APD/GBA (Belgium) - 109/2024

From GDPRhub
APD/GBA - 109/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(11) GDPR
Article 9(2) GDPR
Article 12 GDPR
Article 13 GDPR
Article 16 GDPR
Article 22 GDPR
Article 24 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 29.08.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 109/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD/GBA (Belgium) (in NL)
Initial Contributor: wp

The DPA found that a data subject’s consent to the processing of their health data by an insurance broker was not freely given since the consent was a condition for a discount on a mortgage’s interest rate.

English Summary

Facts

A data subject received a mortgage offer from a company. The data subject was also offered a discount on the interest rate for the mortgage. However, in order to qualify for the discount, the data subject had to take out a debt balance insurance offered by a broker (the controller).

For taking out the insurance, the data subject had to give consent for the processing of their health data. According to the data subject, the consent covered not only the handling of the insurance contract, but also other purposes, for example, claims processing, fraud prevention, development of pricing and automated decision making. The data subject asked the controller to rephrase the consent, so that it was more specific. However, the controller did not agree.

Since the data subject did not want to lose the discount on the interest rate, they eventually gave the consent for processing their health data.

Afterwards, the data subject sent the controller an email in which they:

  • withdrew the consent regarding the processing of health data and automated decision making;
  • requested restriction of data processing until the legal basis of processing was clarified;
  • requested correction of signed documents.

The controller answered the requests and provided the data subject with a copy of their data.

The data subject filed a complaint with the Belgian DPA (APD/GBA).

Holding

The DPA upheld the complaint.

First, the DPA found the controller failed to obtain valid consent for data processing. Indeed, the consent given by the data subject was not freely given. This was because the data subject would have faced negative consequences if they had not given the consent.

Thus, the controller violated Article 4(11), 7(1), 7(3) and 9(2)(a) GDPR.

Even though the controller violated the GDPR, the DPA decided not to take any corrective measures. The DPA held that the controller was not culpable because the Belgian legislator failed to implement Article 9(2) GDPR insofar it would provide a specific legal basis for the processing of health data in the context of insurance contracts.

Comment

The DPA expressed concerns over lacking specific legal basis referring to insurance contracts in Belgian law.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/24

Dispute resolution

Decision on the merits 109/2024 of 29 August 2024

File number: DOS-2022-03909

Subject: Processing of personal data in the context of

mortgage protection insurance

The Dispute Resolution of the Data Protection Authority, composed of Mr

Hielke HIJMANS, chairman, and Mr Dirk Van Der Kelen and Mr Christophe Boeraeve, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data, and repealing

Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the “GDPR”;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter referred to as “WOG”;

Having regard to the internal rules of procedure, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on
15 January 2019;

Having regard to the documents in the file;

Has taken the following decision regarding:

Complainant: Mr X, hereinafter referred to as “the complainant”; and

Defendant: Y, represented by Mr Heidi Waem and Mr Simon Verschaeve, both

with offices at 1000 Brussels, Wolstraat 70, hereinafter referred to as “the defendant”. Decision on the merits 109/2024 — 2/24

I. Facts and procedure

1. On 19 September 2022, the complainant lodged a complaint with the Data Protection Authority against the defendant.

2. The complaint concerns the following facts. In December 2021, the complainant obtained a credit offer from the defendant in connection with the purchase of a home. The credit offer provides for a conditional interest rate discount, one of the conditions of which is to take out a credit-linked life insurance policy with the defendant for the amount of the credit. If no mortgage insurance is taken out with the defendant, the interest rate discount will lapse. The complainant states that when applying for the mortgage insurance policy through a broker in March 2022, it emerged that the signing of a consent for the processing of health data is necessary. However, according to the complainant, this consent would not only apply to the medical acceptance for the mortgage insurance in question, but to all processing of health data, such as claims handling, elaboration of pricing, refining of accession and coverage conditions, and detecting and preventing fraud. The complainant adds that this is also linked to consent for automated decision-making based on health data. On 9 March 2022, the complainant receives a response from the insurance broker regarding the consent for the processing of health data. This indicates that it is impossible for the defendant to work with a more specific consent. The complainant states that, nevertheless, only a mortgage insurance is being requested. The complainant notes that the defendant's website prevents the questionnaire from being completed if consent is not granted. Given the risk of missing out on the interest discount, the complainant agrees to the consent document and completes the medical questionnaire on the website. Subsequently, a summary document is obtained that must be signed via the website. However, according to the complainant, this summary document does not contain the same information as what was available in the questionnaire input screens. On 18 July 2022, the complainant exercises his rights by e-mail, partially withdrawing his consent,

also requests a restriction of the processing pending clarification of the legal basis,

withdraws his consent for automated decision-making, and finally requests a correction of the signed

document and adequate integrity protection of the signed document. The complainant receives a copy of his

personal data from the respondent on 12 August 2022. On the same

date, the complainant receives the respondent's response to the other elements of the

request. Decision on the merits 109/2024 — 3/24

3. On 21 October 2022, the complaint is declared admissible by the First Line Service on the basis of

Articles 58 and 60 WOG and the complaint is transferred to the Dispute Chamber on the basis of Article 62, § 1 WOG

.

4. On 17 November 2022, in accordance with Article 96, § 1 WOG, the request of the

Dispute Chamber to conduct an investigation is transferred to the Inspection Service,

together with the complaint and the inventory of the documents.

5. On 3 March 2023, the investigation by the Inspection Service is completed, the report

is added to the file and the file is transferred by the Inspector General to

the Chairman of the Dispute Chamber (Article 91, § 1 and § 2 WOG).

