Datatilsynet (Denmark) - 2020-31-2757

From GDPRhub
Datatilsynet - 2020-31-2757
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 15(1) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published: 20.08.2020
Fine: None
Parties: Velliv, Pension & Livsforsikring A/S
National Case Number/Name: 2020-31-2757
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: n/a

The Danish DPA (Datatilsynet) held that an insurance company acted in accordance with Article 15 GDPR by not disclosing to a data subject the name of the medical consultant who had prepared an assessment related to the complainant, as well as the company's correspondence with its lawyer regarding the case initiated by the data subject.

English Summary

Facts

A data subject complained to the Danish DPA that his former insurance company, Velliv, Pension & Livsforsikring A/S, did not provide him with all his personal data in the course of an Article 15 data subject access request. In particular, the data subject complained that he did not receive the name of the medical consultant who had prepared a medical assessment of the complainant. The DPA did not consider the name of the medical consultant to represent personal data related to the data subject, and therefore did not find grounds for initiating a complaint.

The data subject then contacted the Datatilsynet once again and stated that he still believes that there was more information to which he was entitled, and which the controller did not provide to him. The insurance company then informed the DPA that it had not provided the data subject with an internal working document, which contained the controller's legal assessment as well as correspondence with the company's lawyer as a preparation for an upcoming lawsuit notified by the complainant. In addition to the legal assessment, the internal document also contained extracts of medical information and an observation which had previously been handed over to the data subject in complete versions.

Dispute

Was the controller obliged to provide the data subject with the name of the medical consultant pursuant to Article 15 GDPR?

Holding

The Datatilsynet held that the insurance company did act in line with Article 15 GDPR. The DPA did not consider the name of the medical consultant to represent personal data related to the data subject, and highlighted that the information contained in the internal working document had already been accessed by the data subject.

With regards to the company's correspondence with the lawyer, the Datatilsynet considered that this did not contain information covered by the data subject's right to access in Article 15 GDPR. In this context, the DPA made a reference to the fact that data controllers may, depending on the circumstances, refuse to grant data subjects insight into e.g. a note assessing whether a particular lawsuit against a customer can be won.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Complaint of lack of insight
Published 20-08-2020
DecisionPrivate companies
This was in line with the data protection rules, as an insurance company did not give a previous customer insight into all the documents that he or she believed he or she was entitled to receive.

Journal number: 2020-31-2757

Resume
The Danish Data Protection Agency handles many complaints where the data subject believes that he has not gained sufficient insight into his personal data. As an example of this, the Danish Data Protection Agency made a decision in August 2020 in a case where a citizen complained that he had not received all the personal information that his former insurance company Velliv, Pension & Livsforsikring A / S (Velliv), processed about him.

The citizen had i.a. complained to the Danish Data Protection Agency that Velliv, in connection with answering his requests for insight, had not provided the name of the medical consultant who had prepared a medical consultant assessment of complaints. The Danish Data Protection Agency did not find grounds for initiating a complaint, as the name of the medical consultant in the Data Inspectorate's opinion as the clear starting point did not constitute personal information about complaints, and as complainants in their inquiries to the Authority had not stated circumstances that gave grounds for deviating from this starting point.  

Complainant then again contacted the Danish Data Protection Agency and stated that he still believed that there was information to which he was entitled, which Velliv had not given him insight into.

Velliv informed the Danish Data Protection Agency that the company had failed to send an internal working document, which contained the company's legal assessments of the case, as well as correspondence with Velliv's lawyer, which was relevant for the preparation of an upcoming lawsuit notified by complainants. In addition to legal assessments of the case, the working document according to the information contained i.a. extracts of medical information and a performed observation of complaints which had previously been handed over to complainants in complete versions.

In its decision, the Danish Data Protection Agency assumed that the personal data contained in the internal working document had already been accessed by complaints, and that the material, including the correspondence with the lawyer, also did not contain information on complaints covered by his right of access. In this connection, the Danish Data Protection Agency referred to the fact that the data controller may, depending on the circumstances, refuse insight into e.g. a note assessing whether a particular lawsuit against a customer can be won. 

You can read more about the right to access and the exceptions to it in the Danish Data Protection Agency's guidelines on the data subjects' rights.

Decision
The Danish Data Protection Agency hereby returns to the case, where on 13 February 2020 you complained to the Authority that Velliv, Pension & Livsforsikring A / S (hereinafter “Velliv”) has not provided you with insight into all information that Velliv processes about you.

Decision
After reviewing the case, the Danish Data Protection Agency finds that Velliv's processing of personal data has taken place in accordance with the rules in the Data Protection Regulation [1] , cf. Article 15.

Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.

2. Case presentation
It appears from the case that your insurance coverage at Velliv was terminated on 1 February 2019. The revocation was then brought before the Board of Appeal for Insurance, which upheld Velliv's termination of your insurance. 

At the beginning of December 2019, you requested insight into the correspondence between Velliv and you. Subsequently, you requested insight into all material that Velliv processes about you. Velliv sent the complete case files in printed form by letter dated 16 January 2020.

On 12 January 2020, you contacted the Danish Data Protection Agency with a complaint that Velliv had refused to disclose the name of the specialist medical consultant who, among other things, had prepared a medical consultant assessment of you.

On 13 February 2020, you contacted the Danish Data Protection Agency again with a complaint that Velliv had not complied with your request for insight into the internal documentation in your case.

By decision of 5 March 2020, the Danish Data Protection Agency refused to initiate a complaint in connection with your complaint, as the medical consultant's name is not covered by your right of access. Furthermore, the Danish Data Protection Agency did not find grounds to conclude that Velliv processed information about you that you had not received insight into.

