HDPA - 6/2020

From GDPRhub
HDPA - HDPA - 6/2020
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5 GDPR
Article 17(1) GDPR
Article 17(3) GDPR
Article 40(5) GDPR
Article 58(2)(b) GDPR
Article 34 Data Protection Law
Type: Complaint
Outcome: Upheld
Decided: 27.03.2020
Published: n/a
Fine: None
Parties: n/a
National Case Number/Name: HDPA - 6/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: {{{Initial_Contributor}}}

The Hellenic Data Protection Authority (HDPA) issued a reprimand to AXA Insurance because it failed to fulfill the right to erasure of personal data collected at the pre-contractual stage. The HDPA reserved its judgement on the lawfulness of the draft Code of Conduct of the Insurance Companies' Association, as requested according to Article 40(5) GDPR, with regard to the five-year retention period of personal data collected at the pre-contractual stage which is foreseen for the prevention of and fight against insurance fraud.

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject complained because an insurance company, AXA Insurance, did not fulfill their request to erase personal data of him and his family members. AXA had collected the data during the pre-contractual phase, but the data subject did not sign the insurance contract.

AXA claimed that the data subject had been informed before providing their personal data, including sensitive data, about the purposes of the processing and the retention period of five years, if the contract would not be signed, or for the entire contractual period, if the contract would be signed. The data subject and his wife consented. Further, AXA claimed that the retention of the data was necessary for the prevention of and fight against insurance fraud and revoked Recital 47 GDPR. Finally, it claimed that following the data subject's request, it anonymised their personal data.

Dispute[edit | edit source]

Holding[edit | edit source]

The HDPA found that AXA should have fulfilled the request for erasure, since the data subject withdrew its consent. Article 34 of the National Data Protection Law that broadens the scope of the exceptions to this right was not applicable in this case. Further, the anonymisation does not substitute the fulfillment of the data subject's right to erasure.

The HDPA found that AXA did not revoke nor prove any legal basis according to the GDPR which would justify its refusal to fulfill the right to erasure. Thus, it found that AXA violated that right. However, it acknowledged the mitigating circumstance that AXA had complied with the draft Code of Conduct of the Insurance Companies' Association regarding the retention of the data.

Thus, the HDPA issued a reprimand according to Article 58(2)(b) GDPR. It reserves its judgement on the lawfulness of the mentioned draft Code of Conduct with regard to the five-year retention period of personal data which was collected at the pre-contractual stage for the prevention of and fight against insurance fraud, as requested according to Article 40(5) GDPR.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

