Helsingin hallinto-oikeus (Finland) - 117/2024

From GDPRhub



Latest revision as of 10:29, 25 March 2024

Helsingin hallinto-oikeus - 117/2024
Court: Helsingin hallinto-oikeus (Finland)
Jurisdiction: Finland
Relevant Law: Article 9 GDPR
Article 9(1) GDPR
§ 2(1)(5) Insurance Contracts Act
§ 6(1)(1) Data Protection Act
Decided: 16.01.2024
Published: 16.01.2024
Parties: OP-Henkivakuutus Oy
National Case Number/Name: 117/2024
European Case Law Identifier:
Appeal from: Tietosuojavaltuutetun toimisto (Finland)
4680/182/18
Appeal to: Pending appeal
Korkein hallinto-oikeus (Finland)
Original Language(s): Finnish
Original Source: Helsingin hallinto-oikeus (in Finnish)
Initial Contributor: fred

The Administrative Court of Helsinki upheld a Finnish DPA decision ordering a life insurance company to change its processing operations. The controller was found to have breached Article 9 GDPR as its practice was to process the health data of life insurance applicants.

English Summary

Facts

The controller (OP-Henkivakuutus Oy, a life insurance company) had asked the Administrative Court of Helsinki (the Court) to overturn the Finnish DPA's decision, according to which the controller had no legal basis to process the health data of life insurance applicants.

The controller filed the appeal claiming that it must be able to process the health data because the health status of the insured party and the risks associated with it are at the centre of the risk assessment related to the granting of the insurance.

The controller also took the view that insurance applicants must be considered insured parties in accordance with Section 6(1)(1) of the Finnish Data Protection Act, according to which insurance institutions may, despite the general prohibition in Article 9(1) GDPR, process the health data of the insured party and the claimant, which is necessary to assess the risks of the insurance institution.

Holding

The Court noted that neither the Finnish Data Protection Act nor its preparatory material defines what is meant by the insured party in connection with the application of the Act. However, in the Court's view, the preparatory material of the Finnish Data Protection Act does not support the interpretation that the legislator intended to extend the concept of "insured party" to the applicant for insurance before the conclusion of an insurance contract.

In this respect, the Court also stated that the "insured party" is defined in Section 2(1)(5) of the Finnish Insurance Contracts Act, according to which the insured refers to the party that is currently subject to a personal insurance or non-life insurance policy. The Court considered that this definition could also be used as a starting point for interpretation when applying Section 6(1)(1) of the Finnish Data Protection Act. Under this Section, therefore, the controller could not consider applicants for an insurance plan to be insured parties.

In light of this, the Court agreed with the DPA that the processing of special categories of personal data of voluntary insurance applicants carried out by the controller had violated Article 9 GDPR.

Comment

The Administrative Court of Helsinki has issued a similar decision in case 116/2024.


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

HELSINKI ADMINISTRATIVE COURT

DECISION 117/2024

16.01.2024

ID number 3463/03.04.04.04.01/2022

Matter

A complaint regarding a data protection matter

Appellant

OP-Life Insurance Ltd

Decision to be appealed

Data Protection Commissioner 8 June 2022 ID number 4680/182/18

In 2020 and 2021, the Office of the Data Protection Commissioner investigated the procedures of OP-Henkivakuutus Oy (the data controller) in situations where the data controller requests data on the health status of registered users from health care units.

In its decision under appeal, the Data Protection Commissioner has held that the data controller cannot process the health data of the applicant for voluntary insurance or the health data of the person for whose death, illness or injury voluntary insurance is being applied for, based on the provisions of section 6, subsection 1, point 1 of the Data Protection Act. For this reason, the data controller cannot also request the health status information of these persons from the health care units during the insurance application phase, pursuant to the provisions of Section 6, Subsection 1, Clause 1 of the Data Protection Act. The processing of the special personal data groups of the voluntary insurance applicant by the controller does not comply with Article 9 of the General Data Protection Regulation.

