Datatilsynet (Denmark) - 2020-31-3840

From GDPRhub
Datatilsynet (Denmark) - 2020-31-3840
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 6(1)(b) GDPR
Article 9(2)(f) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published: 08.12.2021
Fine: None
Parties: Tryg Forsikring A/S
National Case Number/Name: 2020-31-3840
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Tetyana Porokhonko

The Danish DPA rejected a data subject's complaint because it found that an insurance company had lawfully processed their health data in accordance with Article 9(2)(f) GDPR and Article 6(1)(b) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller is Tryg Forsikring A/S, an insurance company, and the data subject is one of their policyholders. The data subject requested compensation from the company because of an injury. On 3 September 2020, the data subject lodged a complaint with the DPA against Tryg Forsikring. They claimed that the company had collected and retained their health data of a period dating back ten years, although they only consented for the company to collect health data for a period of five years prior to the injury.

Tryg Forsikring, on the other hand, argued that the health data had been obtained to determine whether the data subject was entitled to compensation. In their opinion, the processing of health data was necessary for the establishment, exercise, or defence of legal claims, and the exception laid down in Article 9(2)(f) GDPR was applicable. Moreover, the company stated that Article 6(1)(b) GDPR was the legal basis for the processing of the data subject's personal data, and therefore did not rely on the data subject's consent.

Holding[edit | edit source]

The DPA concluded that Tryg Forsikring processed the data subject's personal data in accordance with the GDPR. More specifically, the medical records were obtained to determine a possible claim for compensation under the insurance agreement between the data subject and the company. Hence, the DPA found that Tryg Forsikring's processing of the data subject's health data was covered by the exception laid down in Article 9(2)(f) GDPR.

Furthermore, the DPA found that the processing of the data subject's health information was based on legal ground set out in Article 6(1)(b) GDPR, because the processing was necessary for the performance of the insurance contract to which the data subject is a party.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.



Tryg Forsikring meets the requirements within the data protection rules
Date: 08-12-2021
Decision

The Danish Data Protection Agency has assessed that Tryg Forsikring A / S ’collection of health information about a policyholder (complaints) had taken place within the data protection rules. The Authority has further found that the complainant's consent was not a consent covered by the GDPR.