The report contains findings regarding the subject matter of the complaint and concludes

that:

1. there is no infringement in general of Article 5 GDPR, Article 24.1 GDPR

and Articles 25.1 and 25.2 GDPR;

2. there is an infringement of Article 4, 11) GDPR, Article 7.1 and 7.3 GDPR and Article 9.2.a) GDPR

for the processing of health data;

3. there is an infringement of Article 22.4 GDPR, Article 24.1 GDPR and Article 25.1 GDPR

due to the use of automated individual decision-making for

health data; and

4. there is a breach of Article 12.1 GDPR, Article 13.1 and 13.2 GDPR, Article 24.1

GDPR and Article 25.1 GDPR with regard to the general privacy statement for customers

in the broad sense.

The report also contains findings that go beyond the subject of the complaint.

The Inspection Service determines, in broad terms, that there is no breach of Article

38.1 GDPR and Article 39 GDPR.

6. On 22 March 2023, the Dispute Resolution Chamber decides on the basis of Article 95, § 1, 1° and Article 98
WOG that the file is ready for consideration on the merits.

7. On 22 March 2023, the parties concerned will be notified by registered mail of the provisions as stated in Article 95, § 2, as well as those in Article 98 of the WOG.

They will also be notified of the deadlines for submitting their defences on the basis of Article 99 of the WOG.

As regards the findings relating to the subject matter of the complaint, the

deadline for receipt of the defendant’s response

was set at 5 May 2023, that for the complainant’s response

was set at 26 May 2023
and finally that for the defendant’s response

was set at 16 June 2023. As regards

findings going beyond the subject matter of the complaint, Decision on the merits 109/2024 — 4/24

deadline for receipt of the defendant’s response

was set at 5 May 2023.

8. On 23 March 2023, the complainant electronically accepts all communications concerning the case.

9. On 23 March 2023, the defendant electronically accepts all communication regarding the

case and indicates that she wishes to make use of the opportunity to be heard, in accordance

with Article 98 WOG.

10. On 3 May 2023, the Dispute Chamber receives the conclusion of the

response from the defendant regarding the findings regarding the subject of the

complaint. In the main, the defendant argues that the procedure and the manner in which it

is conducted by the Dispute Chamber and the Inspection Service violate the principles of

good governance. In the subordinate order, the defendant argues that she has

respected the GDPR when processing health data on the basis of explicit

consent. This conclusion also contains the defendant's response

regarding the findings made by the Inspection Service outside the scope of the

complaint. 11. On 24 April 2023, the Dispute Chamber receives the conclusion of the reply from the complainant for

the findings regarding the subject of the complaint. The complainant

requests the Dispute Chamber to deal with the complaint in its entirety, including the

alleged infringements concerning the accuracy of data, the right to rectification and the

integrity of data, although these alleged infringements are not included in the

inspection report. In response to the defendant's main pleas, the complainant

raises the following:

so that, despite any alleged infringements of the principles of public

administration raised by the defendant, the Dispute Chamber can rely on the complaint and all the

elements contained therein for its assessment of the case. In response to the defendant's

subordinate pleas, the complainant argues that the conditions regarding

explicit consent for the processing of health data have not been met. Furthermore, the complainant argues that he considers the infringement of automated decision-making based on health data in the original complaint and the Inspection Report to be sufficiently proven. In addition, the complainant denounces the lack of clarity regarding the basis for the processing of health data and the role of consent. Finally, the complainant also establishes that there are infringements of the accuracy of the processed personal data and the integrity and confidentiality.

12. On 13 June 2023, the Dispute Chamber receives the defendant's reply

with regard to the findings relating to the subject matter of the complaint, in which

it reiterates its positions in its reply. Decision on the merits 109/2024 — 5/24

13. On 22 April 2024, the parties are informed that the hearing will

take place on 3 June 2024.

14. On 3 June 2024, the parties are heard by the Dispute Chamber.

15. On 12 June 2024, the minutes of the hearing are submitted to the parties.

16. On 5 June 2024, the defendant was granted an additional period to take a position

on the following points from the complaint:

a) Possible infringement of Article 5.1.d) GDPR and Article 16 GDPR due to the processing of

incorrect data and the failure to comply with the right to rectify this data,

as the unmentioned conditions are not reflected in the

document to be signed and the defendant did not respond to the complainant's request to

correct this.

b) Possible infringement of Article 5.1.f) GDPR and Article 32 GDPR due to the

failure to adequately guarantee the integrity of the data provided by the use of a

digital signature based on public key cryptography.

17. The deadline for receipt of the defendant's conclusion of reply

regarding the above points is set at 28 June 2024.

18. On 14 June 2024, the Dispute Chamber receives from the complainant some comments

regarding the report, which it decides to include in its deliberations.

19. On 18 June 2024, the Dispute Chamber receives from the defendant some comments

regarding the report, which it decides to include in its deliberations.

20. On 28 June 2024, the Dispute Chamber receives from the defendant the conclusions

regarding the points described in paragraph 16. The defendant reiterates its
arguments from its rejoinder and adds that it complies with the requirements

regarding accuracy and has given adequate response to the exercise of the complainant's right

to rectification (Article 5.1.d) GDPR and Article 16 GDPR) and

that it has taken appropriate security measures when processing personal data

in the context of concluding the mortgage insurance, which means that there is no

infringement of Article 5, paragraph 1, f) GDPR and Article 32 GDPR.

II. Reasons

II.1. Principles of good governance

21. First, the defendant argues that the Inspectorate has violated the principles of good governance, in particular the principle of motivation, the principle of due care, the principle of reasonableness, the principle of proportionality, the principle of impartiality and its

rights of defence.

22. The defendant argues that, on the basis of the principle of motivation, it is necessary that

the allegations contain at least a minimum of motivation in order to understand the full

sequence of the allegations so that it would be able to defend itself properly.

23. According to the defendant, the manner in which the inspection report was drawn up

violates the principle of due care because the Inspectorate has used its investigative powers

disproportionately. Furthermore, the Inspection Service is required to draw up the inspection report with due care so that it is clear to the defendant which infringements are or are not included.

24. In addition, according to the defendant, the principle of reasonableness and the principle of proportionality have also been violated because the findings included in the inspection report are not in proportion to the relevant facts and the subject of the complaint.

