From GDPRhub

Latest revision as of 13:53, 21 March 2024

Tietosuojavaltuutetun toimisto - 4431/161/21
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(c) GDPR; Article 25(2) GDPR; Article 58(2)(b) GDPR; Article 58(2)(d) GDPR; Article 83 GDPR; § 82 Motor Liability Insurance Act
Type: Investigation
Outcome: Violation Found
Started: 20.03.2017
Decided: 16.12.2021
Published: 27.01.2022
Fine: 52000 EUR
Parties: The Finnish Motor Insurers' Centre
National Case Number/Name: 4431/161/21
European Case Law Identifier: n/a
Appeal: Appealed - Overturned (Helsingin hallinto-oikeus (Finland), 5398/2023)
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA imposed a fine of €52,000 on the Finnish Motor Insurers' Centre for processing and requesting unnecessary patient information from healthcare providers.

English Summary

Facts

The Finnish DPA was notified that the Finnish Motor Insurers' Centre (the controller) had requested unnecessary patient information from healthcare providers in order to settle claims. The DPA then asked the controller to explain how it processed patient information disclosed by healthcare providers for the purposes of settling claims.

In response to the request, the controller clarified that, according to Section 82 of the Finnish Motor Liability Insurance Act, it has the right, notwithstanding the obligation of confidentiality or other restrictions on access to information, to obtain statements made by healthcare providers and other information concerning the patients' medical records, health status, ability to work, treatment and rehabilitation.

The controller stated that it was impossible to process the claim without the claimants' medical records. The controller processed the patients' healthcare appointment data to determine whether the healthcare provider had charged for visits that were not related to the examination or treatment of injuries sustained in a traffic accident.

The controller emphasised that it followed the principle of data minimisation and that the patients’ healthcare appointment data were not requested unnecessarily. The controller also noted that it had to request a large amount of information in case the healthcare providers had omitted information necessary for claims handling.

Holding

On the basis of the information provided by the controller, the DPA considered that Section 82 of the Finnish Motor Liability Insurance Act does not give the controller the right to directly access all patient records, but that the information requested must be necessary for the settlement of the claim. As a general rule, insurance companies may not request all information about customers' healthcare appointments, but this information must be limited and specified on a case-by-case basis.

The DPA emphasised that, in addition to the necessity requirement under the Finnish Motor Liability Insurance Act, the controller must also comply with the data minimisation principle as well as data protection by design and default when receiving personal data. Accordingly, the controller should have reasonably limited the information requested, erased unnecessary information disclosed to it and ensured that it processed only personal data necessary for the purposes of the processing.

The DPA found that the processing of all information about the patients' healthcare appointments also failed to meet the fairness requirements for the processing of personal data, as the data subjects have a justified reason to expect that the insurance companies will only process the information necessary to settle the claim.

The DPA also noted that although it is the healthcare provider's responsibility to sort the information to be disclosed, insurance companies must still review all the information they receive and erase any unnecessary personal data. However, billing issues between healthcare providers and insurance companies must be resolved by means other than the systematic and large-scale collection of patient information.

On the basis of the information gathered, the DPA held that the controller had violated Article 5(1)(a) GDPR, Article 5(1)(c) GDPR and Article 25(2) GDPR. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant to Article 58(2)(d) GDPR, the DPA also ordered the controller to comply with the principles of fairness and data minimisation as well as data protection by design and default when processing the patient information.

In addition to the reprimand and the order, the Sanctions Board of the DPA imposed an administrative fine of €52,000 on the controller pursuant to Article 83 GDPR. The Board considered that the controller's practice was intentional, and that it had not taken action to mitigate the damage suffered by data subjects.

Comment

According to Section 24(4) of the Finnish Data Protection Act, administrative fines cannot be imposed on public authorities, autonomous institutions governed by public law and other similar bodies. The controller is a body that coordinates the implementation and development of motor insurance based on the Finnish Act on the Motor Insurers' Centre. In its decision, the DPA took the view that the controller should not be considered as an entity that could be excluded from the application of the administrative fine.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Matter

The insurance company's right to receive patient data

Controller

Motor Insurance Center

On March 20, 2017, a case was initiated at the Data Protection Commissioner's office in which the initiator stated that, in his opinion, the Motor Insurance Center had obtained more information from healthcare providers than was necessary to resolve the compensation case (case number 1007/452/17). According to the initiator, the Motor Insurance Center had, for example, asked the psychotherapist for the visit notes of each psychotherapy visit, and the psychotherapist had also handed these over to the Motor Insurance Center.