The Data Protection Commissioner has ordered the data controller pursuant to Article 58, paragraph 2, subsection d of the General Data Protection Regulation to bring the processing operations in line with the provisions of Article 9 of the General Data Protection Regulation, when the data controller processes the health data of the applicant for voluntary insurance or the health data of the person for whose death, illness or injury voluntary insurance is being applied for.

The Data Protection Commissioner has left it to the discretion of the data controller to determine more precise appropriate measures, but has ordered it to submit a report on the measures taken by July 29, 2022.

Among other things, the following has been stated in the reasons for the decision under appeal:

The provision of section 6, subsection 1, point 1 of the Data Protection Act regarding the processing of the health data of the insured and the claimant in insurance operations cannot be extended to the registered person who is an insurance applicant at the stage of applying for insurance. Registrants must be able to rely on the verbatim regulation of the Data Protection Act when applying for insurance. The processing of health data belonging to special personal data groups contrary to the wording regulation is not in accordance with the reasonable expectations of the registered. Due to the need for strong privacy protection related to patient documents, it is also not possible for the data to be processed contrary to the literal regulation.

In connection with the health examination, the general authorization requested by the data controller to request information from different health care units for the processing of the insurance case is not sufficient to fulfill the requirement for the processing of special personal data groups according to Article 9, paragraph 2, subparagraph a of the General Data Protection Regulation.

Claims presented in the appeal

The decision under appeal must be annulled. Alternatively, the matter must be returned to the data protection commissioner's office for re-evaluation. In any case, the data protection commissioner's office must be obliged to compensate the appellant's court and litigation expenses with legal interest.

The appellant is a life insurance company. The appellant thus issues insurance policies, based on which it pays a certain amount of compensation in the event of the insured's death, for example to his spouse. In life insurance, the health status of the insured and the related risks are at the center of the risk assessment related to the granting of the insurance. These risks affect, for example, whether the insurance can be granted at all, under what conditions the insurance can be granted, and how the insurance is priced.

In order to assess the conditions for granting life insurance, the insurance company asks the insurance applicant for reports on his health. In some situations, it may be necessary for the insurance company to obtain information directly from the health care unit, in which case the insurance company needs authorization or a release permit from the insured, which entitles the health care unit to hand over the information to the insurance company. In this case, it is not the consent referred to in Article 6(1)(a), Article 7 or Article 9(2)(a) of the Data Protection Regulation, but a separate permission related to patient legislation. The decision under appeal is based on an incorrect interpretation of the law regarding the concept of the insured in the Data Protection Act. The insurance applicant must also be considered insured as referred to in section 6 subsection 1 point 1 of the Data Protection Act.

As such, the definitions of the Insurance Contracts Act cannot mechanically be applied to the interpretation of section 6 subsection 1 point 1 of the Data Protection Act. It is more important to assess the legislator's purpose related to the said legal provision and the appropriateness of the interpretation. Adequate assessment of the health status of the insurance applicant is a very important operating requirement for insurance companies. A regulatory solution that would limit decades of established insurance practice would be radical and potentially mean a fundamental change in the way Finnish insurance companies operate. There should therefore be very compelling reasons for the change.