25. Finally, the defendant argues that the principle of impartiality has also been violated because the Inspection Service did not conduct an investigation for discharge, but

on the other hand clearly and a priori assumed the defendant's guilt.

26. According to the defendant, the Dispute Chamber also violated the principles of good governance,

including the principle of due care, by deciding that the inspection report, which

allegedly conflicts with the principles of good governance, allows the case to be dealt

with on the merits and justifies proceedings on the merits.

27. The defendant is led to state that the rights of defence have been

violated.

28. In this regard, the Dispute Chamber points out that the procedural guarantees

must be fully complied with and, if there was any possibility that the defendant had been

harmed by the manner in which the inspection report was drawn up, this

harm was completely remedied in the subsequent proceedings, so that there can be no question of any

violation of the principles of good governance. The procedural elements put forward by the defendant do not result in the rights of the defence being infringed, since the defendant was given the opportunity to fully present its arguments by means of the reply and rejoinder;

moreover, the defendant was able to fully exercise its right to challenge the proceedings

during the hearing of the Litigation Chamber. The defendant did not therefore suffer any disadvantage and the rights of the defence were thus indeed respected. Decision on the substance 109/2024 — 7/24

II.2. Lawfulness of the processing

II.2.1. Determination of the Inspection Service

29. The Inspection Service notes in its inspection report that the defendant relies on the

explicit consent as a legal basis for the processing of health data

in the context of concluding a mortgage insurance. However, the Inspection Service

concludes that the lawfulness of the processing at issue has not been met

because there is a violation of Article 4, 11) GDPR, Article 7.1 and 7.3 GDPR and Article

9.2.a) GDPR.

30. According to the Inspection Service, the consent requested by the defendant from the complainant via the

“consent to processing health data” form is not freely and

specific, since the form applies to various processing purposes, but that data subjects can only

give consent for all of these processing purposes in their entirety. Consequently, the Inspection Service finds that the
consent requested via the aforementioned form is not freely given and specific,

which means that the consent is not legally valid. Finally, the Inspection Service concludes on

the basis of its investigation that withdrawing the consent given is not as easy as

giving it, since such withdrawal requires the person concerned to read the

privacy statement in advance, which indicates how the withdrawal should be

carried out.

II.2.2. Position of the complainant

31. In his reply, the complainant argues that the consent given is not specific

and not freely given. As regards the lack of specific consent, the complainant

argues that the defendant lists various purposes, such as developing correct

pricing, efficient cost management and refining access and coverage

conditions. She argues that these purposes are inextricably linked to

each other. The complainant disputes this and argues that it is a question of vaguely formulated purposes that

do not specifically relate to the insurance contract in question. According to the complainant, these are general activities that an insurer can perform in its business operations, but which are not necessary to use, possibly on a large scale, all

health data in its possession. The complainant argues that the defendant can also

rely on other elements such as a subset of personal data (i.e. of data subjects who have given specific consent), other

statistical data sources (such as public mortality statistics) or scientific research.

32. The complainant adds that even if all these purposes were inextricably linked,

quodnon, this connection cannot provide grounds for bundling consent for all insurance contracts. The consent is

consequently not specific.

33. The complainant asks why the defendant, prior to completing the

medical questionnaire for the mortgage insurance, did not ask a short consent question

specifically for the mortgage insurance in question and with the necessary divisions

for the different purposes. This method also offers the defendant the

opportunity to point out to the person concerned that already known health data

can also be used in the risk assessment.

34. As regards the free nature of the consent, the complainant points out that there is a

definite disadvantage associated with refusing consent, which goes beyond

merely not being able to obtain insurance. The complainant also denounces that, by

bundling consent for different purposes into one consent, this

consent was not freely obtained.

35. As regards the legal basis for processing health data, within the

context of medical acceptance for mortgage insurance, the complainant requests the

Dispute Chamber to take a position on the legal basis, namely whether there

is a sufficiently specific legal basis for the processing or whether consent is the

applicable legal basis. The complainant states that any imperfections in the

legislation relating to the processing of health data within the context of

medical acceptance for mortgage insurance cannot be blamed on the defendant.

However, according to the complainant, this does not alter the fact that the

defendant must correctly determine the legal basis and if it still relies on explicit

consent as a legal basis, consent must be requested in a valid manner.

II.2.3. Position of the defendant

36. In its conclusions, the defendant argues that it has respected the GDPR when

processing health data on the basis of explicit consent. She argues that

explicit consent is freely given and specific and that withdrawing it is as

easy as giving it.

37. As regards the specific nature of explicit consent, the

defendant argues that the applicable legal framework for (life) insurance

has the consequence that the processing activities or ‘sub-purposes’ set out

by the defendant in the consent form, which the Inspectorate considers to be

separate purposes, are intrinsically linked to one more general purpose, namely

the correct fulfilment of the role of the insurer in offering and

executing insurance contracts. Splitting the purpose of the processing would either Decision on the merits 109/2024 — 9/24

lead to the defendant no longer being able to apply or comply with the legal principles,

or would give the data subject the wrong impression that he or she actually has a

choice to consent or not on a granular basis per processing activity or

‘sub-purpose’, which would be contrary to Article 5.1.a) GDPR, which states that “personal

data must be processed lawfully, fairly and transparently in relation to the data

data subject”. Since the processing of the complainant’s health data took

place for only one general purpose, the explicit consent that the defendant obtained

is indeed specific, in accordance with the conditions that the GDPR imposes on the

processing of personal data on the basis of consent. 38. As regards the free nature of explicit consent, the defendant points out that the legal framework for insurance implies that the processing of health data in question is not ‘unnecessary’ for the correct fulfilment of the role of the insurer in offering and executing insurance contracts, but on the contrary - should be regarded as an essential element. The finding that the defendant makes consent a condition for concluding mortgage insurance does not lead to the conclusion that there is no ‘free’ expression of will by the person concerned and that the consent is therefore invalid by definition. In this context, the defendant points out that explicit consent is used as an exception under Article 9.2.a) GDPR for the processing of special categories of personal data that are necessary for the performance of the contract within the meaning of Article 6.1.b) GDPR. This constitutes a specific issue, particularly in Belgium and particularly for insurance companies. The

defendant points out that consent as the only exception under Article 9.2

of the GDPR may apply in the absence of a national legislative framework. This is in contrast

to other EU countries such as the Netherlands, Spain, Ireland (and the United Kingdom) where

a legal framework has been created for the processing of sensitive personal data by

insurers. In this context, the defendant refers to legislative initiatives from the

insurance sector with the aim of obtaining such a legislative framework, to date

without success.