In connection with the handling of this individual case, the Data Protection Commissioner's office has also investigated the Motor Insurance Center's systematic practice when it requests patient data from healthcare providers for the processing of compensation cases.

This decision of the Data Protection Commissioner concerns the systematic practice of the Motor Insurance Center.

Decision of the Data Protection Commissioner on data minimization and data protection by design and by default

Statement received from the controller

The controller was asked to clarify the matter by a request for clarification dated 24 August 2020 and a request for additional clarification dated 1 October 2020. The controller issued a written statement on the matter on 1 September 2020 and an additional statement on 12 October 2020.

According to the controller, it is impossible to process the claim and pay compensation without the medical documents prepared for the claimant. In the processing of compensation for traffic injuries, an overall picture of the claimant's health is needed, not only of the limitations caused by the injury from the traffic accident. Statements alone are not a sufficient account of the state of health.

According to the controller, it has unfortunately often happened that patient record entries have been copied word for word into statements while information relevant to the compensation case has been left out. According to the controller, healthcare professionals are generally not familiar with the legislation on statutory motor insurance claims processing and benefits, and are thus unable to assess what information is necessary. In addition, statements unnecessarily burden healthcare and cause additional costs. Practice has also shown that treatment facilities bill insurance companies for visits that are not related to the examination or treatment of a traffic injury. These cannot be clarified other than on the basis of the visit notes.

Insofar as it is exceptionally necessary to request information about examination or treatment visits other than those covered by motor insurance, the controller states that the necessity assessment is made on a case-by-case basis and that the request for information is specified as precisely as the circumstances allow, in accordance with the principle of minimization. The necessity assessment is always made case by case, and the request can be narrowed down, for example, by limiting its temporal scope or by specifying which specialty entries the request covers.

The controller states that the right of insurance companies to obtain visit records is currently laid down in Section 56 of the Motor Insurance Act. The preparatory works of the Motor Insurance Act state, in relation to that provision, that "the insurance company cannot make a compensation decision regarding the treatment unless it has at its disposal records of the injured person's treatment visit" (HE 123/2015). The provision corresponds in substance to the Motor Insurance Act (279/1959) and the Customer Payments Act applied at the time of the Personal Data Act. On the basis of these provisions, the controller considers that the visit records should be delivered to the insurance company without a separate request. The controller adds that, pursuant to Section 21 a of the previously applied Motor Insurance Act (279/1959) and likewise pursuant to Section 82 of the current Motor Insurance Act (460/2016), it has the right to receive the visit records necessary for claims processing also insofar as the visits are not ones compensated under motor insurance. Section 82, subsection 1, point 3 of the current Motor Insurance Act reads as follows:

The insurance company has the right, notwithstanding the obligation of confidentiality and other restrictions on access to information, to receive:

3) statements prepared by a doctor or other professional referred to in the Act on Health Care Professionals, by a healthcare unit referred to in section 2, paragraph 4 of the Act on the Status and Rights of the Patient, by the body implementing the rehabilitation of the injured person, by another healthcare unit, or by a social service provider or treatment facility, and other information concerning patient records, health status, ability to work, treatment and rehabilitation.

The section further specifies that "the insurance company's right to access the information referred to in subsection 1 above requires that the information is necessary for the resolution of the insurance or compensation matter under consideration or otherwise necessary for the performance of the duties laid down in this Act".

Referring to the above, the controller considers that, for claims processing, it is essential that the insurance company has an understanding of the claimant's overall state of health, which includes all matters that may affect the claimant's ability to work or function. Motor insurance covers only that part of the reduction in work or functional capacity which was caused by the traffic accident, and the insurance company must therefore also be aware of illnesses and injuries unrelated to the traffic accident which limit the right to compensation.

The controller also refers to the government proposal for the Motor Insurance Act (HE 123/2015), according to which "in order to decide on compensability and determine the amount of compensation, accurate information is needed, among other things, on the injuries caused to the injured party, the treatment measures they required and limitations on ability to work. Information about the injured person's health other than the immediate consequences of the traffic accident is essential when assessing the contribution of another injury or illness to the occurrence of the personal injury or the effect of the personal injury on the reduction of ability to work. This other health-related information, which is necessary for resolving the compensation case, may sometimes be needed for a long period before the traffic accident, in some cases even for the injured party's entire lifetime. The right of access to information under the proposed section would include not only medical reports drawn up for applying for compensation, but also other necessary information, such as medical records, examination results and expert reports regarding rehabilitation".

