Tietosuojavaltuutetun toimisto (Finland) - 3216/452/17

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(c) GDPR; Article 9 GDPR; Article 9(1) GDPR; Article 9(2)(a) GDPR; Article 9(2)(g) GDPR; Article 25(2) GDPR; Article 58(2)(d) GDPR; § 6(1)(1) Data Protection Act
Type: Investigation
Outcome: Violation Found
Started: 17.10.2017
Decided: 08.06.2022
Published: 07.07.2022
Fine: n/a
Parties: LähiTapiola Keskinäinen Henkivakuutusyhtiö
National Case Number/Name: 3216/452/17
European Case Law Identifier: n/a
Appeal: Appealed - Confirmed (Helsingin hallinto-oikeus (Finland), 116/2024)
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The Finnish DPA found a life insurance company to have breached Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 9 GDPR and Article 25(2) GDPR for not having a legal basis to process the health data of life insurance applicants and for processing the data unnecessarily.

English Summary

Facts

The Finnish DPA had asked the controller (LähiTapiola Keskinäinen Henkivakuutusyhtiö, a life insurance company) to explain on which legal basis and for what purpose it processed data subjects' health data requested from health care units. The controller was also asked to explain how it processed personal data before the execution of an insurance contract, and how it ensured that it did not process unnecessary personal data.

In response to the request, the controller clarified that it processed data subjects' health data for the performance of an insurance contract in accordance with Article 6(1)(b) GDPR. In addition, the processing was based on Section 6(1)(1) of the Finnish Data Protection Act, according to which insurance institutions may, despite the general prohibition in Article 9(1) GDPR, process the health data of the insured party and the claimant, which is necessary to determine the liability of the insurance institution.

The controller stated that it asked all data subjects applying for life insurance for their consent to the controller requesting, if necessary, health data from health care units in order to determine the scope of the insurance coverage and the amount of the insurance premium, as well as whether the insurance can be granted at all.

The controller also stated that it only requested health data necessary for the execution of the insurance contract. The necessity of the health data depends on the insurance product and is generally requested for the five years preceding the insurance application. The controller emphasised that the health data received from data subjects or health care units is almost always relevant in terms of the insurance contract.

Holding

On the basis of the information provided by the controller, the DPA emphasised that Section 6(1)(1) of the Finnish Data Protection Act, which is based on Article 9(2)(g) GDPR, applies only to the processing of the personal data of insured parties and claimants. The DPA considered that the insurance contract has not yet been concluded at the insurance application stage, and the provisions of the Finnish Data Protection Act cannot be extended to a data subject applying for insurance. Therefore, Section 6(1)(1) of the Finnish Data Protection Act cannot be applied to the processing of health data of insurance applicants and to requesting their health data from health care units.

The DPA stated that the consent requested by the controller concerned an unspecified set of health data stored in the patient information systems of various health care units. The data subjects could not control whether their personal data was processed or not or for what purposes it was processed. Thus, the consent requested by the controller was not sufficient to fulfil the requirements for the processing of special categories of personal data according to Article 9(2)(a) GDPR.

The DPA also stated that data subjects deal with health care units for many different reasons, and not all information is relevant for determining the risk and liability of insurance companies. The DPA considered that it was against the principles of fairness, data minimisation and data protection by default that the controller requested health care units to disclose all the health data concerning the data subject. Therefore, the controller must be able to demonstrate that it only requests such health data that is necessary for determining its liability.

On the basis of the information gathered, the DPA held that the controller had violated Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 9 GDPR and Article 25(2) GDPR. As a result, and in accordance with Article 58(2)(d) GDPR, the DPA ordered the controller to assess the time period for which it is necessary to request health data and to bring its processing operations into compliance with the provisions of the GDPR.

Comment

The Finnish DPA has issued similar decisions against two other insurance companies in cases 4680/182/18 and 7285/183/18.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Decision of the Data Protection Commissioner

Matter

Requesting a data subject's health status information from a health care unit in connection with the assessment of the insurance company's liability

Controller

Insurance company

Matter to be resolved

On 17 October 2017, the data subject informed the Data Protection Commissioner's office that the controller had requested extensive patient information about the data subject from a health care unit in connection with an application for insurance offered by the controller.

On the health data form of the insurance application, the controller had asked for the data subject's consent to various health care units disclosing the data subject's patient information to the controller. The data subject later cancelled the insurance application and found out from the Omakanta service that, on the basis of that authorisation, the controller had requested all of the data subject's health information from the health centre. However, the health centre had not disclosed the information to the controller.

The data subject asked the Data Protection Commissioner's office to assess the matter, because in the data subject's view it is not appropriate that the authorisation given to the controller on the health data form of the insurance application should mean such extensive access to the data subject's health information.

