Helsingin hallinto-oikeus (Finland) - 5398/2023: Difference between revisions

From GDPRhub
(Created page with "{{COURTdecisionBOX |Jurisdiction=Finland |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Helsingin hallinto-oikeus (Finland) |Court_Original_Name=Helsingin hallinto-oikeus (Finland) |Court_English_Name=Administrative Court of Helsinki |Court_With_Country=Helsingin hallinto-oikeus (Finland) (Finland) |Case_Number_Name=5398/2023 |ECLI= |Original_Source_Name_1=Helsingin hallinto-oikeus |Original_Source_Link_1=https://gdprhub.eu/index.php?title=File:Helsin...")
 
mNo edit summary
 
(One intermediate revision by the same user not shown)
Line 4: Line 4:
|Court-BG-Color=
|Court-BG-Color=
|Courtlogo=Courts_logo1.png
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=Helsingin hallinto-oikeus (Finland)
|Court_Abbrevation=Helsingin hallinto-oikeus
|Court_Original_Name=Helsingin hallinto-oikeus (Finland)
|Court_Original_Name=Helsingin hallinto-oikeus (Finland)
|Court_English_Name=Administrative Court of Helsinki
|Court_English_Name=Administrative Court of Helsinki
|Court_With_Country=Helsingin hallinto-oikeus (Finland) (Finland)
|Court_With_Country=Helsingin hallinto-oikeus (Finland)


|Case_Number_Name=5398/2023
|Case_Number_Name=5398/2023
Line 64: Line 64:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=fred
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Fred fred]
|
|
}}
}}
Line 73: Line 73:


=== Facts ===
=== Facts ===
The Finnish Motor Insurers' Centre (the controller) had asked the Administrative Court of Helsinki (the Court) to overturn the Finnish DPA's decision, according to which the controller had been fined €52,000 for processing and requesting unnecessary patient information from healthcare providers.
The Finnish Motor Insurers' Centre (the controller) had asked the Administrative Court of Helsinki (the Court) to overturn [[Tietosuojavaltuutetun toimisto (Finland) - 4431/161/21|the Finnish DPA's decision]], according to which the controller had been fined €52,000 for processing and requesting unnecessary patient information from healthcare providers.


The controller filed the appeal claiming that it could not determine in advance whether certain information was necessary to settle a claim. The controller considered that under [https://www.finlex.fi/fi/laki/ajantasa/2016/20160460#L7P82 Section 82 of the Finnish Motor Liability Insurance Act], various information could be considered necessary, and therefore it had to process information other than that directly related to the traffic accident.
The controller filed the appeal claiming that it could not determine in advance whether certain information was necessary to settle a claim. The controller considered that under [https://www.finlex.fi/fi/laki/ajantasa/2016/20160460#L7P82 Section 82 of the Finnish Motor Liability Insurance Act], various information could be considered necessary, and therefore it had to process information other than that directly related to the traffic accident.

Latest revision as of 13:55, 21 March 2024

Helsingin hallinto-oikeus - 5398/2023
Courts logo1.png
Court: Helsingin hallinto-oikeus (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 25(2) GDPR
§ 82 Motor Liability Insurance Act
Decided: 02.10.2023
Published: 02.10.2023
Parties: The Finnish Motor Insurers' Centre
National Case Number/Name: 5398/2023
European Case Law Identifier:
Appeal from: Tietosuojavaltuutetun toimisto (Finland)
4431/161/21
Appeal to: Pending appeal
Korkein hallinto-oikeus (Finland)
Original Language(s): Finnish
Original Source: Helsingin hallinto-oikeus (in Finnish)
Initial Contributor: fred

The Administrative Court of Helsinki overturned a DPA decision, by which the Finnish Motor Insurers' Centre was fined €52,000 for processing and requesting unnecessary patient information from healthcare providers.

English Summary

Facts

The Finnish Motor Insurers' Centre (the controller) had asked the Administrative Court of Helsinki (the Court) to overturn the Finnish DPA's decision, according to which the controller had been fined €52,000 for processing and requesting unnecessary patient information from healthcare providers.

The controller filed the appeal claiming that it could not determine in advance whether certain information was necessary to settle a claim. The controller considered that under Section 82 of the Finnish Motor Liability Insurance Act, various information could be considered necessary, and therefore it had to process information other than that directly related to the traffic accident.

The controller argued that it must evaluate both facts in favour of liability for damages and facts directly or indirectly against it, as well as other information necessary to assess the credibility of the evidence. In the controller's view, healthcare professionals would not ultimately be in a position to assess the legal question of what information is necessary to settle a claim.

Holding

The Court noted that much of the injured party's health data may be necessary to assess the contribution of another injury to the occurrence of the relevant injury. Consequently, other health-related information necessary to settle a claim may sometimes be needed long before the traffic accident.