On 25 March 2020, you again contacted the Danish Data Protection Agency with a request to resume the case. On that basis, the Danish Data Protection Agency assessed that there were grounds for initiating a case with regard to the question of whether Velliv had disclosed all information about you.

On 2 April 2020, the Danish Data Protection Agency requested Velliv for an opinion for use in the case, which Velliv issued on 23 April 2020.

On 1 May 2020, you submitted comments on Velliv's statement.

2.1. Your comments
You have generally stated that you have not gained full insight into the personal data that Velliv has processed about you in the period from 6 February 2018 to 10 January 2019.

In this connection, you have stated that after 6 February 2018, Velliv initiated a comprehensive investigation of you, where you, among other things, was observed for twice three days and examined on social media, which also appears from a case presentation from Velliv of 9 January 2019.

You claim that as a result of this investigation, Velliv must have processed information about you and that you have the right to insight into this information. You also claim that Velliv may process additional information about you that you have not gained insight into, including minutes of telephone conversations. You are i.a. has been informed by an employee at Velliv that she would make a record of your telephone conversation. This report does not appear from the material that you have received from Velliv or Velliv's lawyer.

You have also stated that you believe that you have the right to insight into Velliv's employees' job descriptions. 

2.2. Velliv, Pension & Livsforsikring A / S 'comments
Velliv has generally stated that your request for access has been answered adequately, as there is no further material or information about you that is covered by the right of access pursuant to Article 15 of the Data Protection Regulation. According to Velliv, the request for access was received on 2 December 2019 and replied on 16 January 2020 by sending the dossiers in printed form.

Velliv has stated that in connection with the response to the request for access, Velliv excluded information that is not covered by the right of access, cf. section 22 of the Data Protection Act.

Velliv has stated that Velliv, pursuant to section 22 of the Data Protection Act, exempted information about you contained in an internal working document with Velliv's legal assessments for use in Velliv's preparation of the lawsuit that you have notified. In Velliv's opinion, the information contained in the legal assessments is not covered by the right of access, as it is not personal information, but an assessment of the burden of proof, etc.

Velliv has further stated that the internal working document also contains extracts from the medical files and the medical consultant's answers, minutes of your answers to Velliv, a summary of files obtained by internet examinations and the observation made of you, and that this material has been accessed in complete versions. .

Velliv has stated that the working document in question thus does not contain additional personal information which is covered by your right of access.

Velliv has further stated that the correspondence between Velliv and Velliv's lawyer regarding the preparation and presentation of evidence in the case is exempt from the right of access.

Velliv has also stated that the names and job descriptions of employees at Velliv do not constitute personal information about you and are therefore not covered by your right of access under Article 15 of the Data Protection Regulation.

Velliv has also stated that there are no further notes or written communication between Velliv and you that you have not already gained insight into. Velliv has pointed out in this connection that notes are not made in all cases regarding telephone conversations with customers. Velliv has emphasized that no further material from the completed investigation is stored, in addition to the material that you have gained insight into. Velliv has stated that during the actual observation, recordings have been deleted that either do not show information about you. or which are useless, e.g. due to vibrations. Thus, these recordings do not exist.

Justification for the Danish Data Protection Agency's decision
3.1.
Pursuant to Article 15 (1) of the Data Protection Regulation 1, the data subject has the right to insight into the processing of information that is considered to be information about the person in question.

The term "personal data" is defined in Article 4 (1) of the Data Protection Regulation as any kind of information about an identified or identifiable natural person. Information about other persons, including name and job title, is thus not covered by the right of access under Article 15 of the Data Protection Regulation.

3.2.
It follows from the Data Protection Act [2] § 22, para. 1, that Article 15 of the Regulation does not apply if the data subject's interest in the information is found to give way to decisive considerations of private interests, including the interests of the data subject himself.

Of the special remarks to section 22, subsection 1, appears i.a. that the data controller may, depending on the circumstances, refuse insight into e.g. a note assessing whether there is a prospect that a particular lawsuit against a customer may be won. [3]

It appears from the case that the internal working document and the correspondence with Velliv's lawyer partly contain extracts of information about you, which have been accessed to you in complete versions, and partly legal assessments for use in the notified lawsuit, which does not contain personal information about you. 

3.3.
After a review of the case, the Danish Data Protection Agency finds that Velliv was entitled to exempt the internal working document and correspondence with Velliv's lawyer, cf. section 22 (1) of the Data Protection Act. 1.

The Danish Data Protection Agency has hereby emphasized that Velliv has stated that the personal information contained in the material in question has already been accessed by you, and that the material also does not contain information about you which is covered by the right of access.

The Danish Data Protection Agency also finds that there is no basis for overriding Velliv's information to the supervision that Velliv does not in addition process further information about you covered by the right of access than the personal information that has already been given insight into.

The Danish Data Protection Agency also notes that it is not possible to gain insight into information that the data controller has deleted.

On that basis, the Danish Data Protection Agency does not find grounds for expressing criticism of Velliv, as Velliv's processing of personal data has taken place within the framework of the rules in Article 15 of the Data Protection Ordinance and section 22 (1) of the Data Protection Act. 1.

 

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).

[2]   Act No. 502 of 23 May 2018 on supplementary provisions to Regulation on the protection of natural persons in connection

with the processing of personal data and on the free exchange of such data (the Data Protection Act).

[3]  Bill to Act No. 502 of 23 May 2018, Bill No. L 68, the special remarks to § 22.