In 2020 and 2021, the Data Protection Commissioner's office investigated the controller's procedures in situations where the controller requests data on the health status of data subjects from health care units. This decision concerns the controller's systematic and currently used method of operation.

In this decision, the term insurance applicant means not only the actual insurance applicant but also persons for whose illness or death insurance is intended to be taken out, even if they are not insurance applicants themselves.

The Data Protection Commissioner assesses the matter on the basis of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council and the Data Protection Act (1050/2018). The following legal questions have to be resolved:

1) whether the controller processes data subjects' health data, which belongs to the special categories of personal data, in connection with applications for voluntary insurance in accordance with Article 9 of the General Data Protection Regulation; and

2) whether, in processing personal data, the controller complies with Article 5(1)(c) of the General Data Protection Regulation on data minimisation, Article 5(1)(a) on fairness of processing, and Article 25(2) on data protection by design and by default, to the extent that the controller requests health information about the data subject from a health care unit and processes the information it receives in order to determine the insurance company's liability.

When the aforementioned notification concerning the controller was made to the Data Protection Commissioner's office, the Personal Data Act (523/1999) was the general law regulating the processing of personal data. The General Data Protection Regulation has applied since 25 May 2018, and the Personal Data Act was repealed by the Data Protection Act, which specifies the Data Protection Regulation and entered into force on 1 January 2019. Since the subject of this decision is the general operating method implemented by the controller in 2020 and 2021 and still in use, and the processing of personal data carried out by the controller before the entry into force of the General Data Protection Regulation is not the subject of the assessment, the General Data Protection Regulation applies.

Statement received from the controller

The controller was asked for an explanation by requests for clarification dated 26 August 2020 and 2 December 2020. The controller gave written statements on the matter on 30 September 2020 and 13 January 2021.

The process of mapping the insurance company's liability

The controller was asked to explain on what legal basis and for what purpose it processes the information about the data subject that it requests from the health care unit. In addition, the controller was asked to describe its processing process before the execution of the insurance contract.

According to the controller, the insurance in the case brought to the attention of the Data Protection Commissioner's office is a voluntary insurance which always includes insurance in case of death and optionally cover in case of, for example, incapacity for work or serious illness.

According to the controller, obtaining the necessary health information in connection with the insurance application for the purpose of liability selection is essential in personal insurance, because the compensation paid from the insurance is determined by insurance events that happen to the person. The controller's liability limitations under Section 37 of the Insurance Contracts Act (543/1994) can also only be based on this information.

According to the controller, in personal insurance the insured's age and health affect the scope of the insurance cover and the amount of the insurance premium. On the basis of information about age and health, it may also be concluded that insurance cannot be granted at all. An insurance company has no prerequisites for carrying on insurance business if it cannot process the information necessary for liability selection regarding the risks it insures. The controller cannot insure illnesses that the insured already had when applying for insurance. The controller also has the right to refuse to enter into a contract because of the health condition of the insurance applicant, or if the insurance applicant refuses to provide a health report and an authorisation to obtain health information.

The controller states in its report that it processes the health data of data subjects in order to perform the contract (Article 6(1)(b) of the General Data Protection Regulation). In the controller's opinion, the processing of personal data concerning the health status of the data subject is permitted under Section 6(1)(1) of the Data Protection Act in order to determine the liability of the insurance company.

The controller states that, for those of its insurance products where concluding the insurance contract requires medical liability selection, the insurance application includes filling in a health report. In this context, the insurance applicant authorises the controller to request the insurance applicant's health status information from health care units. The controller has delivered to the Data Protection Commissioner's office copies of the short and the extensive health report it uses in connection with the insurance application.

In connection with the health report, the controller asks the insurance applicant for authorisation to request information from health care units (a so-called treatment facility authorisation) in the following way:

"I declare that I agree that the doctors, hospitals, health centres, counselling centres, occupational health care units, mental health offices and private medical institutions that have examined and treated me, as well as other insurance companies and insurance and pension institutions, may give [the controller] the personal information about my health necessary for processing this application and a possible compensation case. In order to obtain the necessary information, [the controller] may hand over to the above-mentioned parties individualised information about my state of health and my insurance. As regards information held by the National Pension Institute, my consent applies only to the information needed to process a compensation case."

The insurance in question is voluntary insurance, which the policyholder may by law cancel at any time. If the insurance is granted, it takes effect from the date the application is submitted. Therefore, if the insurance applicant cancels during the application phase, the cancellation must be made in writing. The health report with the treatment facility authorisation is part of the insurance application, so the authorisation lapses when the insurance applicant cancels the application.