Journal number: 2020-31-3840.
The Danish Data Protection Agency hereby returns to the case, where on 3 September 2020 you complained about Tryg Forsikring A / S ’processing of information about you.
The Danish Data Protection Agency has understood your inquiry as a complaint that Tryg Forsikring A / S has collected information about you in the form of medical records 10 years ago, even though you had only given consent for the company to collect information for a period of up to 5 years prior. for the time of injury.
Summary
The Danish Data Protection Agency has made a decision in a case where a citizen [complainant] has complained that Tryg Forsikring - for the purpose of assessing a claim for compensation made by complainants - had obtained information about him in the form of medical records.
The Danish Data Protection Agency found that Tryg Forsikring's collection of health information about complaints had taken place in accordance with the data protection rules.
The Danish Data Protection Agency emphasized that Tryg Forsikring's collection of information about complaints took place with the purpose of determining whether the complainants were entitled to compensation in accordance with the insurance conditions that applied to the insurance contract. The Authority further emphasized that the collection of the information took place with a view to fulfilling the agreement between Tryg Forsikring and the policyholder in order to determine a possible claim for payment in accordance with the insurance agreement.
The Danish Data Protection Agency also found no basis for overriding Tryg Forsikring's assessment that they had collected the information that was necessary for them as an insurance company to process the reported damage.
Finally, the Danish Data Protection Agency noted that the consent which the complainants in the case had given to Tryg Forsikring was not a consent under data protection law covered by the rules of the Data Protection Ordinance.
Decision
After a review of the case, the Danish Data Protection Agency finds that Tryg Forsikring A / S ’processing of information about you has taken place within the framework of the rules in the Data Protection Ordinance [1], cf. Article 9 (1). And Article 6 (2). 1.
Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.
2. Case presentation
It appears from the case that you have reported a claim to Tryg Forsikring A / S, where you are insured.
On 30 May 2020, you signed a declaration that Tryg Forsikring A / S in connection with the processing of your claims case had to obtain and pass on the information that was necessary for the company's assessment of your case. The consent included information for a period of up to 5 years prior to the time of the injury or the time of the onset of the illness and up to the time when Tryg Forsikring A / S had taken a position on your case.
2.1. Your comments
You have stated that you have only given consent for Tryg Forsikring A / S to obtain information about you, including health information, for a period of five years prior to the time of the injury, and that Tryg Forsikring A / S has nevertheless collected information about you who go back 10 years.
You have further stated that it must be considered unnecessary that Tryg Forsikring A / S has collected information about you that goes back 10 years. In this connection, you have referred to the fact that the Data Protection Regulation and the Data Protection Act state that no more information may be obtained about the individual than is relevant and sufficient for the fulfillment of the objective purposes for which the information is obtained.
2.2. Tryg Forsikring A / S ’comments
Tryg Forsikring A / S has stated that Tryg Forsikring A / S has obtained information about you from your doctor in order to assess whether the damage reported by you is covered by the insurance's conditions, and whether compensation must be paid for a permanent injury, including the size of a possible permanent injury.
The information that Tryg Forsikring A / S has collected about you consists of health information in the form of a medical record 5 years prior to the time of injury, as well as a functional certificate which contains information about current genes and any genes 10 years prior to the time of injury. The medical information is necessary for Tryg to calculate the claim for compensation from you. The collection of information has taken place on the basis of the legal requirement rule in Article 9 (1) of the Data Protection Regulation. Article 6 (2) (f) 1, letter b) for policyholders and letter f) for insured persons under the insurance.
Tryg Forsikring A / S has further noted that the consent obtained in the case does not constitute the processing authority for Tryg Forsikring A / S 'processing of personal data for use in the compensation statement.
Finally, Tryg Forsikring A / S has stated that the collection of information about you has taken place in accordance with the basic principles for the processing of personal data in Article 5 of the Data Protection Ordinance. Tryg Forsikring A / S has hereby emphasized that the collection of information is necessary for , that Tryg as an insurance company can treat your reported damage. Information about your health history helps to determine whether you are entitled to compensation in accordance with the insurance conditions that apply to the insurance contract. Here it is i.a. decisive whether the reported damage is due to consequences of pre-existing or present injuries / diseases.
Justification for the Danish Data Protection Agency's decision
The Danish Data Protection Agency assumes that you have taken out insurance with Tryg Forsikring A / S, and that the information in the case concerns Tryg Forsikring A / S 'treatment of a reported damage.
Pursuant to Article 9 (1) of the Data Protection Regulation 1, there is in principle a ban on the processing of health information. However, the prohibition shall not apply if one of the exceptions in Article 9 (1) 2 shall apply.
It is clear from Article 9 (1) 2, letter f, that the prohibition on processing does not apply if the processing is necessary for legal claims to be established, asserted or defended.
When processing information covered by Article 9 (1) There must also be a legal basis for the processing in Article 6 (1) of the Data Protection Regulation.
It follows from Article 6 (1) of the Data Protection Regulation 1, letter b, that personal data may be lawfully processed if the processing is necessary for the fulfillment of a contract to which the data subject is a party.
The Danish Data Protection Agency finds that Tryg Forsikring A / S ’processing of your health information is covered by the exception to the prohibition in Article 9 (1) of the Data Protection Ordinance. 2, letter f.
The Danish Data Protection Agency has hereby emphasized that Tryg Forsikring A / S collected information about you from your doctor for the purpose of determining whether you are entitled to compensation in accordance with the insurance conditions that apply to the insurance agreement.
Furthermore, the Danish Data Protection Agency finds that the processing could take place on the basis of Article 6 (1) of the Data Protection Regulation. 1, letter b.
The Danish Data Protection Agency has hereby emphasized that the said information was obtained with a view to fulfilling the agreement with you as the policyholder in order to determine a possible claim for payment in accordance with the insurance agreement.
Against this background, the Danish Data Protection Agency finds that Tryg Forsikring A / S ’processing of your health information took place in accordance with Article 9 (1) of the Data Protection Ordinance. Article 2 (2) (f) and Article 6 (2) 1, letter b.
The Danish Data Protection Agency also finds that there is no basis for overriding what Tryg Forsikring A / S stated that Tryg Forsikring A / S has collected the information about you that is necessary for Tryg Forsikring A / S, as an insurance company, can process your reported damage in accordance with Article 5 (1) of the Data Protection Regulation. 1, letter c. (Principle of data minimization).
The Danish Data Protection Agency presupposes that Tryg Forsikring A / S, in fulfilling its duty to provide information pursuant to Articles 13 and 14 of the Data Protection Ordinance, has stated the grounds on which Tryg Forsikring A / S bases its processing in connection with the assessment of a reported damage, and that It appears that the processing of personal data is carried out on the basis of Article 6 (1) of the Data Protection Regulation. 1, letter b, and 9, para. 2, letter f.
It is noted that the consent given in the statement in question for use in Tryg Forsikring A / S 'collection of health information about you is not a data protection law consent covered by the rules of the Data Protection Ordinance and does not form the basis for processing information in connection with your reported damage.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).