II.2.4. Assessment by the Dispute Resolution Chamber

39. The question arises whether the defendant can validly rely on the

explicit consent for the processing of personal data in the context of concluding

a mortgage insurance policy.

40. Article 5.1.a) of the GDPR requires that personal data “be processed

lawfully, fairly and transparently in relation to the data subject (“lawfulness,

fairness and transparency”).” The principle of lawfulness is one of the main principles of the GDPR and is a prerequisite for the application of the other principles of the GDPR with regard to the processing of personal data.

41. It is up to the controller to determine which legal basis is appropriate in relation to the purpose of the processing. Since different consequences result from one or the other legal basis, in particular with regard to the rights of the data subjects, the controller is not allowed to rely on one or the other legal basis, depending on the circumstances.

Once a particular legal basis has been chosen, another legal basis cannot be chosen at a later stage. Nor can it be relied upon to use another legal basis for the same processing activity, for the same purposes, when the chosen legal basis ceases to apply. 2

42. Under Article 9.1 GDPR, the processing of health data is in principle

prohibited. In the event that processing of categories of special personal data

takes place in accordance with Article 9.1 GDPR, the controller must indicate a legal basis

in accordance with Article 6 GDPR and an exception under Article 9.2 GDPR in order

to be able to speak of a lawful processing. This combination of legal grounds under Article 6 and 9.2

GDPR stems from, among other things, the Meta judgment (C-252/21) of the Court of Justice in which

the Court expressly ruled that the processing of sensitive personal data is

only permitted if such processing can be regarded as lawful under Article 6.1 GDPR. Opinion 2/2019 of the European Data Protection Board (hereinafter

4 5
“EDPB”) and Opinion 06/2014 of the Article 29 Data Protection Working Party also refer

consistently to the application of both Article 6 GDPR and Article 9 GDPR in the case of

processing a category of special personal data. Recital 51 GDPR

finally clearly indicates that Article 6 GDPR must always be applied.

43. No applicable legal basis can be found in national legislation either. Neither

the Act of 30 July 2018 on the protection of natural persons with

regard to the processing of personal data, nor the Act of 4 April 2014 on

insurance, nor any national law contains a processing ground on the basis of which

health data in the context of entering into insurance contracts

1 See also decision 77/2023, §74, of the Dispute Resolution Chamber. 2
See, for example, decisions 38/2021, 54/2023 and 77/2023 of the Litigation Chamber.
3CJEU Judgment of 4 July 2023, Meta, C-252/21, ECLI:EU:C:2023:537, para. 90.
4
Opinion 2/2019 (EDPB) on the questions and answers on the interaction between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (Article 70(1)(b)) of 23 January 2019.

5 Opinion 06/2014 (WP 29) on the concept of “legitimate interest of the controller” in Article 7 of Directive 95/46/EC.

6BS 5 September 2018.
7
BS 30 April 2014. Decision on the substance 109/2024 — 11/24

processed. Consequently, the defendant must find a legal basis in the

GDPR.

44. The EDPB Guidelines 05/2020 state that Article 9.2 GDPR does not provide for the

necessity of the performance of the contract as an exception to the general

prohibition of processing in Article 9.1 GDPR. In this context, the

controller must investigate whether one of the specific exceptions in Article 9.2(b) to

j) could apply to such a situation.

If none of the exceptions in subparagraphs b - j apply, obtaining explicit consent in accordance with the conditions for valid consent laid down in the GDPR is the only possible legal exception on the basis of which the controller could process personal data belonging to special categories of personal data.

45. As already mentioned above and as indicated by the defendant in its submissions, Belgian national legislation does not provide specific legal grounds for the processing of health data in the context of insurance contracts. Also, the exceptions provided for in Article 9.2 b)-j) GDPR cannot apply to the processing at issue.

46. Consequently, the defendant refers to Article 9.2.a) GDPR, namely explicit consent,

as the basis for the processing of health data.

47. According to Article 9.2.a) GDPR, the prohibition on the processing of special

categories of personal data does not apply if the data subject has given his or her

explicit consent to the processing of the personal data in question

for one or more specific purposes. According to Article 4.11) GDPR,

"consent" of the data subject means any freely given, individualised,

informed and unambiguous indication of the data subject's wishes by which he or she,

by making a statement expressing agreement or by taking an action

clearly indicating his or her agreement, signifies his or her acceptance of the

processing of his or her personal data. 48. The element “freely” implies real choice and control for the data subject. As a general rule, the GDPR prescribes that if a data subject has no real choice, he/she will feel forced to give consent or it will have negative consequences for him/her.

If he/she does not consent, the consent is not valid.

8EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, v.1.1 available
at https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf. 9EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, v.1.1, p.8, available at https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent nl.pdf. Decision on the merits 109/2024 — 12/24

49. As is apparent from the complaint, the credit offer in question provides for a conditional

interest rate reduction, one of the conditions of which is to take out a credit-linked

life insurance policy, the aforementioned mortgage protection insurance, with the defendant in

the amount of the credit. If no mortgage protection insurance is taken out with the

defendant, the interest rate reduction will lapse. In addition, the Dispute Chamber also refers to

the social desirability of mortgage insurance, namely the benefits for

partners or heirs who are protected by taking out mortgage insurance.