The controller has also stated that before concluding the contract, the insurer has an extensive obligation under the Insurance Contracts Act to provide information on the content and purpose of the insurance. According to the controller's sales model, the seller goes through the process of applying for life insurance with the customer, including filling in the health report and the treatment facility authorisation. As part of fulfilling the information obligation, the customer receives, among other things, the product description and the insurance terms and conditions. The product description states that in order to make an insurance decision the controller always needs information about the insurance applicant's health status in addition to the application, and that the controller receives personal data from the customer, from entities authorised by the customer and from public registers. According to the insurance terms, the insurance is based on the information provided by the insurance applicant about the applicant's state of health.

Information requested by the controller

The controller was asked to clarify what information it requests in the requests for information about the data subject that it sends to health care units in connection with insurance contracts. In addition, the controller was asked to explain how it ensures that it does not process information that is unnecessary for the purpose in each customer's case. The controller was also asked to describe how it proceeds if it has been provided with information that is not relevant to the execution of the insurance contract.

The controller has stated that the insurer needs extensive information about the customer before concluding the insurance contract. The necessary information depends on the insurance product. For example, the Insurance Contracts Act requires certain information to be collected from the customer even before the insurance is offered, and the Act on Preventing Money Laundering and Terrorist Financing (444/2017) requires the collection of statutory information for, among other things, knowing and identifying the customer.

The controller has liability selection principles, which define the risks to be insured and the conditions under which they are insured. Within the controller's organisation, decisions on insurance applications are made on the basis of its own decision guidelines, which are based on the defined liability selection principles. […].

If the execution of the insurance contract requires the insurance applicant to provide a health report, the extent of the information collected in the health report depends on the insurance cover applied for and its level. According to the controller, only health information relevant to the execution of the insurance contract is requested in the health report. If a decision on the application cannot be made on the basis of the insurance application and the health report alone, the application handler assesses, with the help of the controller's decision guidelines, what additional information is needed. Additional information is requested either from the insurance applicant or from health care units.

Information is requested from health care units on a case-by-case basis during the insurance application phase only if it is necessary for the medical liability selection carried out in connection with processing the application. If the answers given by the insurance applicant in the health report are sufficient for liability selection, no treatment facility inquiry is made, and liability selection is carried out on the basis of the information provided by the insurance applicant. […].

If a request for information to a health care unit is necessary in connection with the health report, the requested information is limited to the health status information necessary for processing the insurance application. Information requests are limited in the way defined by the controller. In that case, the treatment facility inquiry asks for copies of medical records or doctor's statements concerning the specified illness, showing the background of the illness, symptoms, examinations or procedures, as well as any previous visits and examination results. As a rule, the information is requested for a defined time interval.

The information request is made in the following way:

"Person X has […] been examined or treated at your treatment facility due to illness Y. In order to process the insurance application, we ask you to provide us with copies of medical records or doctor's reports which show the background information of the aforementioned illnesses, symptoms, examinations or procedures, as well as any previous visits and examination results. We request the above-mentioned information for [specified time period]."

In exceptional cases, where the insured sum applied for exceeds predefined insured sum limits, the controller requires a medical examination of the insurance applicant.

The controller says that, in the case of the data subject who brought the matter to the Data Protection Commissioner's office, the information requested was [...] and the inquiry concerned all visits made to the health care unit, but according to the controller's operating model the information should have been requested separately for each illness affecting liability selection, not information about all visits.

The controller has stated that when ascertaining the insurance applicant's health status for the purposes of the insurance contract, the assessment is always an overall one, on the basis of which it is assessed whether the insurance applicant can, given their health status, be insured with the insurance cover applied for. For this reason, situations rarely arise in which the health information received from the data subject or the health care unit would not be relevant to the purpose of the contract. Nevertheless, it is possible that in an individual case information unnecessary for the purposes of the contract may in retrospect have reached the controller's systems without being detected during processing of the insurance application.

The controller has also pointed out that, because of the policyholder's duty of disclosure under Section 22 of the Insurance Contracts Act and the related provisions on negligence, insurance applicants often want to provide as much information about their health as possible.

The Data Protection Commissioner's decision and reasons

1. Lawfulness of processing health data belonging to the special categories of personal data

Decision

Based on the reasons presented in more detail below, the Data Protection Commissioner considers that the controller cannot process the health data of an applicant for voluntary insurance, or the health data of a person for whose death, illness or injury voluntary insurance is being applied, on the basis of Section 6(1)(1) of the Data Protection Act. For the same reason, the controller also cannot request the health status information of these persons from a health care unit during the insurance application phase on the basis of Section 6(1)(1) of the Data Protection Act.

Based on the more detailed assessment presented below, the controller's processing of the special categories of personal data of applicants for voluntary insurance does not comply with Article 9 of the General Data Protection Regulation. For this reason, the Data Protection Commissioner orders the controller, pursuant to Article 58(2)(d) of the General Data Protection Regulation, to bring its processing operations into line with Article 9 of the General Data Protection Regulation where the controller processes the health data of an applicant for voluntary insurance or of a person for whose death, illness or injury voluntary insurance is being applied.