In this respect, the Court considered that the information relating to healthcare appointments must, in principle, be considered as information necessary to establish the causation of the injury in order to settle a claim. Thus, the tasks related to the assessment of the claim belong to the core tasks of the insurance company and cannot be transferred, even partially, to the responsibility of the healthcare provider.

The Court stated that the investigation carried out by the DPA could not be considered sufficient to prove that the controller had systematically collected and processed more information than it was entitled to do under Section 82 of the Finnish Motor Liability Insurance Act. The Court also found that the DPA had not specified with sufficient precision what the unnecessary information could be.

In light of this, the Court held that there was no reason to believe that the controller had systematically requested too extensive medical records or processed unnecessary patient information. The Court therefore concluded that the controller had not acted contrary to the principles of fairness or data minimisation, or to the requirements of data protection by design and default. As a result, the Court overturned the contested decision and removed the administrative fine imposed on the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

HELSINKI ADMINISTRATIVE COURT DECISION

02.10.2023

5398/2023

ID number 365/03.04.04.04.01/2022

Case A complaint regarding a data protection case

Appellant Liikennevakuuskuskeskus

Decision to be appealed

Data protection commissioner and sanctions panel 16.12.2021 dnro 4431/161/21, which has been corrected by the decision of 21.12.2021

On March 20, 2017, a case was initiated in the Data Protection Commissioner's office, in which the initiator stated that, in his opinion, the Motor Insurance Center has obtained more information from health care than was necessary to resolve the compensation case. In connection with the processing of this individual case, the data protection commissioner's office has also investigated the systematic operation of the Motor Insurance Agency (the data controller) when it requests patient data from the health service for the processing of the compensation case. This decision of the Data Protection Commissioner concerns the systematic operation of the Motor Insurance Agency.

In its decision under appeal, the Data Protection Commissioner has considered that the data controller has not complied with Article 5, paragraph 1, subparagraph a (reasonableness of processing), Article 5, paragraph 1, subparagraph c (minimization of data) and Article 25, paragraph 2 (built-in and default data protection) of the General Data Protection Regulation.

The Data Protection Commissioner has given the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to comply with the principle of data minimization, the principle of reasonableness and the obligation regarding built-in and default data protection when acquiring patient data, and to bring the processing operations into compliance with data protection regulations.

The Data Protection Commissioner has given the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to comply with the principle of data minimization, the principle of reasonableness and the obligation regarding built-in and default data protection when acquiring patient data, and to bring the processing operations into compliance with data protection regulations.

The Data Protection Commissioner has given the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to comply with the principle of data minimization, the principle of reasonableness and the obligation regarding built-in and default data protection when acquiring patient data, and to bring the processing operations into compliance with data protection regulations.

The Data Protection Commissioner has presented the following as reasons for his decision, among other things:

Section 82 of the Motor Insurance Act provides for the right of access to information for the insurance company and the Motor Insurance Agency. Based on the report obtained in the matter, the registrar has interpreted the regulation of the Motor Insurance Act in its operation in such a way that the Liikennevakuustuskeskus can, as a general rule, ask the registrar of patient documents to provide it with the full extent of the patient document entries of the claimant instead of a statement. However, the legal provision cannot be interpreted as entitling to direct access to all patient document entries, but access to information must be necessary in accordance with section 82, subsection 3. Therefore, the collected information should always be limited to what is necessary for solving the compensation case. The intention of the legislator can be considered to have been to limit the Motor Insurance Agency's right to access information to the information assessed and identified as necessary on a case-by-case basis.

The obligations according to the General Data Protection Regulation require that the information acquired in order to resolve the compensation case be limited to only the information necessary for the purpose of processing. In order to comply with the minimization principle and the obligations regarding built-in and default data protection, the entity receiving personal data must endeavor to limit the requested data appropriately, delete unnecessary data if such data is disclosed to it, and ensure that the measures related to the processing of personal data in question are structured in such a way that only personal data necessary for the purpose of processing are processed.

In the report received in the matter, the Liikennevakuutuskeskus has said that collecting visit notes in its entirety is its usual way of working. Requesting the entire visit records cannot be considered a legal starting point for collecting data for the basis of a compensation decision, because in doing so, the insurance company inevitably collects, in addition to the necessary data, personal data that does not belong to it by law. On the other hand, the necessity of obtaining information cannot be justified by the need brought up by the data controller to go through the texts in order to find out whether there is anything relevant in the entries, or to ensure that the party providing the information has not knowingly or through lack of understanding omitted to provide information. The task of the registrar of patient data registers - not the insurance company - is to screen the necessary information before handing it over to the insurance company.

In the data protection commissioner's report to the office, the controller has also justified his procedure by the fact that, according to its experience, treatment facilities bill insurance companies for visits that are not related to the investigation or treatment of a traffic injury. However, billing issues between the care facility and the insurance company must be resolved by means other than the systematic, large-scale collection of patient data.

The Data Protection Commissioner considers it justified that the information should be requested and disclosed primarily in the form of a statement. Such a method of operation is in accordance with the principle of minimizing personal data and protects the patient's privacy, for example, in a situation where the visit logs contain information other than what is clearly necessary for processing the compensation case.