IO
Athens, 27-03-2020C/ΕΞ/2297/27-03-2020
PERSONAL DATA PROTECTION AUTHORITY
DECISION 06/2020
The Personal Data Protection Authority met, at the invitation of its President, to a regular meeting at its headquarters on Tuesday 25.02.2020, 10: 00, in order to examine the case referred to in the previous record. The President of the Authority, Konstantinos Penohydros and the regular members of the Authority, Spiridon Vlopoulos, Konstantinos Lamprinyoudakis, Eleni Martsoukou and Grigorios Thelos, alternate member of the Authority, as rapporteur, in place of the regular member Charalambos Antonopoulos, who was duly summoned to attend, because he was prevented from attending, were present. It was present, without the right to vote, was Charthios Lamsitos, legal auditor — lawyer, assistant rapporteur and Irini Papageorgopoulou, Administrator in the Administrative Cases Board, as secretary.
The Authority took into account the following:
With effect from 23.07.2019 (and ref. Complaint C/ΕΙΣ/5141/23.07.2019) Complaint, as supplemented by 09.10.2019 (and ref. no. Out C/ΕΙΣ/6110/10.09.2019) an application, A complains that the NFC insurance company has not granted the right to erasure to personal data concerning him or her. In particular, he complains that the insurance company did not comply with his request from... concerning the removal from the records of the company of the personal data of himself and members of his family, which were collected by the insurance company concerned by virtue of its insurance request at the pre-contractual stage of the insurance contract, which, ultimately, because of the conditions laid down in the insurance policy, did not accept and never signed. In its examination of the complaint, the Authority, 
 by letter ref. noLetter ref. c/ΕΞ/5141-1/10.09.2019 from the undertaking AG, the insurance company concerned, as it submitted explanations on the persons concerned and, in particular, the reasons for not complying with the entitlement to remission submitted by Mr A by e-mail from...In response to the above letter from the Authority, the insurance company SA from 27.09.2019 (ref. noA request to clarify that the complainant lodged his/her... health insurance application of his/her spouse and their two minor children and that he and his wife were submitted both individually and on behalf of his minor children to specific questions by Advance Medical Health Care Management Services S.A. (the processing operation), which has contracted with the undertaking an insurance company to assess the insurance risk of the health programmes by means of an interview carried out by telephone and recorded with the consent of the prospective insured person concerned. According to the undertaking (a) an insurance company, during the telephone interview, personal data and in particular special categories are collected (health data), the data subject is informed of the processing of the data and its consent is explicitly requested. In particular, prior to the start of the interview, the prospective insured person is informed, inter alia, of the purpose of the collection of the personal data, the recipients of the data, the period of retention (that is to say, for a period of 5 years, and in the case of the conclusion of a contract for the entire period of validity of the data), and of their rights, including the right to erasure. The response of the candidate insured shall also be recorded in the event of refusal, without any additional personal data being collected. Thus, according to the SA an insurance company, the obligation to obtain the consent of the data subject is fulfilled, as the recording is a document with the probative force attributed to it by law (Article 444 (1) (c) of the Code of Civil Procedure).According to the NFC insurance company, both the complainant and his wife consented to this in the processing of their personal data and were informed — in the case of an insurance application that is not an evolving insurance contract — to keep them for 5 years. Subsequently, due to the exceptions to the coverage of the abovementioned insurance scheme, A refused to take out insurance and by email... requested the deletion of his personal data and his/her family, which 
 had been collected in accordance with the above, at the pre-contractual stage. The... Insurance Company replied to its request by e-mail, informing it again about the personal data retention policy, the purposes of processing, including the avoidance and the fight against insurance fraud, and the retention of data for a period of 5 years in case no insurance contract was concluded. Ultimately, on... the CSA, by e-mail, sent the following reply to A: “ Further to our telephone conversation, I reiterate, and in writing, that in accordance with our company’s policy, the personal data of our clients’ insurance clients are kept for five (5) years from the date of their application for insurance, in order to prevent any insurance fraud. This information has already been received and obtained orally in the processing of your personal data. In any case and in order to respond to your request, we would like to inform you that we will proceed to the anonymisation of your application, i.e. the removal of any staff on board.”According to the insurance company’s claims, the retention of the complainant’s data was necessary, in accordance with Article 17 (1) (a) of the GDPR, to meet the objective  of “avoiding and fighting insurance fraud”.It invokes, in particular, the insurance company  ‘Code of Conduct for the processing of personal data by insurance companies’ submitted by the Association of Insurance Companies in Greece and is pending before the Authority for approval. In addition, the insurance company concerned, relying on Article 34 (3) of Law 4624/2019, claims that five years may be understood as a contractual retention period, since by giving the consent of the complainant to the recorded interview in the context of an application for an insurance product, a contract was concluded between the parties concerning the conditions for the processing of personal data in accordance with the provisions of Article 192 of the Civil Code. Furthermore, the assurance company invokes recital 47 of the GDPR 2016/679, according to which  “(...) the processing of personal data, insofar as strictly necessary for the purposes of preventing fraud, also constitutes a legitimate interest of the data controller concerned (...)”.In the light of the above, the NFC insurance undertaking concludes that the right of the complainant has been duly granted, since the anonymisation of the personal data 