The Data Protection Commissioner leaves it to the controller's discretion to determine the precise appropriate measures, but orders the controller to submit to the Data Protection Commissioner's office by 29 July 2022 an account of the measures it has taken as a result of this decision, unless it appeals this decision.

Applicable legislation

The General Data Protection Regulation of the European Parliament and of the Council is directly applicable law in the Member States. It contains national leeway on the basis of which national legislation may supplement and specify matters specifically defined in the Regulation. In Finland, the General Data Protection Regulation is specified by the national Data Protection Act.

As a rule, under Article 9(1) of the General Data Protection Regulation the processing of health-related data is prohibited. Processing is however permitted if one of the conditions of Article 6 of the General Data Protection Regulation is met and, in addition, one of the specific grounds listed in Article 9 is also met.

Under Section 6(1)(1) of the Data Protection Act, Article 9(1) of the Data Protection Regulation does not apply to information obtained in the course of insurance operations by an insurance institution concerning the health, illness or disability of the insured or the claimant, or treatment measures or comparable measures directed at them, where the information is necessary to determine the insurance institution's liability.

Under Section 1, the Insurance Contracts Act applies to insurance other than statutory insurance. Under Section 2(1)(4) of the Insurance Contracts Act, the policyholder means the person who has entered into an insurance contract with the insurer, and under Section 2(1)(5) the insured means the person who is the subject of personal insurance.

Reasoning

In the case under consideration, the issue is voluntary insurance. The Insurance Contracts Act sets a general framework for such contracts, but the scope of insurance cover and many details of the terms are specific to each insurance company.

Before concluding the insurance contract, the controller maps the insurance applicant's health status as part of liability selection, on the basis of the information provided by the applicant in the health report and the copies of medical records and doctor's statements requested from health care units. The controller has stated that it processes the data to perform the insurance contract (Article 6(1)(b) of the General Data Protection Regulation). The controller considers that the processing of personal data concerning the insurance applicant's health status in the insurance company is permitted under Section 6(1)(1) of the Data Protection Act.

Under Section 6(1)(1) of the Data Protection Act, Article 9(1) of the Data Protection Regulation does not apply to information obtained in the course of insurance operations by an insurance institution concerning the health, illness or disability of the insured or the claimant, or treatment measures or comparable measures directed at them, where the information is necessary to determine the insurance institution's liability. The provision was issued under the national leeway of the General Data Protection Regulation and is based on Article 9(2)(g) of the General Data Protection Regulation. The preparatory works of the Data Protection Act state that the detailed regulation of insurance institutions, together with the licensing requirement for insurance operations and a right of processing limited to determining liability, can be considered to constitute suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

Under Section 11 of the Personal Data Act, which was in force before the Data Protection Act was enacted, the processing of sensitive personal data was prohibited, and sensitive data included, for example, personal data describing a person's state of health, illness or disability, or treatment measures or comparable measures directed at them. However, under Section 12 of the Personal Data Act, this did not prevent an insurance institution from processing information obtained in the insurance business concerning the health, illness or disability of the insured or the claimant, or treatment measures or comparable measures directed at them. The regulation of the Data Protection Act currently in force thus corresponds to that of the previously applicable Personal Data Act.

Under Section 2(1)(4) of the Insurance Contracts Act, the policyholder means the person who has entered into an insurance contract with the insurer. Under Section 2(1)(5) of the Insurance Contracts Act, the insured means the person who is the subject of personal insurance. Under the provisions of the Insurance Contracts Act, the insured in life insurance is the person on whose death or survival the insurance has been taken out, and the insured in accident insurance is the person whose insurance has been taken out in case of accidental injury or death.

The Data Protection Commissioner draws attention to the fact that Section 6(1)(1) of the Data Protection Act is limited to the processing of information about the health, illness or disability of the insured and the claimant. During the insurance application phase, the insurance contract has not yet been concluded.

Information requested from the health care unit

Personal data must be processed lawfully, fairly and transparently in relation to the data subject (Article 5(1)(a) of the Data Protection Regulation). Fairness is a general principle of personal data processing which requires, among other things, that personal data is not processed in a way that is unexpected or misleading for the data subject. Data subjects must be guaranteed the greatest possible right to self-determination over the use of their own personal data. The most important purpose of data protection legislation is that data subjects retain control over their own personal data. Processing should therefore take into account what kind of processing meets data subjects' expectations.