According to the report obtained in the case, presenting extensive information requests for patient document entries has been a systematic method of operation of the registrar, which the registrar has deemed justified based on the regulation of the Motor Insurance Act. In acting in this way, however, the data controller has not taken into account the data limitation requirements contained in the Motor Insurance Act, and the controller's method of operation is not compatible with the requirements of Article 5(1)(a), Article 5(1)(c) or Article 25(2) of the General Data Protection Regulation.

In its decision under appeal, the Sanctions Board of the Office of the Data Protection Commissioner has imposed an administrative sanction fee of 52,000 euros on the Motor Insurance Center based on Article 58, Section 2 Subsection i and Article 83 of the General Data Protection Regulation.

Claims presented in the appeal

The decisions under appeal or at least the penalty payment decision must be annulled. Secondarily, the penalty payment decision must be changed so that the administrative penalty payment becomes 1,000 euros or another euro amount significantly lower than the current payment. At the very least, the matter must be returned to the data protection commissioner's office to be processed again. In any case, the office of the Data Protection Commissioner must be obliged to reimburse the Finnish Transport Insurance Agency's legal and litigation expenses with legal interest.

The matter at hand has great principled importance. It's not just about the Transport Insurance Center. If the right of access to information is restricted or, as proposed by the Data Protection Commissioner, only the treatment unit is assigned the task of assessing the extent of material that is "necessary" in terms of tort law, the processing of all compensation applications will become significantly more burdensome than it is now and less secure in terms of the legal protection of the insured.

The decisions have been made in an illegal procedure, because the processing by the data protection commissioner's office has lasted almost five years, and the requests for clarification and the decisions of the entire case have been, in their essential parts, given to the Motor Insurance Center for information during vacations or holidays, even though Section 21 of the Constitution, Sections 6 and 23 of the Administrative Act and the principles of good administration require that matters will be processed without undue delay and within a reasonable time, and the principles of proportionality and appropriateness will be followed in the investigation, so that the legal protection of the party concerned is not unnecessarily hindered.

The Office of the Data Protection Commissioner has assumed that the collection of patient visit records in their entirety is a standard way of working for the Motor Insurance Agency. In reality, the Finnish Transport Insurance Agency only processes a minority of cases in this way, when there are case-specific grounds for doing so, and even then it does not request information in its entirety, but only in parts relevant to the accident, i.e. the treatment of the injury and the notes of related investigations. The person handling the case evaluates what materials are requested in the light of the facts of the case. If necessary, the handler consults a lawyer or a medical expert of the Transport Insurance Center on the scope of the required report and evidence. Basically, according to its standard models, the Motor Insurance Center only asks for the following: "copies of medical records related to the injury from [relevant date]". Only if, based on this material, there is a need for a broader examination of the case, the person handling the case can request more extensive material. The data protection commissioner's office has not even evaluated the facts related to these concretely, but only through general assumptions. In the decisions, it has not been shown at the level of identified facts that Liikennevakuutuskeskus has concretely acted illegally in any way or what this illegality has concretely been. As such, it is true that as part of the overall investigation of the case, the data protection commissioner's office has previously also issued one decision concerning a specific person. However, the decisions under appeal are not tied to the previous decision in question or to its facts.

Regarding the violation, the data protection commissioner has only invoked general principles and, in addition, has ordered the Motor Insurance Agency to only generally comply with the general data protection regulation and some of its general principles, even though the principle of legality requires that sanctions be tied to a procedure that violates the rules, not general principles, and even though Sections 44 and 45 of the Administrative Law require that the decision clearly states the reasons for the decision and what the party concerned is obliged to do. The obligation to comply with the general principle cannot be considered a clear, well-defined or enforceable provision.

The decisions are based on an incorrect interpretation of necessity and the entity responsible for the necessity assessment. Necessity must be assessed primarily in relation to determining the insurance company's compensation liability. The extent of the required medical examination varies from case to case and depends on, for example, the quality and severity of the personal injury and the other health condition of the injured party. Necessary material is not only limited to medical reports, but also applies to original data. Liikennevakuutuskeskus makes a legal necessity assessment as the controller of the processing operations in question. The expertise of the treatment unit is primarily medical, not tort law. Health care professionals would ultimately not know how to assess the legal question of which information is relevant to resolve tort liability.

In the light of the regulation of damage compensation and insurance law, the principles of good administration, the legal protection requirements according to § 21 of the Constitution and the real facts affecting the case, the Motor Insurance Center must have the right to receive and familiarize itself with all the evidence of the case and assess its relevance to the claim for compensation. In this way, necessary information can be both facts in favor of and against liability for compensation, as well as so-called evidentiary facts related to these, i.e. facts related to the existence of other facts. The General Data Protection Regulation does not change these general principles of damages and procedural law. It is not possible to definitely define in advance whether a certain piece of information is necessary or not, because this is only resolved in its full legal context when processing a claim for compensation.