50. Given the negative consequences associated with not taking out mortgage insurance

in question, the Dispute Chamber is of the opinion that the consent

was not freely given. Since the condition of free consent has not been met,

the other conditions do not need to be tested, given their cumulative nature,

in order to assess the lawfulness of the consent in question. Consequently,

there is an infringement of Article 4, 11) GDPR and Article 9.2 GDPR.

51. However, the Dispute Chamber points out that this infringement

is not attributable to the defendant. The Dispute Chamber wishes to draw attention to the broader

problem associated with the complaint, namely the collection of health data by insurers from potential policyholders via their

explicit consent (Article 9.2. a) GDPR) in the context of concluding and executing

an insurance policy, in this case a mortgage insurance policy, and the associated question

to what extent the consent of those policyholders can be freely given. The question arises whether,

other than explicit consent, there are other possible processing grounds on the basis of

which the health data can be processed by the defendant in the execution of the

insurance contract.

52. The aforementioned Act of 30 July 2018 on the protection of natural persons

with regard to the processing of personal data, which implements the

GDPR, does not contain any specific provisions further regulating the processing of sensitive

personal data in the context of insurance. Nor does it contain any other

national legislation. The defendant notes that a national legislative framework is lacking in this respect, despite several attempts to do so, including at the initiative of the insurance sector itself. The Dispute Chamber can only comment on this position and note that the legislator should intervene in this regard to provide a legal basis specifically for the insurance sector that allows health data to be collected within well-defined limits in the context of the (pre-)contractual relationship between the insurer and the policyholder. 10 The Dispute Chamber refers to Article 30.3.b for

10
See also Decision 24/2020 of 14 May 2020, paragraphs 74 and 75. Decision on the merits 109/2024 — 13/24

illustration. of the Dutch Implementation Act General Data Protection Regulation

in which such a legal basis was provided:

53. Article 30.3 Implementation Act General Data Protection Regulation: “In view of Article

9, paragraph 2, section h, of the Regulation, the prohibition on processing health data

does not apply if the processing is carried out by:

a. […]

b. insurers as referred to in Article 1:1 of the Financial Supervision Act or financial

service providers who mediate in insurance as referred to in Article 1:1 of that Act, to the extent that the processing is

necessary for:

1°. the assessment of the risk to be insured by the insurer and the

data subject has not objected; or

2°. the execution of the insurance contract or assistance with the

management and execution of the insurance.

54. Article 30.4 Dutch Implementation Act General Data Protection Regulation:

“4. If the first, second or third paragraph is applied, the

data shall only be processed by persons who are obliged to maintain confidentiality by virtue of their office, profession or

legal requirement or by virtue of an agreement. If

the controller processes personal data and is not already subject to a duty of confidentiality

by virtue of their office, profession or legal requirement, they shall be

obliged to maintain confidentiality of the data, except insofar as the law obliges them to

disclose them or their task requires the data to be communicated to others who are

authorised to process them by virtue of the first, second or third paragraph.”

55. Despite the various initiatives to provide a specific legal basis for the

processing of health data in the context of insurance contracts, the Belgian legislator has not yet

followed up on this. 56. The Dispute Resolution Chamber considers that this situation is undesirable for all actors involved in concluding such insurance contracts and urges that a solution be found, preferably at European level. Consequently, the Dispute Resolution Chamber will inform the EDPB of this decision and, in consultation with the GBA Management Board, other competent authorities at national and European level. 

1In full: Law of 16 May 2018, containing rules implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016, L 119) (General Data Protection Regulation Implementation Act). Decision on the substance 109/2024 — 14/24

II.3. Automated individual decision-making (Article 22 GDPR)

II.3.1. Determination by the Inspection Service

57. In the Inspection Report, the Inspection Service does not establish any infringements with regard to the

use of automated individual decision-making for ordinary personal data.

58. With regard to the use of automated individual decision-making for

health data, the Inspection Service establishes that Article 22.4 GDPR has not been complied with

since the consent requested by the defendant on the basis of Article 9.2.a)

GDPR was not validly obtained. Consequently, the Inspection Service establishes that the

defendant has committed an infringement of Article 22.4 GDPR and Article 24.1 GDPR and Article 25.1

GDPR with regard to the use of automated individual decision-making

concerning health data.

II.3.2. Position of the complainant

59. The complainant states that the infringement in connection with automated decision-making based on

health data was already sufficiently proven in the original complaint and was also

confirmed by the Inspectorate.

II.3.3. Position of the defendant

60. The defendant points out that the infringement of Article 22.4 GDPR

established by the Inspectorate is a ‘derivative’ infringement that follows from the

infringement of Article 9.2.a) GDPR established by the Inspectorate, and that no

further infringements were formulated of other conditions of Article 22.4 GDPR. Furthermore, the

Inspectorate found that the defendant fully complies with the conditions of Article 22 GDPR

with regard to ‘ordinary’ personal data. Consequently, the defendant argues that if the

Dispute Chamber were to rule that the explicit consent was lawfully given,

the infringement established by the Inspection Service with regard to Article 22.4 GDPR must be rejected.

61. During the hearing, the defendant was asked to further clarify its position on the

finding regarding automated individual decision-making. The defendant explained that this method of decision-making is a

conscious choice by the defendant, not least to protect the confidentiality and integrity of the

medical data. When this processing produces a positive result for the customer, there is no

human control. If a potential problem arises (also known as a flashing light), the file is sent to an employee for

Decision on the merits 109/2024 — 15/24

control of the decision-making. Insurance is therefore never refused without the

decision-making having been checked by an employee of the defendant.