The health care information requested by the controller concerns the data subject's health information collected during a care relationship, the starting point of which is the confidentiality of the care relationship between the data subject and the health care unit. Under Section 12 of the Act on the Status and Rights of Patients (785/1992, the Patient Act), a health care professional must enter in the patient documents the information necessary for organising, planning, implementing and monitoring the patient's care. In the Data Protection Commissioner's view, the information collected during the care relationship is not necessarily limited to health-related information. It may also reveal, for example, information about ethnic origin, religious beliefs, or sexual behaviour and orientation. During the care relationship, the data subject has disclosed the information in order to receive the care required by their health condition. Such data may be particularly sensitive, and its processing may, depending on the context, pose significant risks to the protection of data subjects' private lives and possibly other fundamental rights and freedoms.

The obligation of health care and medical care providers to keep patient documents confidential is laid down in several contexts. Under Section 13 of the Patient Act, the starting point is that the information contained in patient documents is confidential. Under Section 13(2) of the Patient Act, a health care professional may not disclose information contained in patient documents to a third party without the patient's written consent. Under Section 13(3) of the Patient Act, disclosure is permitted, apart from with the patient's consent, only in limited situations, such as where necessary for the patient's examination and treatment or on the basis of a specific provision of law. The processing of patient documents is therefore associated with a strong need to respect and protect the patient's privacy.

For the reasons stated above, the Data Protection Commissioner considers that the provision of Section 6(1)(1) of the Data Protection Act on the processing of the health data of the insured and the claimant in the insurance business cannot be extended to a data subject who is an insurance applicant during the insurance application phase. Data subjects must be able to rely on the literal wording of the Data Protection Act when applying for insurance. Processing of health data belonging to the special categories of personal data contrary to that wording is not in line with data subjects' reasonable expectations. Given the strong need for privacy protection associated with patient documents, it is also not possible for the data to be processed contrary to the literal wording of the provision.

The Data Protection Commissioner therefore considers that Section 6(1)(1) of the Data Protection Act cannot be applied to the processing of the insurance applicant's health data or to requesting health data from a health care unit.

Consent as a basis for processing special categories of personal data

Although the Data Protection Commissioner leaves the determination of the more precise appropriate measures required by the order given to the data controller to the controller's own discretion, the Data Protection Commissioner points out in this context that, in the Commissioner's view, it would be possible for the data controller to process the health information of insurance applicants before concluding an insurance contract on the basis of consent. The Data Protection Commissioner explains this view in more detail below.

Pursuant to Article 9(2)(a) of the General Data Protection Regulation, the prohibition on the processing of special categories of personal data does not apply if the data subject has given explicit consent to the processing of the personal data in question for one or more specified purposes. In accordance with Article 4(11) of the General Data Protection Regulation, the data subject's "consent" means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal data.

Article 7 of the General Data Protection Regulation lays down the conditions for consent. In accordance with Article 7(4), when assessing whether consent is freely given, utmost account must be taken of, among other things, whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

The European Data Protection Board has issued Guidelines 05/2020 on consent under the General Data Protection Regulation. The guidelines state that Article 9(2) of the General Data Protection Regulation, which provides for specific exceptions to the general prohibition on processing special categories of personal data, does not list the necessity of performing a contract as such an exception. Controllers should therefore examine whether one of the specific exceptions provided for in Article 9(2)(b) to (j) could apply to such a situation. If none of the exceptions set forth in points (b) to (j) apply, obtaining explicit consent in accordance with the conditions for valid consent laid down in the General Data Protection Regulation is the only possible legal exception on the basis of which the controller could process data belonging to the special categories of personal data.

As an example, the guidelines refer to a situation where a customer books a flight and in this context asks the airline for assistance in boarding the plane. The airline then asks the customer to provide information about their health status so that the airline can identify what kind of help the customer needs in order to arrange appropriate services. In this context, the airline requests explicit consent to the processing of the customer's health data for the purpose of arranging assistance. The European Data Protection Board has stated with regard to this example that, since the information is necessary to perform the requested service, Article 7(4) of the General Data Protection Regulation does not apply.

On the other hand, the Data Protection Commissioner draws the controller's attention to the fact that, in accordance with Article 7(4) and recital 43 of the General Data Protection Regulation, it is not acceptable to require, in connection with the performance of a contract, that the data subject consent to the processing of personal data that is not necessary for the performance of that contract. If consent is given in such a situation, it is not considered freely given. Below, the Data Protection Commissioner's second decision deals with what kind of processing of personal data for determining the insurance company's liability is in accordance with Article 5(1)(a) and (c) and Article 25(2) of the General Data Protection Regulation.

The Data Protection Commissioner also draws attention to the fact that, in accordance with Article 7(3) of the General Data Protection Regulation, the data subject must have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. The data subject must be informed of this before giving consent. Withdrawing consent must be as easy as giving it.

On the authorization requested by the controller

The Data Protection Commissioner also evaluates the data controller's current practice, in which the data controller requests, in connection with the health declaration form, the data subject's authorization to request health information from healthcare units.