Section 82, subsection 1, point 3 of the Motor Insurance Act provides the insurance company and the Motor Insurance Center with extensive access to information, including health information. Section 82 of the Motor Insurance Act is not only limited to separately prepared medical reports, but also applies to other information in patient documents. However, the right of access to information is limited by section 82, subsection 3 of the Motor Insurance Act, according to which the right of access to information requires that the information is necessary for the resolution of the insurance or compensation case under consideration or otherwise necessary for the performance of the duties stipulated in this law. However, it is clear from the examples of the preliminary works of the legal section that a fairly wide range of information can be considered necessary in this way, and the right to information therefore also applies to information and medical reports other than those directly related to the accident.

Necessity is assessed in relation to the assessment of the liability of the insurance company or the Transport Insurance Agency. It is therefore not a question of whether obtaining information is necessary or desirable from the point of view of the person himself, for example, but rather whether obtaining information is necessary in order to assess the insurance company's compensation liability. It is also necessary to evaluate both the facts in favor of liability for compensation and those that speak directly or indirectly against it, as well as other information needed to evaluate the credibility of the evidence.

In any case, the penalty fee cannot be considered necessary at all, taking into account the procedure and position of the Motor Insurance Agency, and its amount must be considered excessive, taking into account the points referred to in Article 82, paragraph 3 of the General Data Protection Regulation.

Case handling and investigation

In its statement, the Office of the Data Protection Commissioner has stated, among other things, that if the administrative court considers that the question of the interpretation of the General Data Protection Regulation is unclear in the case, the administrative court must submit a preliminary ruling request to the Court of Justice of the European Union to ensure uniform application of European Union law.

The complaint filed in the Office of the Data Protection Commissioner in 2017 concerned a case in which the Finnish Transport Insurance Agency had collected all the patient document entries regarding the psychotherapy discussions of a person who had been involved in a traffic accident, over the course of several years of therapy. The information had not been screened by health care or the Motor Insurance Agency, and the Motor Insurance Agency considered all information necessary for handling the compensation case. On August 24, 2020, the Motor Insurance Center has been asked to clarify whether it is a question of its systematic way of operating when it obtains information from health care for the basis of a compensation case. In its statement on August 31, 2020, the Motor Insurance Center has stated that similar activities are still usual for it.

The Motor Insurance Center has stated in its report on October 12, 2020 that it normally requests patient visit records from the health care to ensure that the health care has not billed the Motor Insurance Center for a visit other than a compensation matter. The intention of the legislator cannot be considered to have been that the insurance company would collect and review patient reports to ensure that the health care does not bill it for visits other than those necessary due to the traffic accident case, or otherwise collect information other than necessary.

When it is necessary for the insurance company to obtain excerpts from the patient's records, the entity responsible for the patient's care can look in particular at which information is not related to the treatment related to the compensation case, as well as evaluate the extent and content of the visit records to be handed over against the requirement of necessity.

The procedure presented in the complaint, where the health care does not screen patient data before handing it over to the Motor Insurance Center, but where the Motor Insurance Center reviews the data itself, cannot be considered in accordance with Section 82 of the Motor Insurance Act, Article 5(1)(c) or Article 25(2) of the General Data Protection Regulation. On the other hand, when operating in accordance with the procedure presented by the Motor Insurance Center, other than necessary information ends up, and the Motor Insurance Center's right of access to information does not extend to this information. A procedure in which the health care does not screen patient data before handing it over to the insurance company, or where the health care performs the screening incompletely, is already fundamentally against data protection regulations.

When the Motor Insurance Agency processes health data, the starting point must be that the data subject can expect that his health data will be processed in accordance with the confidentiality regulations related to patient documents, and the Motor Insurance Agency will not process data other than necessary, for example to ensure the correctness of invoicing. During the visit, the patient must also be able to discuss with the healthcare professional about matters other than those related to the claim for compensation made to the insurance company, without the information about these matters going to the insurance company. Based on the registered legislation, it cannot be assumed that other than necessary information regarding the compensation matter ends up being used by the insurance company.

The Transport Insurance Center has issued a counter-explanation. In addition to what was stated earlier, the decisions have been made in an illegal procedure, because according to its statement, the data protection commissioner's office has, in order to resolve the case and to assess the liability of the Motor Insurance Agency, received reports from the Ministries of Social Affairs and Health and partly from the Patient Insurance Agency, regarding which it has not consulted the Insurance Agency.

In its statement, the Office of the Data Protection Commissioner is surprised by the fact that the Motor Insurance Center stated on 12 October 2020 that it requests visit records to ensure that the health care has not billed for a visit other than a compensation matter. In these situations, it is about the injured person demanding compensation for the treatment event in question. In order for the care event to be covered by the motor insurance, it must of course be causally connected to the damage event according to the principles of tort law. The Motor Insurance Center has the right to receive information about the medical event for which compensation is required.