62. As regards the infringements of Article 24.1 GDPR and Article 25.1 GDPR, the

defendant argues that these are in any case unfounded due to a lack of motivation from the

Inspection Service (see II.1). If the Dispute Resolution Chamber were nevertheless to proceed to assess

the substance of an infringement of these articles, the defendant argues that it has taken

all appropriate technical and organisational measures to achieve the objectives intended by the

GDPR. A dysfunction in a rare case does not of course mean that the necessary

procedures and processes would not have been implemented in general, which the Inspectorate

also found in the context of its initial assessment, the defendant states. Consequently, the

defendant has complied with the conditions for automated individual decision-making in

accordance with the requirements arising from Article 22.4 GDPR, Article 24.1 GDPR and

Article 25.1 GDPR.

II.3.4. Assessment by the Dispute Resolution Chamber

63. When personal data are used to reach a specific decision and this

decision is based solely on automated processing of personal data,

this constitutes automated individual decision-making. Under Article 22.1

GDPR, data subjects have the right not to be subject to a decision based solely on

automated processing (including profiling), which either produces legal effects concerning

them or significantly affects them in another way.

64. However, the foregoing does not apply if the decision: a) is necessary for

entering into, or the performance of, a contract between the data subject and a

controller; b) is authorised by Union or Member State law to which the controller is

subject and which also lays down suitable measures to safeguard the data subject’s

rights and freedoms and legitimate interests; or c) is based on the data subject’s

explicit consent (Article 22.2 GDPR).

65. According to Article 22.4 GDPR, automated individual decisions may not be

based on special categories of personal data unless they are based on the explicit consent of the data subject, or the use is

necessary for an important public interest under Union or Member State law. In both cases,

appropriate measures must be taken to safeguard the legitimate interests of the data subject. In the first

situation, the controller shall take such measures himself, in the second situation they shall be

prescribed by law. Decision on the substance 109/2024 — 16/24

66. As argued by the defendant, automated individual decision-making

is based on explicit consent as prescribed by Article 9.2.a) GDPR.

In the present case, the Dispute Resolution Chamber held that the express

consent had not been validly obtained, but that this infringement was not attributable

to the defendant (see section II.2). Consequently, the defendant may rely on Article

22.2.c) GDPR in conjunction with Article 22.4 GDPR, if it meets the applicable conditions.

67. Since the defendant relies on Article 22.2.c) GDPR in conjunction with Article 22.4 GDPR, it must

take the necessary appropriate measures to protect the rights of the data subject. These measures must include at least the

following: the right to human intervention, the right for the data subject to make his or her

point of view known and the right to challenge the decision. 68. Based on the defendant's statement and the privacy statement regarding automatically

taken decisions as submitted by the defendant, the Dispute Chamber

establishes that the defendant has taken various measures. Automated

individual decision-making without human intervention is only taken in the

case of a positive decision. In the event that various indicators go off and

a negative decision may have to be taken, the file will in any case be

assessed by an employee for verification. The person concerned can object to

profiling, which means that the decision to qualify for credit and

associated mortgage insurance cannot be made automatically. If a person concerned does not

agree with the automated individual decision, he or she can, in accordance with the

privacy statement, contact the defendant in various ways to let

know why he or she does not agree with the decision and to ask

to review the decision taken. 69. In view of the above, the Dispute Chamber finds, on the basis of the statements of

the defendant and the applicable privacy statement, that the defendant legitimately bases

the automated individual decision-making based on health data on explicit consent and has taken the necessary

appropriate measures to protect the rights of the data subject. Since the

Dispute Chamber finds no indications in the Inspection Report or in the

conclusions of the complainant that would refute this finding, the Dispute Chamber finds that

there is no infringement of Article 22 GDPR, Article 24 GDPR and Article 25 GDPR.

Decision on the merits 109/2024 — 17/24

II.4. Information obligations in the privacy statement

II.4.1. Findings in the Inspection Report

70. The Inspection Service finds that the general privacy statement regarding customers in the broad sense

does not always contain concise, transparent and comprehensible information (Article 12.1

GDPR) and does not contain all the information required under Article 13 GDPR.

71. With regard to the information that is not always concise, transparent and comprehensible, the

Inspection Service finds that the statement in the privacy statement that the defendant is part

of a group of companies has no added value. Furthermore, the

Inspection Service points out that the words personal data and data are not synonyms that are

used interchangeably. Furthermore, the privacy statement contains long, complex sentences with jargon on several occasions, which may be unclear to

the defendant's customers who are not familiar with the subject matter.

72. The Inspectorate considers the privacy statement to be incomplete, since the direct telephone number of the data protection officer is not included in the privacy statement (Article 13.1.b) GDPR). Furthermore, the privacy statement lacks transparent information on what the appropriate or suitable safeguards are, how a copy can be obtained or who can be consulted when transferring personal data by the defendant to third countries for which there is no adequacy decision by the European Commission (Article 13.1.f) GDPR). The Inspectorate also notes a lack of transparent information on whether the data subject is obliged to provide the personal data and what the possible consequences are if personal data are not provided if the provision of personal data is based on a legal or contractual obligation or a necessary condition for concluding a contract (Article 13.2.e) GDPR).

II.4.2. Position of the defendant

73. The defendant disputes the findings of the Inspectorate regarding the privacy statement

and refutes them in its conclusions.

74. With regard to the findings regarding the not always concise, transparent and
comprehensible information, the defendant points out that references to the group of

which it is part are functionally important to explain to the data subject how his or

her personal data may be used within the group. With regard to the

use of the terms data and personal data, the defendant argues that it does make it

clear to the data subject that the privacy statement relates to personal

data. The word personal data appears no less than 130 times in the privacy

statement. She also points out that the use of the word data does not in any way limit the scope of the Decision on the merits 109/2024 — 18/24

privacy statement, since the word

‘data’ can be considered broader in normal language and under the GDPR than the term

‘personal data’. Next, concerning the use of language in the

privacy statement, the defendant argues that the Inspectorate does not reproduce the targeted passages

in their original context, as a result of which the information that clarifies these

passages has been omitted. In addition, the defendant states that it uses the most common

language possible, but that, given the nature of its activities and the

legal framework in which it operates, it is forced in certain cases to use specific

names and terms. The information to the data subject must be

in accordance with Article 12.1 GDPR not only clear but also concise, whereby an appropriate balance must be found between adding additional

explanation on the one hand and including information in summary form on the other.