For example, even in the Insurance Contracts Act, the concept of the insured is not only used in the narrow sense referred to by the Data Protection Commissioner's Office to mean only the insured of an already issued insurance policy, but in a broader sense. First of all, in Section 2, Subsection 1, Clause 5 of the Insurance Contracts Act, the insured is defined to mean "the person who is the subject of the insurance", without taking an explicit position on the temporal dimension of the concept. A person can be insured even before concluding an insurance contract. Secondly, in Section 22 of the Insurance Contracts Act concerning the right to access to information, the concepts of policyholder and insured are used precisely in relation to the right to access to information, referring to the time before the insurance was granted. It is thus clear that even in the Insurance Contracts Act, the legislator did not intend the concept of the insured to be interpreted narrowly in such a way that it refers to a person only after the insurance has been issued. On the contrary, in the Insurance Contracts Act, the concept of the insured is also used to refer to the applicant for the insurance. Thirdly, in the interpretation of section 6 subsection 1 point 1 of the Data Protection Act, the broader principle expressed by section 22 of the Insurance Contracts Act must be taken into account, i.e. the legislator's intention to secure sufficient access to information for the insurance company even before concluding the insurance contract. Section 6 subsection 1 point 1 of the Data Protection Act must be interpreted in the light of this general principle. In addition, it should be noted that Section 6, Subsection 1, Clause 1 of the Data Protection Act and the legal provisions preceding it have been interpreted in a completely established way in Finland as also applicable to the insurance applicant. 
The entirety of the insurance system requires that insurance companies can make their choice of liability based on sufficient risk information. When the legislator's purpose in enacting section 6, paragraph 1 of the Data Protection Act was clearly to allow insurance activities, the legal section must also be interpreted against these aspects.

The possibility presented by the Office of the Data Protection Commissioner to obtain the consent of the insurance applicant is not a truly appropriate or practically realistic alternative to the processing right according to section 6 subsection 1 point 1 of the Data Protection Act. Since consent under data protection law is not an appropriate option, the review must be based on section 6 subsection 1 point 1 of the Data Protection Act and the legislator's intentions behind it.

Case handling and investigation

The Data Protection Commissioner has issued a statement.

The appellant has given a counter-explanation.

Administrative law solution

The administrative court rejects the appeal.

The administrative court extends the deadline set for the complainant by the decision of the data protection commissioner to submit the report on the measures taken until March 1, 2024.

The administrative court rejects the claim for reimbursement of court costs.

Reasoning

Applicable legal guidelines and law preparation material

According to Article 9(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation), the processing of personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, the processing of biometric data for the purpose of unambiguous identification of a person or the processing of information about health or information about the sexual behavior and orientation of a natural person is prohibited.

According to Article 9(2)(g) of the General Data Protection Regulation, Section 1 above does not apply if the processing is necessary for an important public interest reason based on Union law or Member State legislation, provided that it is proportionate to the objective, it respects the right to the protection of personal data in key respects and it provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject.

According to Section 6, Subsection 1, Subsection 1 of the Data Protection Act, Article 9, Subsection 1 of the Data Protection Regulation does not apply to information obtained in the course of insurance operations handled by the insurance institution regarding the health, illness, or disability of the insured and the claimant, or to treatment measures directed at him or to comparable actions that are necessary to determine the liability of the insurance institution.

In the government's proposal regarding the Data Protection Act (HE 9/2018 vp), it has been stated in the detailed justifications for section 6, subsection 1, point 1, that the section would specify the processing situations regarding the processing of special groups of personal data with regard to the processing of data obtained in the insurance operations of insurance institutions. This is possible under Article 9(g) of the General Data Protection Regulation. The clarification of section 1 would be necessary so that insurance institutions could in the future process information obtained in the insurance business about the health status, illness or disability of the insured and the claimant, or about the treatment measures applied to him or comparable information. - - According to paragraph 1, Article 9, paragraph 1 of the General Data Protection Regulation would not prevent the insurance institution from processing certain personal data belonging to special personal data groups in order to clarify its liability. The insurance institution could thus process information about the insured's and claimant's state of health, illness or disability, or the treatment measures or similar measures applied to them. Paragraph 1 of Article 9 of the General Data Protection Regulation covers, among other things, information about health. The information referred to in Section 6 of the Data Protection Act is health information.

According to Section 2, Subsection 1, Clause 5 of the Insurance Contracts Act, in this Act, the insured means the person who is the subject of personal insurance or for whose benefit the damage insurance is valid.