The Motor Insurance Center makes a specific request to the health care unit. The case in question and its facts guide the content of the request. It is the responsibility of the health care unit to assess which information corresponds to this request. It is not that the Motor Insurance Center requests all the patient's information in general, but that the Motor Insurance Center requests information related to a specific matter in different, if necessary, case-specific formats.

The Office of the Data Protection Commissioner has submitted a statement regarding the counter-explanation, which has been sent to the Transport Insurance Center for information.

Administrative law solution

The administrative court rejects the data protection commissioner's request for a preliminary ruling.

The administrative court rejects the appeal with regard to the grounds of appeal regarding procedural errors.

The Administrative Court annuls the decisions under appeal and removes the fine imposed on the Transport Insurance Centre.

The administrative court obliges the data protection authorized office to compensate the legal costs of the Motor Insurance Agency with 18,000 euros, including default interest. The default interest is determined according to the interest rate referred to in Section 4 of the Interest Act, starting from when one month has passed since the decision of this administrative court was issued. The administrative court mostly rejects the claim regarding court costs.

Reasoning

Request for a preliminary ruling

According to Article 267 of the Treaty on the Functioning of the European Union (TFEU), the Court of Justice of the European Union has the authority to issue preliminary rulings on, among other things, the interpretation of the Treaty and the act of the Union institution. It appears from the jurisprudence of the Court of Justice of the European Union that it is not necessary to make a request for a preliminary ruling as referred to in Article 267 TFEU if there is no real doubt in the national court about the possibility of applying the existing jurisprudence of the Court of Justice to the case or if it is completely clear how Union law must be properly applied in the situation in question.

Taking into account the reasons for the decision of the administrative court that appear below, no question regarding the interpretation of Union law has arisen in the case, which would make it necessary to submit a request for a preliminary ruling.

Grounds for appeal regarding mishearing

According to Section 34, subsection 1 of the Administrative Law, before the case is resolved, the party involved must be given an opportunity to state his opinion on the matter and to give his explanation of such demands and explanations that may affect the resolution of the case.

The Finnish Transport Insurance Agency has considered a hearing error in the case, because the data protection commissioner's office has received reports from the Ministries of Social Affairs and Health and the Patient Insurance Agency, regarding which it has not consulted the Finnish Transport Insurance Agency. The Office of the Data Protection Commissioner has stated that the decisions were not based on the aforementioned information, but rather on the considerations presented in the statement given to the Administrative Court.

In the case, there has been no reason to consider that the reports in question would have been the kind of reports obtained by the data protection commissioner or the sanctions panel before the decision was made, and the Motor Insurance Center should have been consulted about them. In its counter-explanation, the Finnish Transport Insurance Agency was able to state what was presented in the statement of the Data Protection Commissioner's Office in these respects as well. Consequently, there has been no hearing error in the case, which is why the decisions should be overturned and the case returned to the data protection commissioner for further processing.

Other appeal grounds apply to the procedure

The Norwegian Motor Insurance Center has considered that when taking into account the substantial delays in the processing of the case and the almost systematic way of the data protection authorized office scheduling the measures in connection with the holiday season, the decisions must be considered to have been made in an illegal procedure in such a way that the decisions must be annulled.

The Administrative Court states that the requirement according to Section 23, subsection 1 of the Administrative Law, that the case be processed without undue delay, is not in itself one, due to the neglect of which the decision can be considered to have been made in an illegal procedure, so that it should be annulled. The law also does not stipulate that the authority cannot notify statements and other requests in connection with the holiday season. Consequently, the decisions have not been made in an illegal procedure in such a way that they should be annulled based on a procedural error.

Issue

Applicable legal guidelines and law preparation material

According to Article 5(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of this data and repealing Directive 95/46/EC (General Data Protection Regulation), the following requirements must be met with respect to personal data, among others: a) they must be processed lawfully, properly and transparently from the point of view of the data subject ("lawfulness, reasonableness and transparency"); c) personal data must be relevant and relevant and limited to what is necessary in relation to the purposes for which it is processed ("data minimization");

According to Article 25, paragraph 2 of the General Data Protection Regulation, the controller must implement appropriate technical and organizational measures to ensure that by default only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. With the help of these measures, it must be ensured in particular that personal data is not, by default, made available to an unlimited number of people without the contribution of a natural person.

According to Section 82, Subsection 1, Clause 3 of the Motor Insurance Act, the insurance company has the right, notwithstanding the obligation of confidentiality and other restrictions on access to information, to obtain from a doctor and other professionals referred to in the Act on Health Care Professionals, the health care operational unit referred to in Section 2, Clause 4 of the Act on the Status and Rights of the Patient, the injured party statements and other information about patient documents, health status, work capacity, treatment and rehabilitation prepared by the body implementing rehabilitation, other health care operations unit and social service provider or treatment facility. According to subsection 3, the insurance company's right to access information referred to in subsection 1 above requires that the information is necessary for the resolution of the insurance or compensation case under consideration or is otherwise necessary for the performance of the duties stipulated in this law.