75. As regards the finding that the privacy statement contains incomplete information, the defendant puts forward arguments to refute this finding.

Regarding the lack of mention of the direct telephone number of the data protection officer in the privacy statement, the defendant clarifies that it has chosen not to mention this telephone number in view of the defendant's reputation in the Belgian market and the size of the company. After all, it receives a significant number and a wide variety of requests and questions from data subjects. It would not be feasible for the data protection officer to be called directly with these requests.

Data subjects can, however, contact the defendant's helpdesk by telephone. If necessary, the helpdesk agents will forward questions about data protection to the Group Data Protection Unit, of which the data protection officer is a member. As regards the information on

appropriate safeguards for transfers, the defendant states that it explains the relevant transfers

and provides detailed information on the processors it cooperates with. It also provides clear information to the data subject on how to

contact it and how to exercise rights. In its

privacy statement, the defendant firstly confirms its intention to transfer

personal data to recipients who may be located outside the European Economic

Area in certain situations, secondly in which countries the processors are located

through which transfers may take place and thirdly that for certain

countries to which transfers may take place there is no adequacy decision by the European

Commission and that, where appropriate, appropriate safeguards will be invoked, including

standard contractual clauses and control mechanisms

to ensure the level of protection. Finally, the defendant points out that it does indeed state in detail in its privacy statement when the provision of personal data is a legal or contractual obligation.

II.4.3. Assessment by the Dispute Resolution Chamber

76. In implementation of the principle of transparency in Article 5.1.a) GDPR, the controller shall take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 and the communication referred to in Articles 15 to 22 and Article 34 in connection with the processing in a concise, transparent,

intelligible and easily accessible form, and in clear and plain language.

77. Taking into account the findings of the Inspection Service and after assessing the

argumentation of the defendants and the privacy statement enclosed with the documents, the

Dispute Chamber rules that there is no infringement of Article 12.1 GDPR in conjunction with Articles 13.1 and 13.2 GDPR.

II.5. Accuracy of the data and right to rectification (Article 5.1.d) GDPR and Article 16 GDPR)

II.5.1. Position of the complainant

78. In his complaint, the complainant states that the medical questionnaire is completed via the

website of the defendant, where the user is guided through the questionnaire via a series of

screens. Before completing the questionnaire, the user is informed that the information buttons in the questionnaire

must always be used to avoid unnecessary information being included. For each section of the questionnaire there is a list of conditions that should not be mentioned. At the end, this completion process results in a summary document that must be signed. However, this summary document lacks the list of conditions that should not be mentioned, which, according to the complainant, makes the questionnaire open to discussion. In this regard, the complainant states that the question may arise whether a specific condition was concealed by the applicant or whether the respondent herself had indicated that it was not necessary to mention that specific condition. Consequently, there is a possibility that the completed data may be subject to different interpretations. In this regard, the complainant points out that a possible discussion about the completed data between the respondent as insurer and the beneficiaries of the insurance may arise after the death of the insured. However, these beneficiaries did not complete this list, and

are also unaware of the original questions and the difference between the questionnaire

and the resulting summary document. According to the complainant, the accuracy of the

information, given the context of the mortgage protection insurance, is extremely important,

among other things because of the high financial stake. Although the complainant requested this, the

Decision on the merits 109/2024 — 20/24

defendant did not, according to him, make any corrections to the final document in order to

accurately reflect the questionnaire.

II.5.2. Position of the defendant

79. In its conclusions, the defendant argues that, in order to help the customer

complete the digital medical questionnaire and avoid the collection of unnecessary data (and

thus ensure data minimisation), it provides a limited number of ‘information buttons’

in some free text fields of its digital medical questionnaire. These information buttons

indicate conditions that in any case have no influence on the risk of death and

are therefore by definition not relevant when completing the questionnaire.

80. The defendant emphasizes that the purpose of the medical questionnaire is to be able to correctly estimate the risk of death of the insured. The defendant may, on the basis of the insurance legislation, only request information on conditions that may entail an increased risk of death with her medical questionnaire for a mortgage loan, referring to Article 5.1° of the Royal Decree of 10 April 2014 regulating certain insurance contracts to guarantee the repayment of the capital of a mortgage loan 12 ("Royal Decree on Mortgage Loan Insurance"). This article stipulated, among other things, the following condition for the medical questionnaire: "the questions asked are precise and relate exclusively to events that may substantiate the increased nature of a health risk for the candidate insured".

81. The defendant adds that, as a guarantee with regard to the insured, the legislator subjects the medical questionnaire of each insurer to external supervision.

The questionnaire used by the defendant is subject to the prior approval of the Follow-up agency subject, pursuant to article 4 of the Royal Decree

13
Mortgage protection insurance.

82. The defendant then refers to article 5.1.d) GDPR, which states that personal data

must be correct and updated if necessary. All reasonable measures must be

taken to erase or rectify without delay personal data that are inaccurate,

having regard to the purposes for which they are processed. Pursuant to article 16 GDPR,

the data subject has the right to obtain from the controller without delay rectification

of incorrect personal data concerning him.

1BS 10 June 2014.
13
Art. 4 Royal Decree on Mortgage Protection Insurance: “An insurance company may only use a medical questionnaire

when processing an application for mortgage protection insurance on condition that the formulation of the questions

has been approved in advance by the Follow-up Agency. The Monitoring Office shall decide within one month of receipt on the approval of the wording of the questions. The decision by the Monitoring Office shall be taken by a simple majority of votes.” Decision on the substance 109/2024 — 21/24

83. The defendant states that the medical questionnaire, including the information buttons, and the answers provided are stored on its secure IT system, which means that the personal data are ‘correct’ within the meaning of Article 5.1.d) GDPR. The subsequent possibility that the defendant offers to download the questions and answers in a PDF document does not affect the foregoing and does not entail that the personal data stored in the defendant’s systems are therefore incorrect and would give the complainant the right to ‘rectify’ those data accordingly within the meaning of Article 16 GDPR.