Based on the information provided by the controller, it requests authorization from the data subject to request information from the health care unit in connection with all insurance applications where the conclusion of the insurance contract requires medical risk selection. The controller does this even though it does not request the insurance applicant's health information from the health care unit in every case. During the application phase, data subjects sign an authorization to the effect that health care units may provide the data controller with personal data concerning the data subject's state of health that is necessary for processing the insurance application and any compensation case.

Recital 43 of the General Data Protection Regulation specifies that consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case. The guidelines of the European Data Protection Board state that consent obtained in full compliance with the General Data Protection Regulation is a tool that gives data subjects control over whether their personal data is processed or not. According to the guidelines, the requirement that consent be "specific" aims to ensure a degree of user control and transparency for the data subject. Specific consent requires that the controller be granular in its requests for consent. In each separate request for consent, the controller must explain exactly what data is processed for each purpose, so that the data subject is clear about the different options and their effects. Obtaining valid informed consent in accordance with the guidelines requires that the data subject be informed about what information is collected and used.

In the opinion of the Data Protection Commissioner, the authorization form currently used by the data controller covers an undefined set of the data subject's health data stored in the patient registers of different healthcare units. Referring to the General Data Protection Regulation and the guidelines issued by the European Data Protection Board on the basis of it, the Data Protection Commissioner considers that the consent requested from the data subject is not sufficiently specific, and that the consent request does not reach the level of precision that would allow insurance applicants to control whether their personal data is processed or not, and which data will be processed for each purpose.

Therefore, the Data Protection Commissioner considers that the general authorization requested by the data controller in connection with the health declaration, for requesting information from different health care units for the processing of the insurance case, is not sufficient to fulfill the requirement for the processing of special categories of personal data under Article 9(2)(a) of the General Data Protection Regulation.

2. Data minimization, fair processing and data protection by design and by default

Decision

Based on the reasons presented in more detail below, the data protection commissioner orders the data controller pursuant to Article 58(2)(d) of the General Data Protection Regulation to bring the processing of personal data into compliance with Article 5(1)(a) and (c) and Article 25(2) of the General Data Protection Regulation when the data controller requests information about the health status of the data subject from the healthcare unit and processes the information it receives to determine the insurance company's liability.

Under this order, when the data controller requests data on the health status of the data subject from the health care unit, the data controller must assess the period for which the health status data is necessary in order to determine the data controller's liability and, based on that assessment, limit the period for which health status data is requested from the health care unit.

The Data Protection Commissioner leaves it to the discretion of the data controller to determine the more precise appropriate measures, but orders the controller to submit to the Data Protection Commissioner's office, by July 29, 2022, an explanation of the measures it has taken as a result of the decision, unless it appeals this decision.

On applicable legislation

According to Section 22 of the Insurance Contracts Act, before the insurance is issued, the policyholder and the insured must give correct and complete answers to the questions posed by the insurer, which may be relevant in terms of assessing the insurer's liability. In addition, during the insurance period, the policyholder and the insured must, without undue delay, correct any information they have provided to the insurer that they find to be incorrect or incomplete.

According to Section 37 of the Insurance Contracts Act, the insurance terms may limit the insurer's liability for the consequences of the illness or injury covered by the insurance, on the basis that the illness or injury already existed when the insurance was applied for, and the limitation is based on the information the insurer acquired about the insured's health before issuing the insurance.

According to Section 69 of the Insurance Contracts Act, the applicant for compensation must provide the insurer with such documents and information as are necessary to clarify the insurer's liability and which can reasonably be required of him, also taking into account the insurer's possibilities to obtain a statement.

According to Article 5(1)(c) of the General Data Protection Regulation, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation").

According to Article 5(1)(a) of the General Data Protection Regulation, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency").

According to Article 25(2) of the General Data Protection Regulation, the data controller must implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, the period of storage and accessibility.

Reasoning

The controller requests the health status information of an applicant for voluntary insurance from the health care unit in order to determine its liability under the Insurance Contracts Act. The controller has stated that information is requested from the health care unit at the application stage only on a case-by-case basis, where it is necessary for the medical risk selection carried out in connection with processing the application. If the answers given by the data subject in the health declaration are sufficient for risk selection, no information request is made to the health care unit, and the risk selection is made on the basis of the information provided by the data subject.

According to the report given by the controller, if it is necessary to request information from the health care unit in connection with processing the insurance application, the information requests are limited on a defined basis. The requests ask for copies of medical records or doctor's statements concerning the identified disease or symptom, showing background information about the disease, symptoms, examinations or procedures, as well as any previous visits and examination results. As a rule, the information is requested for a defined time interval. The data request form of the example case submitted by the controller to the Data Protection Commissioner's office states that "we are requesting the above-mentioned information from [xx time period]".

