information requests. The appellant has been given a deadline by 29 July 2022 to submit to the data protection commissioner's office a report on what measures it has taken as a result of the decision.

The Administrative Court states that the decision under appeal, as required by section 44, paragraph 1, point 3 of the Administrative Act, sufficiently clearly discloses the individualized information, what the appellant is obliged to do and how the matter was otherwise resolved. The decision under appeal must therefore not be considered illegal on the basis that it does not indicate what the appellant is obligated to do.

As a result of the complaint, it must then be assessed whether the appellant's processing actions have been contrary to the requirements of the Data Protection Regulation regarding the reasonableness of processing, data minimization and built-in and default data protection, so that the data protection commissioner could have issued the above-mentioned order to bring personal data processing operations into compliance with the General Data Protection Regulation.

The administrative court considers, like the data protection commissioner, that the data controller must make an assessment regarding the period based on the provisions of the Insurance Contracts Act and the Data Protection Regulation, in addition to the fact that the data controller identifies the request to the health care unit regarding a specific issue, case, illness or symptom that is of factual importance in assessing the data controller's responsibility. When the appellant has pointed out that he requests health information from the health care units, as a rule, for the last five years without a case-by-case assessment of the period, the data protection commissioner was able, based on the report received, to consider that the processing of personal data is in this respect contrary to the requirements of Article 5, paragraph 1, subparagraphs a and c of the General Data Protection Regulation regarding the reasonableness of the processing , on data minimization and contrary to the regulation of Article 25 paragraph 2 on built-in and default data protection, and gives the appellant an order to bring the processing operations in line with the General Data Protection Regulation in this respect.

Result

Based on the above, the Administrative Court considers that there is no reason to change the regulations issued by the Data Protection Commissioner.
Due to the passage of time, the deadline set in the decisions is changed in the way that appears in the part of the decision.

Cost

Considering the outcome of the case, it is not unreasonable that the appellant has to bear his own legal costs.

Applied legal guidelines

Those mentioned in the justifications

Act on proceedings in administrative matters § 95 subsection 1
Appeal

This decision may be appealed by appealing to the Supreme Administrative Court, if the Supreme Administrative Court grants permission to appeal.

The notice of appeal is attached (HOL appeal permit 30).