84. It also follows from the text of the GDPR that the accuracy of the personal data must be

assessed in light of the purposes for which they are processed, as the defendant argues. The fact that the medical questionnaire is intended to allow the defendant

to assess the risk of death of the prospective policyholder – for which

conditions without an influence on the risk of death that are indicated in the

information button are irrelevant – means that the personal data as shown in the

downloadable PDF document must also be considered as correct in light of the

aforementioned purpose of the processing.

85. Consequently, the defendant concludes, it can hardly be said that the complainant's right to rectification was disregarded, since, firstly, the personal data must indeed be considered correct and, secondly, the defendant responded to the complainant's request within the period provided for by the GDPR and requested clarification in this regard, to which it did not receive a response from the complainant.

II.5.3. Assessment by the Dispute Resolution Chamber

86. On the basis of the elements provided by the defendant in the conclusions, with reference

to the documents, the Dispute Resolution Chamber concludes that the defendant has made the necessary efforts

to demonstrate that the accuracy of the personal data is guaranteed and that it has responded to the complainant's request

for rectification in a timely and correct manner, so that there is no infringement of Article 5.1.e) GDPR and Article 16 GDPR.

II.6. Integrity and confidentiality (Article 5.1.f) GDPR)

II.6.1. Position of the complainant

87. The complainant states that after completing the aforementioned questionnaire when applying for the

mortgage insurance, a document is offered for signature, the above-

summary document. This signature must be done via the mobile application

of the defendant and is an essential part of guaranteeing the integrity of the

substantive decision 109/2024 — 22/24

personal data. The complainant argues that, without proper

signature, there is a possibility that the defendant will subsequently change the data. The

complainant also points out that the defendant, as an insurer, has a conflicting interest

with respect to the data subjects (the beneficiaries).

88. In assessing whether the security is appropriate, the complainant submits that

the sensitivity of the personal data in question and the impact of a change, i.e. a breach of the integrity, of the data, should be taken into account. The complainant argues that

although appropriate technology is available to ensure the integrity of the data and to provide evidence of this

to third parties, the respondent does not use it. According to the complainant, the integrity of the document is not

guaranteed by a digital signature based on public key cryptography, or this signature

is in any case not visible to the complainant. In the absence of such a signature, the

integrity of the document is not sufficiently guaranteed.

II.6.2. Position of the defendant

89. The defendant disputes the complainant's allegations and states that it has indeed taken appropriate

technical and organisational measures "to ensure a level of security appropriate to the risk",

in accordance with what Article 5.1.f) GDPR and

Article 32 GDPR require. Article 32 GDPR also expressly

makes it clear that the GDPR does not prescribe one specific security

measure, but that the assessment of the level of security is based on the totality of

technical and organisational measures taken, as well as on the need to take into

account "the state of the art, the costs of implementation, and the nature, scope,

context and purposes of the processing and the varying likelihood and severity of the

risks to the rights and freedoms of individuals".

90. As regards the integrity of the digital medical questionnaire, the

defendant has implemented an appropriate combination of technical and organisational

measures. After the digital medical questionnaire has been completed, all answers entered by the prospective policyholder are automatically transferred by the system to the document that is presented to the person concerned for signature. After

signing, these data can no longer be modified in the defendant's systems.

This is technically built into the database. Even if an employee is granted access to the stored medical questionnaire under the strict

access policy, that employee cannot modify the stored answers of the prospective policyholder to the medical

questionnaire in the system.

91. The defendant then sets out the main security measures concerning the integrity of the data from the medical questionnaire. This includes strong Decision on the merits 109/2024 — 23/24

authentication within the highly secured banking environment of the defendant, the

signature with a secret PIN code or via facial recognition, the time stamp of the

signature, the isolated storage systems where the completed questionnaires are

stored in an isolated database, separate from other files and

processing systems of the defendant, access control for employees with a very

strict access policy, no possibility of changing the completed answers

for employees; the completed medical questionnaires can never be consulted by

agencies or offices, and the internal policy includes specific guidelines for the

processing of medical data within the defendant, such as the management of

access to medical data and of the authorisation for certain applications and the storage of

medical data. The defendant emphasises that these technical and organisational

measures are closely monitored and adjusted if necessary. 92. The defendant also points out that, apart from all the previous measures, the

candidate policyholder can also save the completed medical questionnaire on

his/her own device. The alleged – and purely hypothetical – risk of modification by

the defendant that the plaintiff refers to can simply be countered in this way,

the defendant states. In such a scenario, the downloaded copy would enable the

plaintiff to demonstrate a modification and provide counter-evidence,

the defendant explains. If desired, the person concerned can also subsequently

ask the defendant for a copy of the medical questionnaire, as the plaintiff did in this

case.

93. Finally, the defendant argues that there are no special legal requirements for the

signing of medical questionnaires regarding the type of signature required, neither under the

EU eIDAS Regulation, nor under Belgian law, nor under the GDPR. The totality of the organisational and technical measures taken

guarantee a sufficient level of security appropriate to the risk in accordance with the

requirements of Article 5.1.f) GDPR in conjunction with Article 32 GDPR, the defendant concludes.

II.6.3. Assessment by the Dispute Chamber

94. Based on the elements provided by the defendant in the conclusions, with reference

to the documents, the Dispute Chamber concludes that the defendant has made the necessary efforts

to demonstrate that the required technical and organisational measures

have been taken to ensure secure data processing, so that there is no infringement

of Article 5.1.f) GDPR in conjunction with Article 32 GDPR.

14Full version: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.