According to the controller, data collection of the kind at issue in case 1007/452/17, which was previously initiated at the Data Protection Commissioner's office, is still usual practice at the Motor Insurance Center and at other insurance companies engaged in motor insurance. A separate statement prepared for the insurance company (a so-called E statement) is requested only if it is considered necessary on a case-by-case basis. According to the controller, statements rarely add value in compensation processing.

Hearing and request for further clarification

The Motor Insurance Center has been given the opportunity referred to in Section 34 of the Administrative Procedure Act (434/2003) to be heard and to express its opinion on the matter and to give its explanation of such demands and evidence that may affect the resolution of the matter. At the same time, the Motor Insurance Center has been given the opportunity to bring up such matters referred to in Article 83(2) of the General Data Protection Regulation which, in the view of the Motor Insurance Center, should be taken into account when making the decision. For this purpose, a hearing request and a request for additional clarification were sent to the Motor Insurance Center on July 9, 2021, electronically and by post, with a response requested by August 6, 2021. The response deadline was subsequently extended at the request of the Motor Insurance Center until August 13, 2021. The Motor Insurance Center responded to the hearing request and the request for additional clarification on August 13, 2021.

In its response, the Motor Insurance Center (Liikennevakuutuskeskus) stated that it always follows the principle of data minimization and that visit records are not requested from healthcare providers unnecessarily. The data collection also could not have been contrary to the data subject's justified expectations, because the basis for the processing and the right to access information are laid down in law. In the Motor Insurance Center's view, the obligation of treatment facilities to submit visit records related to treatment or examination reimbursed from motor insurance is based on law, whereas submitting the information exclusively in the form of a separate statement is not based on law and would inevitably lead to decisions being based on an incomplete medical account. Nor does the Finnish Medical Association's recommendation require health information to be submitted to motor insurance companies in the form of a statement, according to the Motor Insurance Center.

In its response, the Motor Insurance Center points out that Section 6, subsection 1 of the Data Protection Act provides that Article 9(1) of the Data Protection Regulation does not apply to information obtained in the course of insurance operations concerning the health, illness or disability of the insured or the claimant, or the treatment measures assigned to them or comparable actions, which are necessary to clarify the liability of the insurance institution. According to the Motor Insurance Center, the processing of the claimant's health data in order to determine the insurance company's liability is therefore expressly permitted. In its response, the Motor Insurance Center also referred to the legal points that it had raised in its statements to the Data Protection Commissioner's office on 1 September 2020 and 12 October 2020.

According to the Motor Insurance Center, the need for changes to insurance legislation following the General Data Protection Regulation was also assessed for the Motor Insurance Act after the regulation entered into force, and it was not deemed necessary to change the information access provisions of the Motor Insurance Act. In connection with the hearing, the Motor Insurance Center also stated that it has no actual turnover, as it is a non-profit public benefit entity.

Background information

On the Motor Insurance Center

The Motor Insurance Center is a joint body for the implementation and development of motor insurance. All insurance companies engaged in motor insurance in Finland must belong to the Motor Insurance Center.

Liikennevakuutuskeskus is based on law and receives income from credits and the insurances it issues. The Motor Insurance Center has a general assembly, regular meetings, a board of directors and a CEO. The Motor Insurance Center ultimately protects the rights of the victim of a traffic accident and takes care of the consequences of neglecting the statutory motor insurance.

In accordance with the government proposal (HE 123/2015), motor insurance is a statutory damage insurance, the purpose of which is to provide comprehensive insurance cover for damage to property and personal injury to those who suffer damage from the use of a motor vehicle in traffic. Taking out motor insurance is made mandatory by law due to the heightened risk of damage associated with the use of motor vehicles.

Turnover

According to the statement given by the Motor Insurance Center on 13 August 2021, it has no actual turnover. Therefore, in the case of the Motor Insurance Center, considering its operating model, it is justified to take the total amount accumulated from the Motor Insurance Center's income and fundraising as the basis for the economic value of its operations. In 2020, this total amount was 8,069,923.31 euros.

On applicable legislation

The Motor Insurance Center's right to access information is expressly provided for in Section 82 of the Motor Insurance Act (460/2016). Before this, Section 21 a of the Motor Insurance Act (279/1959) (repealed as of January 1, 2017) was the corresponding provision. When assessing the lawfulness of data disclosure, the general legislation regulating the processing of personal data must also be taken into account.

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (data protection regulation) has been applied since May 25, 2018. As a regulation, the regulation is immediately applicable law in the member states. The Data Protection Regulation contains national leeway, on the basis of which national legislation can be used to supplement and clarify matters specifically defined in the regulation. The general data protection regulation is specified by the national data protection act (1050/2018), which has been applied since January 1, 2019. The Data Protection Act repealed the Personal Data Act (523/1999) that had been in force previously.