The Data Protection Commissioner assesses the controller's practice on the basis of the provisions of the Insurance Contracts Act and the General Data Protection Regulation set out above.

In accordance with recital 27 of the General Data Protection Regulation, the Regulation does not apply to the personal data of deceased persons. For this reason, the Data Protection Commissioner does not, in this decision, evaluate the processing of health data of deceased persons on the basis of the General Data Protection Regulation.

When evaluating the controller's practice, attention must first be paid to the fact that under Section 22 of the Insurance Contracts Act, the insurance applicant's duty of disclosure is limited to information that may be relevant for assessing the insurer's liability. The preparatory works of the Insurance Contracts Act specify that the policyholder's duty of disclosure only applies to matters that may be relevant for assessing the insurer's liability. It has been established in the legal literature that the matters inquired about by the insurance company must, based on experience, be closely related to the insurer's risk assessment. In the same context, it has been established that information which is not relevant in isolation can together form a whole that is relevant for risk assessment. For example, minor illnesses must be reported when asked about, even if the person reporting considers the information irrelevant for the insurer's liability.

Also in connection with claiming compensation, the insurer must be given the information necessary to determine its liability pursuant to Section 69 of the Insurance Contracts Act. With regard to claiming compensation, the preparatory works of the Insurance Contracts Act specify that documents and information necessary to establish liability include, for example, those that can be used to determine whether an insured event has occurred and how much damage has occurred. The claimant's duty to clarify also applies to matters unfavorable to the claimant. In personal insurance, for example, the claimant must not fail to submit the necessary medical certificate, even if this results in a failure to provide information.

The provisions of the Insurance Contracts Act presented above must be evaluated together with the rules on data minimization and data protection by design and by default. The principle of data minimization (Article 5(1)(c) of the General Data Protection Regulation) is elaborated in recital 39 of the General Data Protection Regulation, according to which personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In addition, the Data Protection Commissioner draws attention to the European Data Protection Board's guidelines on data protection by design and by default, according to which key elements of the data minimization principle include, among other things:

- Avoiding processing – avoid using personal data at all, if it is possible in connection with each purpose.

- Limitation of processing – limit the amount of personal data collected only to what is necessary for the purpose.

- Relevance of the data being processed – the personal data must be relevant for the processing in question, and the controller must be able to demonstrate the relevance.

- Necessity of the processed data – each group of personal data must be necessary for the specified purposes, and must be processed only if the purpose cannot be fulfilled by other means.

According to the guidelines of the European Data Protection Board, the basic requirement for the processing of personal data is to build data protection into processing operations by default. It is the responsibility of the data controller to define in advance the specified, explicit and legitimate purpose for which the data is processed. By default, the adopted practices should be such that the controller processes only such personal data as is necessary for each specific purpose of processing.

For the reasons stated above, the Data Protection Commissioner considers that, on the basis of the Insurance Contracts Act and the General Data Protection Regulation, the data controller must in all cases specify in its request to the health care unit which relevant information on the data subject's health status, and from which time period, it requests. This means that the data controller must limit the requested information to a specific matter, case, illness or symptom that is of actual importance in assessing the data controller's liability. The controller must also assess the period for which it is necessary to request the data subject's health status information from the health care unit in order to determine the controller's liability and, on that basis, limit the period for which the data subject's health status information is requested from the health care unit. In the request it sends, the controller must limit the requested information to what is necessary, so that the controller is also able to demonstrate that it requests from the health care unit only such health status information on the data subject as is necessary for determining the controller's liability.

The processing of patient documents requested from health care units involves a strong need to respect and protect the patient's privacy, as stipulated, among other things, in Section 13 of the Patient Act. In the worst case, the processing of the data in question may involve the risk of, for example, humiliating the data subject or spreading information about the family's private life. The starting point for processing patient documents is that the data subject can expect, and has been able to expect during the treatment relationship, that health data will be processed with respect for the data subject's privacy. The data subject may have dealt with the health care unit for many different reasons, and not all information collected about the data subject in the health care unit is necessarily relevant for assessing the insurance company's liability when applying for insurance or when assessing the conditions for paying insurance compensation.

The fairness of personal data processing (Article 5(1)(a) of the General Data Protection Regulation) is a general principle which requires, among other things, that personal data may not be processed in a way that is unjustifiably detrimental to the data subject and that the processing of personal data must meet the data subject's reasonable expectations. The controller must respect the fundamental rights of data subjects and implement appropriate measures to that end. It is the responsibility of the controller to take into account what kind of processing is in line with the reasonable expectations of the data subjects. The Data Protection Commissioner considers that, due to the serious risk associated with health status data created in healthcare units, unnecessarily extensive processing of such data by default would be unfair from the point of view of data subjects. It is not fair for the data controller to gain access to the data subject's health status on an unnecessarily wide and unlimited basis through the liability assessment process.