In the government's proposal regarding the Motor Insurance Act (HE 123/2015 vp), it is stated in the detailed justifications for section 82, subsection 1, that in order to decide on compensability and determine the amount of compensation, accurate information is needed, among other things, on the injuries caused to the injured party, the treatment measures caused by them, and limitations on work ability. Information about the injured party's health other than the immediate consequences of the traffic accident is necessary when assessing the contribution of another injury or illness to the occurrence of the personal injury or the effect of the personal injury on the reduction of work ability. These other health-related information, which are necessary for solving the compensation case, can sometimes be needed for a long time before the traffic accident, in some cases even for the entire lifetime of the injured party. The right of access to information according to the proposed section would include not only medical reports drawn up for applying for compensation, but also other necessary information, such as medical reports, examination results and expert reports regarding rehabilitation. Also based on this section, the right of access to information would be limited to information necessary for the individual case in order to carry out the tasks referred to in section 1, which is why efforts should be made to identify the information.

In the detailed justifications of the mentioned board's proposal, it has been further stated with regard to subsection 2 (now subsection 3) of the same section that the right to access information would require that the information be necessary to resolve the compensation case at hand. In the current law, the right of access to information applies to information necessary for the performance of tasks stipulated in the Motor Insurance Act. In contrast to the current law, the right of access to information would focus on necessary information, as the information needed by insurance companies cannot be exhaustively specified, as it should be possible to do in the case of necessary information as required by the Constitutional Law Committee's statements (PeVL 14/2002 vp, PeVL 30/2005 vp). The insurance company should try to identify the information it needs as far as possible. In order to decide on compensability and determine the amount of compensation, you need accurate information about, for example, the injuries suffered by the injured party, the treatment measures caused by them, and the limitations of work ability. Information about the injured person's health other than the immediate consequences of the traffic accident is necessary when assessing the contribution of another injury or illness to the occurrence of the personal injury or the effect of the personal injury on the reduction of work ability. These other health-related information, which are necessary for solving the compensation case, can sometimes be needed for a long time before the traffic accident, in some cases even for the entire lifetime of the injured party.

Question formulation

The Data Protection Commissioner has considered that, according to the report received in the case, submitting extensive information requests for patient document entries has been a systematic method of operation of the Motor Insurance Agency, and that the Motor Insurance Agency, as the registrar, has therefore not complied with the data limitation requirements included in the Motor Insurance Act, and Article 5, Section 1, subparagraphs a and c of the General Data Protection Regulation and 25 Article 2, i.e. the requirements of processing reasonableness, data minimization and built-in and default data protection. The Data Protection Commissioner has especially considered that requesting the entire visit record is not a legal starting point for collecting data on the basis of a compensation decision, because in doing so, the insurance company inevitably collects, in addition to necessary data, personal data that does not belong to it by law. The Data Protection Commissioner has deemed it justified that the information should be requested and disclosed primarily in the form of a statement.

The decision under appeal is based on a report given to the Data Protection Commissioner by the Finnish Transport Insurance Agency. Therefore, the administrative court has to assess whether, based on the report provided by the Motor Insurance Agency, it can be considered that the Motor Insurance Agency has not complied with the requirements of the General Data Protection Regulation regarding the reasonableness of processing, data minimization and built-in and default data protection.

The statement given by the Finnish Transport Insurance Agency to the Data Protection Commissioner

In its report on August 31, 2020, which was issued as a result of a complaint initiated in 2017, the Motor Insurance Center has stated that the reimbursement of medical treatment and rehabilitation costs requires attendance records of treatment and examination visits. The information is necessary so that the Motor Insurance Center can assess, among other things, the effectiveness of the treatment and whether the need for treatment is due in whole or in part to factors independent of the traffic accident. Insufficient information for the assessment of compensation liability leads to no compensation being paid. In terms of motor insurance claim processing, it is essential that the insurance company has an understanding of the claimant's overall state of health, which includes all factors that may affect the claimant's ability to work or function. This is because the traffic insurance covers only the part of the reduced work and functional capacity caused by the traffic accident. Therefore, it is necessary that the medical report also reveals illnesses or injuries unrelated to the traffic accident that limit the claimant's right to compensation from the traffic insurance.

The question of what constitutes a relevant statement of health in terms of compensation processing is a matter of insurance law. For example, in the case of brain injuries, it is often necessary to find out to what extent the claimant's psychological or neuropsychological symptoms are due to an organic brain injury and to what extent to psychological factors independent of the brain injury. The Motor Insurance Center has stated, based on the questions raised in the clarification request, that similar activities are still usual in data collection at the Motor Insurance Center and in other insurance companies engaged in motor insurance. In compensation activities carried out under the Motor Insurance Act and the Work Accidents and Occupational Diseases Act, medical reports are, as a rule, patient documents. Separate medical reports are only requested if it is necessary for the compensation process.