 contained in its application makes it impossible to identify it. In addition to the above reply, the insurance company SA from 03.10.2019 (ref. noAn appeal C/ΕΙΣ/6671/04.10.2019) informed the Authority of:‘{...} Using the customer identification (name, tax number and insurance request number), we found in the company’s back offices, CRM) records, all records relating to the client’s application and the technical tools of each system carried out the anonymisation. All the identification data of the customer and its dependent members containing alphabetical letters have been replaced by “XXX...” and those containing alphabetical numbers have been replaced by “999.”.Identifying the customer in our company’s information systems with any identification is now impossible. The anonymisation process took place on....Furthermore, the complainant has been re-informed today... to meet his or her request (...)”.The Authority then replied to this letter. A letter from the assurance company SA, C/ΕΞ/5141-2/18.10.2019, to provide additional explanations on specific issues. In response, the undertaking (a) an insurance company with those of 04.11.2019, 05.11.2019 and 05.11.2019 (and ref. no. The Authority informed, inter alia, the Authority that the sole legal basis for the processing is the consent of the data subject pursuant to Article 9 (2) (a) of the GDPR ΕΙΣ/7564/05.11.2019 and the invocation of recital 47 of the GDPR 2016/679, inter alia, informed the Authority that the sole legal basis for processing was the consent of the data subject pursuant to (a) of the GDPR 2016/679 and the reference to recital of the GDPR ΕΙΣ/7573/05.11.2019 aimed to further explain the purpose of the processing, which was to avoid and to combat insurance fraud and legality, and that the company has never used any other legal basis other than consent. Furthermore, according to the SA an insurance company: ‘(...) 2. The avoidance and the fight against insurance fraud is the avoidance of a future insurance claim by the same data subject using false (otherwise differentiated) data in relation to the original application for insurance data. This constitutes a fraud of the insurance undertaking in order to obtain the insurance risk, which would be exempt from insurance if the data subject had submitted a true data or the taxable person would pay a premium for that cover. The above practice is detrimental not only to the insurance undertaking but also to all (bona fide) insured persons, since the amount of the annual premium for each insurance scheme is determined each time on the basis of the amount of losses 
 sustained by the insurance undertaking in the previous year. In the case of the maintenance of personal data obtained at the pre-contractual stage, the above purpose is attained, since if the person concerned returns to a future year and submits a new insurance application with insurance data differentiated from those submitted in the first year, the insurance undertaking may recognise insurance fraud and refuse insurance.’(...) 6. The data subject shall be given the opportunity to withdraw his/her consent even at the pre-contractual stage of the application for insurance. Such information shall be provided in the insurance request form (...) and in the oral information received during the recorded telephone medical interview (...) 7. Our company informed the data subject of the reasons for choosing the anonymisation of its data instead of erasure by contacting the Data Protection Officer of our Company. This shall also be demonstrated by the content of the data subject’s complaint, which refers to such communication and the information of the data subject of the process of anonymisation (...)’.
Subsequently, the Authority also replied toC/ΕΞ/5141-4/12.12.2019 and C/¬ ΕΞ/5141 3/12.12.2019 invited the insurance company concerned and complainant A respectively, as presented at a meeting of the Authority on Tuesday 21.01.2020 at 10: 00 to discuss the above-mentioned complaint. In response to the above-mentioned call, A informed the Authority of the letter dated 29.12.2019 (and ref. no. Request C/ΕΙΣ/53/07.01.2020) for not to be present at the above meeting. At the Authority meeting of 21, at the Authority meeting, in 01.2020, Aikaterini Pafli, a lawyer representing the insurance company, was represented as counsel for the insurance company, as counsel for the insurance company, which gave the company’s views and provided clarifications following questions from the members, while Mikhail Dermitzakis, lawyer, Data Protection Officer of the insurance company, was also present.
At the meeting, the NFC insurance company received, on request, a deadline of 10 in 02.2020 for the submission of a memorandum paper. Consequently, the insurance company SA submitted to the Authority within the deadline of 10.02.2020 (and ref. no. ECL C/ΕΙΣ/1087/10.02.2020) document written by, inter alia, informing the Authority of the company’s personal data retention policy in general, and providing information on the technique