In the matter now being resolved, the controller has stated that its operating model is to limit information requests on a defined basis during the insurance application phase. In its information requests, the controller requests copies of medical records or medical reports from the health care unit concerning the identified disease or symptom. Based on the facts revealed in the reports provided, the Data Protection Commissioner does not consider it necessary to use the corrective powers under Article 58(2) of the General Data Protection Regulation with regard to limiting the information requests to a disease or symptom.

However, the Data Protection Commissioner draws attention to the fact that the controller's practice is, as a rule, to request health status information for a defined time interval. The Data Protection Commissioner considers that, on the basis of the provisions of the Insurance Contracts Act and the General Data Protection Regulation, the data controller must make an assessment of the period, in addition to specifying in its request to the health care unit the particular matter, case, illness or symptom that is of actual importance in assessing the data controller's liability.

The Data Protection Commissioner also draws attention to the recommendation of the Finnish Medical Association on September 25, 2009 (revised on May 2, 2016) on the disclosure of patient data to insurance companies. The Finnish Medical Association recommends handing over information about the patient's state of health in the form of a statement, unless the procedure is otherwise provided for in special legislation. The Data Protection Commissioner also considers it justified that the information should be requested and disclosed primarily in the form of a statement. Such a method of operation is in accordance with the principle of minimizing personal data and protects the patient's privacy, for example, in a situation where the visit logs contain information other than what is clearly necessary for the assessment of the insurance company's liability.

Penalty assessment

In decision no. 4431/161/21, the sanctions board of the Office of the Data Protection Ombudsman imposed an administrative fine on the Finnish Transport Insurance Agency for violating data protection rules in the processing of patient document entries in connection with compensation cases. In the case now being resolved, the Data Protection Commissioner likewise assesses whether it is necessary to impose a sanction on the controller.

In the penalty assessment, the Data Protection Commissioner takes into account that, based on the reports given, it has been necessary to intervene in the controller's practice with corrective powers only with respect to limiting the period of the information requests.

In addition, the Data Protection Commissioner notes that in decision no. 4431/161/21 of the Data Protection Commissioner's office, the right to obtain information was assessed on the basis of Section 82 of the Motor Insurance Act (460/2016). In accordance with Section 82, subsection 3 of the Motor Insurance Act, the insurance company's right to obtain information requires that the information is necessary for resolving the insurance or compensation case under consideration, or otherwise necessary for performing the duties laid down in that Act. Pursuant to Section 22 of the Insurance Contracts Act, the duty of disclosure applies to information that may be relevant for assessing the insurer's liability. Pursuant to Section 69 of the Insurance Contracts Act, the claimant must provide the insurer with such documents and information as are necessary to ascertain the insurer's liability. It has been established in the legal literature that the matters inquired about by the insurance company must, based on experience, be closely related to the insurer's risk assessment. In the same context, it has been established that information which is not relevant in isolation can together form a whole that is relevant for risk assessment.

Based on the above, the wording of the Insurance Contracts Act can be considered to leave more room for interpretation than the Motor Insurance Act. Despite this, the Data Protection Commissioner is of the opinion that, on the basis of the Insurance Contracts Act, the data subject has a justified reason to expect that the insurance company will process only such health data of the data subject as is necessary and limited to the insurance matter.

In the penalty assessment, the Data Protection Commissioner takes into account that in the case now being decided, it has been necessary to use the corrective powers to a significantly lesser extent than in decision no. 4431/161/21. In addition, when evaluating the data controller's procedure, the Data Protection Commissioner takes into account that the Insurance Contracts Act does not set as high a necessity threshold for obtaining data as the Motor Insurance Act.

Based on the overall assessment, the most appropriate course in this case is to bring the data controller's operations into compliance with the law in all respects by means of an order under Article 58(2)(d) of the General Data Protection Regulation. In the opinion of the Data Protection Commissioner, it is not necessary to issue a reprimand to the controller.

Applicable legal provisions

General Data Protection Regulation

- Article 5(1)(a) and (c)
- Article 7
- Article 9
- Article 25(2)
- Article 58

Data Protection Act

- Section 6, subsection 1, paragraph 1

Insurance Contracts Act

- Sections 1, 2, 22, 37 and 69

Act on the Status and Rights of a Patient

- Sections 12 and 13

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision may be appealed to the Administrative Court in accordance with the provisions of the Act on Administrative Judicial Procedure (808/2019).

Service

The decision is served in accordance with Section 60 of the Administrative Procedure Act (434/2003) by mail against acknowledgement of receipt.

The decision has not yet become final.