A central principle of EU law is the principle of legal certainty. The prohibition on the retroactive application of legislation has been derived from this principle in several judgments of the Court of Justice of the European Union. According to this prohibition, EU legal acts generally do not have retroactive effect.

As regards the general practice of the Motor Insurance Center, the legally relevant activity has continued in the same way since the General Data Protection Regulation became applicable. Since the subject of the assessment is the Motor Insurance Center's usual and still-in-use operating method, the General Data Protection Regulation applies to the matter, and it is not necessary to assess the conditions for its retroactive application.

General Data Protection Regulation

Article 5(1)(a) of the General Data Protection Regulation provides for the principle of fairness. The principle requires that personal data is processed fairly and that the processing corresponds to the data subject's reasonable expectations.

Article 5(1)(c) of the General Data Protection Regulation provides for the data minimization principle, according to which personal data must be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Article 25 of the General Data Protection Regulation provides for data protection by design and by default. According to paragraph 1 of the Article, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller must, both when determining the means of processing and during the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing, so that the processing meets the requirements of the General Data Protection Regulation and the rights of data subjects are protected. According to paragraph 2 of the Article, the controller must implement technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

Legal issue

The Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).

The Data Protection Commissioner must decide whether the controller has complied with Article 25(2) and Article 5(1)(a) and (c) of the General Data Protection Regulation when acquiring patient data. In this connection, it is also necessary to assess whether the corrective powers under Article 58(2) of the General Data Protection Regulation should be used in the case.

Decision of the Data Protection Commissioner

Reprimand and order to bring processing operations into compliance with the General Data Protection Regulation

The controller has not complied with Article 5(1)(a) (fairness of processing), Article 5(1)(c) (data minimization) or Article 25(2) (data protection by design and by default) of the General Data Protection Regulation, and the controller's procedure when acquiring patient data in compensation matters has therefore not been in compliance with the General Data Protection Regulation.

The controller is ordered, in accordance with Article 58(2)(d) of the General Data Protection Regulation, to comply with the principle of data minimization, the principle of fairness and the obligation of data protection by design and by default when acquiring patient data, and to bring its processing operations into compliance with the Data Protection Regulation.

The controller is issued a reprimand in accordance with Article 58(2)(b) of the General Data Protection Regulation for processing operations that violate the provisions of the General Data Protection Regulation.

The Data Protection Commissioner leaves the appropriate measures to the discretion of the controller, but orders a report on the measures taken to be submitted to the Data Protection Commissioner's office by February 15, 2022, or no later than six weeks after notification of the decision, unless the controller appeals this decision.

Administrative fine

According to Section 24 of the Data Protection Act, the administrative fine (administrative penalty fee) provided for in Article 83 of the General Data Protection Regulation is imposed by the sanctions board formed by the Data Protection Commissioner and the Deputy Data Protection Commissioners. The matter concerning the Motor Insurance Center is referred to the Sanctions Board for decision. The Sanctions Board must therefore assess whether an administrative fine in accordance with Article 58(2)(i) of the General Data Protection Regulation must be imposed on the controller in addition to the reprimand and order issued by the Data Protection Commissioner.

Reasons for the decision

The Motor Insurance Center's right to access information under the Motor Insurance Act

The right of access to information of the insurance company and the Motor Insurance Center is regulated in Section 82 of the Motor Insurance Act (460/2016). According to Section 82, subsection 1, point 3 of the Motor Insurance Act, the insurance company has the right, notwithstanding the obligation of confidentiality and other restrictions on access to information, to obtain from a doctor or other professional referred to in the Act on Health Care Professionals, from a healthcare unit referred to in Section 2, paragraph 4 of the Act on the Status and Rights of the Patient, from the body implementing the rehabilitation of the injured person, from another healthcare unit, and from a social service provider or treatment facility, statements and other information concerning patient records, health status, work capacity, treatment and rehabilitation. Subsection 3 of the section provides that "the insurance company's right to access the information referred to in subsection 1 above requires that the information is necessary for the resolution of the insurance or compensation case under consideration or otherwise necessary for the performance of the duties laid down in this Act".

Based on the explanation obtained in the case, the controller has interpreted the above-mentioned provision of the Motor Insurance Act in its operations in such a way that, as a general rule, the Motor Insurance Center may ask the controller of the patient records to provide it with the claimant's patient record entries in full instead of a statement. However, the provision cannot be interpreted as entitling direct access to all patient record entries; the access to information must be necessary in accordance with Section 82, subsection 3. Therefore, the information collected must always be limited to what is necessary for resolving the compensation case.