In the government proposal concerning the Insurance Contracts Act (HE 114/1993 vp), it is stated in the detailed justifications for section 2, subsection 1, point 5, that in personal insurance, the insured means the person who is the subject of the insurance. The insured person of life insurance is the person on whose death or life the insurance has been taken out. The insured of accident insurance is the person for whom the insurance has been taken out in case of accidental injury or death. -- In non-life insurance, the insured is the person for whom the insurance is valid. The insured is a person whose property or other benefit is the subject of the insurance. In liability insurance, the insured is the person for whom the insurance has been taken out in case of liability for damages.

Legal assessment

In the matter, it is to be assessed whether the appellant has been able to process the health status data of the applicant for voluntary insurance or the health status data of the person for whose death, illness or injury insurance is being applied for (hereafter the applicant), pursuant to section 6 subsection 1 point 1 of the Data Protection Act, and whether the processing of the special personal data groups of the voluntary insurance applicant carried out by the appellant was in accordance with Article 9 of the General Data Protection Regulation.

The appellant has considered that the processing of personal data concerning the health status of the registered person is permitted under Section 6, Subsection 1, Clause 1 of the Data Protection Act in order to ascertain the liability of the insurance company already when applying for insurance, and that the Data Protection Commissioner has interpreted the concept of the insured in the relevant legal section incorrectly.

According to Section 6, Subsection 1, Clause 1 of the Data Protection Act, Article 9, Clause 1 of the Data Protection Regulation does not apply to data obtained in the course of insurance operations when the insurance company processes information about the insured. The Data Protection Act or its preambles do not define what is meant by the insured in connection with the application of the Data Protection Act. According to Section 2, Subsection 1, Clause 5 of the Insurance Contracts Act, in the aforementioned law, the insured means the person who is the subject of personal insurance or for whom the damage insurance is valid, and this definition can, in the opinion of the Administrative Court, be used as a starting point for interpretation also when applying Section 6, Subsection 1, Clause 1 of the Data Protection Act. According to the wording of the mentioned legal section, it is not justified to interpret the concept of the insured in such a way that it would also cover the applicant for insurance before the conclusion of the insurance contract, which interpretation is also supported by the preambles concerning section 2, subsection 1, point 5 of the Insurance Contracts Act. There is no reason to evaluate the matter differently because of the point brought up by the appellant in his appeal, that the concept of the insured has not been used completely consistently in all the provisions of the Insurance Contracts Act. There is no reason to evaluate the matter differently either because, according to the complaint, the interpretation deviates from the previously followed practice or because consent as a basis for processing is not without problems. There is no support for the interpretation that the legislature intended to extend the concept of insured to apply to the applicant for insurance, or that this was considered necessary in order to determine the liability determined on the basis of the insured event.
Consequently, the appellant has not been able to process the health information of the applicant for voluntary insurance pursuant to section 6, subsection 1, item 1 of the Data Protection Act before concluding the insurance contract.

Based on the above, the Data Protection Commissioner has been able to consider that the processing of the special personal data groups of the voluntary insurance applicant carried out by the appellant is not in accordance with Article 9 of the General Data Protection Regulation. The Data Protection Commissioner has been able to order the appellant, pursuant to Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation, to bring the processing operations in line with the provisions of Article 9 of the General Data Protection Regulation, when the data controller processes the health data of the applicant for voluntary insurance.

Based on the above, the administrative court considers that there is no reason to change the order issued by the data protection commissioner.

Due to the passage of time, the deadline set in the decisions is changed in the way that appears in the part of the decision. In other respects, the data protection commissioner's decision will not be changed.

Cost

Considering the outcome of the case, it is not unreasonable that the appellant has to bear his own legal costs.

Applied legal guidelines

Those mentioned in the justifications
Act on proceedings in administrative matters § 95 subsection 1

Appeal

This decision may be appealed by appealing to the Supreme Administrative Court, if the Supreme Administrative Court grants permission to appeal.

The notice of appeal is attached (HOL appeal permit 30).