anonymisation as adopted in response to A’s delisting request.
After examining the documents in the file, after hearing the rapporteur and the details provided by the assistant rapporteur, who attended the hearing without the right to vote and left after the hearing of the case and prior to the deliberation and the taking of a decision, after a thorough discussion,
AFTER DUE CONSIDERATION
1.	It follows from the provisions of Articles 51 and 55 of the General Data Protection Regulation (Regulation 2016/679) and Article 9 of Law 4624/2019 (Government Gazette, Series I, No 137) that the Authority is competent to supervise the application of the provisions of the GDPR, that law and other provisions relating to the protection of individuals with regard to the processing of personal data. In particular, it follows from the provisions of Article 57 (1) (f) of the GDPR and Article 13 (1) (g) of Law 4624/2019 that the Authority has the competence to deal with the complaint against the insurance company concerned against the insurance company for failure to comply with the right to erasure of personal data concerning him and to exercise, respectively, the powers conferred on it by the provisions of Article 58 of the GDPR and Article 15 of Law 4624/2019.
2.	As Article 5 of the GDPR defines the processing principles for the processing of personal data. In particular, it is specified in paragraph 1 that the personal data, including:“(a) be processed fairly and lawfully in a transparent manner with respect to the data subject (“lawfulness, objectivity, transparency”), (b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (...), (c) is appropriate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimisation”), (...) (e) maintained in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing of personal data; personal data may be stored for longer periods when personal data will only be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) and if the appropriate technical and organisational measures required by this Regulation are applied to safeguard the rights and freedoms of the data subject (“storage limitation”) {...}”.
3.	Because, in accordance with the provisions of Article 5 (2) of the GDPR, the controller is responsible and must be able to demonstrate compliance with the principles of treatment established in Article 5 (1).As the Authority has stated  , the GDPR has introduced a new model of compliance, the central size of which is the principle of accountability in which the controller is obliged to design, implement and generally take the necessary measures and policies so that data processing is in line with the relevant legislative provisions. In addition, the controller has the further duty to demonstrate on its own and at any time compliance with the principles of Article 5 (1) GDPR.
4.	As, in accordance with the provisions of Article 4 (c) (d).1 GDPR is personal data  “any information relating to an identified or identifiable natural person (“data subject”); An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’ 2.See also Article 4 (c) (d).5 of GDPR 2016/679 is defined as pseudonymisation: “the  processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, where such additional information is kept separately and is subject to technical and organisational measures to ensure that they are not attributed to an identified or identifiable natural person” .
5.	Since, in accordance with Article 8 (1) of the Charter of Fundamental Rights of the European Union, Article 9a of the Constitution and Recital 4 of the GDPR, the right to the protection of personal data is not an absolute right, but must be assessed in relation to its functioning in society and balanced with other fundamental rights, in accordance with the principle of proportionality. The GDPR respects all fundamental rights and observes the freedoms and principles recognised by the Charter, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
6.	As with regard to the right to erasure, Article 17 of the GDPR provides, inter alia: ‘1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws the consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing (...)”.Next, the provision in paragraph 3 of that article provides for derogations from the right to erasure, including: ‘3.Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (...) (b) for compliance with a legal obligation which requires processing under Union law or the law of a Member State to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of a public authority vested in the controller, (c) for reasons of public interest in the area of public health in accordance with Article 9(2) (h) and (i), as well as Article 9(3) (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), where the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing, or (e) for the establishment, exercise or defence of legal claims”.
Accordingly, Article 34 of Law No 4624/2019 introduces, under Article 23 of the GDPR, restrictions on the right to erasure and provides: ‘1. If deletion in case of manual processing due to the particular nature of storage is not possible or only with disproportionate effort and the interest of the data subject for erasure is not considered significant, there is no right of the data subject and the controller’s obligation to erase personal data in accordance with Article 17(1) of the GDPR, except for the exceptions referred to in Article 17(3) of the GDPR.In this case, the deletion is replaced by the restriction of processing in accordance with Article 18 of the GDPR.The above subparagraphs shall not apply where the personal data have been processed unlawfully. (...) 3. In addition to Article 17(3)(b) of the GDPR, paragraph 1 applies accordingly in the case of Article 17(1)(a) of the GDPR, if the deletion would conflict with statutory or contractual retention periods.”