The Motor Insurance Center has further stated in its additional report of 12 October 2020, which was issued as a result of a complaint initiated in 2017, that in personal injury compensation processing, the medical assessment of the case is based, as a rule, on medical documents drawn up about the claimant. Without the aforementioned documentation, it is impossible to process the claim and pay compensation. In compensation processing for traffic injuries, an overall picture of the claimant's health is needed, not just the limitations caused by the traffic accident injury. The documentation regarding the state of health must be comprehensive enough for the Motor Insurance Center to be able to fulfill its statutory obligations regarding claims handling. The content and structure of patient documents are precisely defined in legislation. Therefore, in principle, it can be assumed that the patient documents have been recorded objectively and to a sufficient extent, among other things, for each patient's service event, the totality of which must show the reason for the result, background information, current status, observations, examination results, problems, diagnosis of disease or health risk, conclusions, treatment planning, implementation and follow-up , the course of the disease and the final statement. On the other hand, there are no regulations regarding the content or structure of a separate statement prepared for the motor insurance company, which means that there is no certainty about the content or quality of the statement. Practice has shown that, unfortunately, the statements prepared for the insurance company are only copied verbatim from the entries made in the patient documents, or essential information from the patient documents that has been relevant for the compensation case has been left or omitted.

Health care professionals do not, and do not need to know, the statutory motor insurance claim processing and benefits legislation in such a way that they would be able to assess which part of the information contained in the patient documents is essential for solving the claim case. Separate statements rarely have added value in compensation processing and are therefore often unnecessary. A separate statement prepared for insurance companies (so-called E-statement) is only requested if it is considered necessary on a case-by-case basis. The separate statements prepared for the insurance company are not sufficient reports on the state of health on their own.

Furthermore, it has been stated in the report that information is collected only to the extent that it is necessary for compensation processing. To be reimbursed from motor insurance For the requested treatment or examination, visit notes are always requested in principle, if the treatment facility has not provided them on its own initiative, because only on the basis of visit notes can it be assessed whether the invoiced visit is related to a traffic accident or not. Practice has shown that treatment facilities also bill insurance companies for visits that are not related to the investigation or treatment of a traffic injury. The above-mentioned contradiction cannot be clarified other than on the basis of visit records. In addition, under the Motor Insurance Act, the definition of compensation subjects to be evaluated ex officio requires information obtained from patient documents. Insofar as the Motor Insurance Center deems it necessary to exceptionally request visit records other than those related to examination or treatment visits that are sought to be reimbursed from motor insurance, the necessity assessment is always carried out on a case-by-case basis. In accordance with the principle of data minimization, the aim is to identify the information request as accurately as possible considering the circumstances and to limit it to only the information necessary for processing, for example by limiting the temporal scope of the request (from which time period the information is requested) or by specifying which medical specialty records the request applies to.

In the matter in question, the Data Protection Commissioner has now submitted a request for consultation and additional clarification to the Motor Insurance Agency, to which the Motor Insurance Agency has responded on August 12, 2021. The answer states, among other things, that Liikennevakuutuskeskus always follows the principle of data minimization. The obligation of treatment facilities to submit visit records related to the treatment or examination to be reimbursed from motor insurance is based on the law. Requesting information beyond this is exceptional and is based on case-by-case consideration. Even in this case, the Transport Insurance Center does not unnecessarily require attendance records.

Legal evaluation

The Transport Insurance Center processes the health data of the registered persons in order to find out the compensation liability for the traffic damage and to resolve the compensation case. The Motor Insurance Center has the right to receive statements and other information on patient documents, health status, work capacity, treatment and rehabilitation prepared by entities engaged in health and medical care activities pursuant to section 82 subsection 1, paragraph 3 of the Motor Insurance Act. The right of access to information is limited by subsection 3 of the section, according to which the insurance company's right to access information requires that the information is necessary for the resolution of the insurance or compensation case under consideration or is otherwise necessary for the performance of tasks stipulated in the Motor Insurance Act.

It is clear from the mentioned pieces of law and the proposals concerning them that in order to resolve the compensation case, accurate information is needed, for example, about the injuries caused to the injured party, the treatment measures caused by them, and the limitations of the ability to work. Furthermore, in preliminary works, it has been considered that information about the injured party's health other than the immediate consequences of the traffic accident may be necessary when assessing the contribution of another injury or illness to the occurrence of the personal injury or the impact of the personal injury on the reduction of work ability. According to the preliminary works, other information regarding the state of health and necessary for solving the compensation case may sometimes be needed long before the traffic accident.

The Motor Insurance Center has said that it always requests the visit notes related to examination or treatment visits that are applied for reimbursement from motor insurance. In the decision under appeal, it has been considered that, in accordance with the procedure described by the Motor Insurance Agency, other than necessary personal data, to which the right to access information does not extend, is received, and the Data Protection Commissioner has therefore considered the Motor Insurance Agency's procedure to be in violation of the Motor Insurance Act and data protection regulations. However, the decision under appeal does not specify in more detail what this other than necessary information is. The Data Protection Commissioner has considered that the task of the registrar of the patient data registers - not the insurance company - is to screen the necessary information before handing it over to the insurance company. The data protection commissioner has still considered that verifying the correctness of the billing does not entitle access to information, and that the necessary information should primarily be requested in the form of a statement.

The Administrative Court states that the visit notes must be regarded as essential information related to the investigation of the causation in tort and insurance compensation law in order to resolve the compensation case in a situation where compensation is sought specifically for the examination or treatment costs of the visit in question. The tasks related to the consideration of the compensation case therefore belong to the core task of the insurance company and cannot even be partly transferred to the responsibility of the registrar of the patient data registers. If an injury other than a traffic accident has been treated during the visit, this information is also necessary to determine the liability for compensation, because on the basis of the traffic insurance, examination or treatment costs other than those caused by an injury caused by a traffic accident will not be reimbursed. Evaluating whether or not an examination or treatment expense is compensable from the motor insurance is therefore a question that is central to the investigation and resolution of the compensation case, not just a question related to the correctness of the invoicing. In this respect, the decision of the data protection officer is based on an incorrect assessment of which information is necessary information to investigate or resolve the compensation case.

The view presented in the decision under appeal, that the information necessary to resolve the traffic damage compensation case should primarily be requested in the form of a statement, cannot be supported by the provisions of the Motor Insurance Act concerning access to information or their preambles either. In this respect, it has not appeared from the report presented in the case that the Motor Insurance Center would systematically request information other than what is necessary for solving the compensation case from the care providers.

As stated above, it may be necessary for the Motor Insurance Center to make extensive requests for information, among other things, regarding patient document entries, in order to resolve the compensation case. From the report issued by the Motor Insurance Center, it appears that visit notes other than those related to examination or treatment visits for which reimbursement from motor insurance is applied for are requested only exceptionally, and that the necessity assessment is done on a case-by-case basis. Furthermore, the Finnish Motor Insurance Center has stated that in these situations the aim is to identify the request for information as precisely as possible considering the circumstances and limit it to only the information necessary for processing, for example by limiting the temporal scope of the request or by specifying which medical specialty records the request applies to. In the decision of the data protection commissioner under appeal, no individual position has been taken on the extent to which these operating methods presented by the Finnish Transport Insurance Agency have been considered to be in violation of data protection regulations. The Administrative Court considers that the explanation presented in the case cannot be considered sufficient to demonstrate that the Motor Insurance Agency would have systematically collected more information in this respect than it is entitled to pursuant to section 82 subsection 1 clause 3 and subsection 3 of the Motor Insurance Act.

Insofar as the data protection commissioner has referred to the complaint case he had previously resolved in his opinion, the administrative court states that this individual case has not been assessed by the administrative court and otherwise it cannot have a decisive significance when assessing the legality of the Motor Insurance Agency's systematic way of operating.

Result

The Administrative Court states that no grounds have emerged in the case to consider that the Motor Insurance Center would systematically make too extensive information requests for patient document entries, i.e. information requests that ask for information other than what is necessary to resolve the compensation case. The Motor Insurance Center has not been proven to have acted contrary to the data minimization principle in its data processing. Data processing cannot be considered unreasonable either. When the Motor Insurance Center has not been shown to have acted contrary to the principles of data minimization or unreasonableness of processing, the Motor Insurance Center cannot be considered to have acted contrary to the requirements of built-in and default data protection either. The decisions under appeal must therefore be annulled and the fine imposed on the Transport Insurance Center removed. After the decisions have been annulled on this basis, the statement about the grounds for appeal regarding the penalty payment expires.

Cost

According to Section 95(1) of the Law on Legal Proceedings in Administrative Matters, the party to the proceedings is obliged to reimburse the other party's legal costs in whole or in part, if, especially taking into account the decision in the case, it is unreasonable for the latter to have to bear their own legal costs. According to subsection 2, when assessing the reasonableness of the obligation to compensate, the legal ambiguity of the case, the actions of the parties and the importance of the case for the interested party can also be taken into account.

The Motor Insurance Center has demanded compensation for its legal costs for 79 hours for a total of 45,089.13 euros with legal interest.

The Administrative Court considers that, taking into account the decision in the case, it would be unreasonable for the Motor Insurance Center to be fully responsible for its own legal costs. Despite the opportunity reserved for it, the office of the Data Protection Commissioner has not commented on the amount of court costs. Taking into account the quality and scope of the case, the number and content of the parties' pleadings, and the fact that the administrative court has rejected some of the grounds for appeal, the administrative court considers 18,000 euros to be a reasonable amount of court costs. The administrative court obligates the claim, rejecting the data protection authorized office, to compensate the legal costs of the Transport Insurance Center with the said amount, together with interest on late payment stipulated in the Interest Act.