7.	Whereas, in the case at hand, it is apparent from the documents in the file that the undertaking (a) an insurance company, as the controller, in accordance with the provisions of Article 4 (a) (d).7 of the GDPR, it was in principle required to satisfy a request from A that concerned the deletion from the records of the personal data company and members of his family, which were collected in the name of the personal data company himself and members of his family, which were collected in the name of the complainant himself by the insurance company concerned with his consent, in accordance with the provisions of Article 9 (2) (a) of the GDPR, by virtue of her... application at the pre-contractual insurance contract, which, ultimately, due to the relevant terms of the insurance contract, the complainant did not accept and never signed. In the present case, an insurance company, as the controller, should, as the controller, have, in accordance with the provisions of Article 17 (1) (b) of the GDPR, to satisfy the request for removal referred to above, since the latter by  its... claim in essence revoked the positive declaration of intent which he had provided to that insurance company to collect his personal data for the purpose of the insurance request and there is no other legal basis for such processing. Furthermore, there is no legal derogation from the right of erasure for the retention of personal data, in accordance with the provisions of Article 17 (3) of the GDPR, nor can the exercise of the right of erasure in the present case be substituted by any anonymisation of the personal data collected. Furthermore, it must be rejected as unfounded the claim made by the undertaking concerned with regard to the contractual retention period for the data at issue, pursuant to Articles 34 (3) of Law 4624/2019 and 192 of the Civil Code, in so far as the abovementioned provision of Law No 4624/2019 relating to erasure in the event of manual processing, is not applicable in the present case to the automated processing carried out by the AB in its information systems.
8.	As then, the Authority, taking into account, inter alia, in particular, the Opinions 15/2011 “ on the definition of consent” and 5/2014 “ on anonymisation techniques” and the guidelines  “on the consent under Regulation 2016/679” of the Article 29 Working  Party, as well as the relevant European Network and Information Security Agency (ENISA)  guidance, considers that in this particular case there has been a violation of the right to delete A referred to in Article 17 of the GDPR in the insurance company concerned. Furthermore, irrespective of the question of the link between the deletion and anonymisation of personal data without the possibility of identifying the individual concerned , however, as the controller, it does not prove or rely on the existence of a reason, based on the GDPR, for the lack of satisfaction of the right to erasure of personal data and the substitution of erasure by anonymisation of personal data as a controller. Nor does such a ground constitute, on the one hand, the relevant provision and reliance on the policy on the management of personal data in so far as it has no basis in the GDPR, and, on the other hand, the choice of the technical specifications of the IT system of the insurance company in so far as it is not supported by the GDPR.When exercising its corrective power, the Authority, when exercising its corrective power, in such a way as to impose, if applicable, the effective, proportionate and dissuasive measure in accordance with Article 83 of the GDPR, in line with the Guidelines “on the application and setting of administrative fines for the purposes of Regulation 2016/679” of the Article 29  Working Party, when assessing the data in order to select the appropriate corrective measure, takes into account, in particular, that the specific infringement related to the processing of a special category of personal data (health data) is an individual case (Article 83 (2) (a)) and assesses as a mitigating circumstance (Article 83 (2) (k)) the fact that the insurance company has followed a practice in harmony with the provision of the Draft Code of Conduct of the Association of Insurance Companies for the retention of personal data of the candidate insured for a period of five years, in case of a failure to conclude an insurance contract, which, however, because it has not been approved by the Authority, cannot be used as an element to prove its compliance with the GDPR (Article 24 (3)).The Authority will assess the legality of the above provision of the draft Code when examining the Code as a whole.
FOR THESE REASONS
A herring
(a) considers that the NFC insurance, as the controller, has violated the 
 exercise of the right to delete A in accordance with the provisions of Articles 5 and 17 of the GDPR and, pursuant to Article 58 (2) (b) of the GDPR, addresses the insurance company concerned with a reprimand to the insurance undertaking in breach of these provisions; and
reserves the right to decide on the lawfulness of the retention of personal data of prospective insured persons for a period of five years from their collection at the pre-contractual stage for the purpose of avoiding and combating insurance fraud in the context of the examination of the draft Code of Conduct of the Association of Insurance Companies which has been submitted to the Authority for approval, in accordance with the provisions of Article 40 (5) of the GDPR.
 Office of the Minister for Rural Development and Food 





 
Konstantinos Menukos
 
 peace Papageorgopoulou