In addition to Section 82 of the Motor Insurance Act, the controller has relied on the detailed reasoning for Section 56 in the government proposal for the Motor Insurance Act (HE 123/2015), according to which "the insurance company cannot make a compensation decision regarding the treatment unless it has access to records of the injured person's treatment visit". That section deals with the duty of a public healthcare unit to provide information to the insurance company in order to determine liability for compensation and to obtain payment of the full cost. According to the legislative text, for this purpose the healthcare provider must provide the necessary information on treatment visits referred to in Section 12 of the Patient Act (785/1992). However, in the light of the necessity criterion contained in Section 82 of the Motor Insurance Act, this cannot be taken to mean that the insurance company should be given all entries regarding the treatment visit in full and without screening, and Section 56 of the Motor Insurance Act cannot reasonably be interpreted as intended to nullify the necessity condition set in Section 82 of the Motor Insurance Act. The necessity of obtaining even partial entries must always be justified with case-specific reasons.

In the statement given to the Data Protection Commissioner's office, the controller has also justified its activities with the following reasoning for Section 82 in the same government proposal (HE 123/2015, p. 111):

In order to decide on compensability and determine the amount of compensation, accurate information is needed about, among other things, the injuries caused to the injured party, the treatment measures they required, and limitations on ability to work. Information about the injured person's health other than the immediate consequences of the traffic accident is necessary when assessing the contribution of another injury or illness to the occurrence of the personal injury or the effect of the personal injury on the reduction of ability to work. This other health-related information, which is necessary for resolving the compensation case, may sometimes be needed for a long period before the traffic accident, in some cases even for the injured party's entire lifetime. The right of access to information under the proposed section would include not only medical reports drawn up for the purpose of applying for compensation, but also other necessary information, such as medical reports, examination results and expert reports regarding rehabilitation.

The controller's citation omits the last sentence of the reasoning paragraph in question, which reads as follows:

Also under this section, the right of access to information would be limited to the information necessary in the individual case for carrying out the tasks referred to in subsection 1, which is why efforts should be made to specify the information requested.

It can therefore be considered that the legislator's purpose was to limit the Motor Insurance Center's right to access information to the information assessed and specified as necessary on a case-by-case basis.

Obtaining information for the settlement of the compensation case and the General Data Protection Regulation

Similar to the requirement of necessity contained in the Motor Insurance Act, a limitation generally applicable to the processing of personal data follows from Article 5(1)(c) of the Data Protection Regulation (data minimization), according to which personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

In turn, Article 25(2) of the General Data Protection Regulation provides for data protection by default, according to which the data controller is obliged to implement technical and organizational measures to ensure that by default only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability.

In order to comply with its obligation under Article 25(2), the controller must choose the default processing settings and options, and be responsible for their implementation, in such a way that by default only the processing of personal data that is strictly necessary to achieve the lawful purpose set is carried out. This means, among other things, that the basic requirement is to build data protection into the processing of personal data by default, so that the controller does not, for example, collect more personal data by default than is necessary. By default, the measures must be able to ensure that only such personal data are processed as are necessary for each specific purpose of processing.

The above-mentioned obligations under the General Data Protection Regulation require that the information acquired in order to resolve the compensation case be limited to only the information necessary for the purpose of processing. In order to comply with the minimization principle and the obligations regarding data protection by design and by default, the entity receiving personal data must endeavor to limit the requested data appropriately, delete unnecessary data if such data is provided to it, and ensure that the measures related to the processing of the personal data in question are structured in such a way that only personal data necessary for the purpose of processing are processed.

Limiting the information to be acquired for settling the compensation case

In the report received in the matter, the Motor Insurance Center has said that collecting the visit notes as a whole is its usual way of working. In this regard, the Data Protection Commissioner states that requesting visit records in their entirety cannot be considered a lawful starting point for collecting data as the basis of a compensation decision, because in doing so the insurance company inevitably collects, in addition to necessary data, personal data that it is not entitled to by law. Such a systematic, very broad interpretation of the necessity criterion set in the Motor Insurance Act and of the minimization principle of the General Data Protection Regulation also ignores the central starting point of data protection by default, according to which the data controller should not collect more detailed information than is justified in terms of the clearly defined and lawful purpose for which the personal data are used. In addition, it can be noted that the procedure does not meet the conditions set for the reasonableness (fairness) of the processing of personal data (Article 5(1)(a) of the General Data Protection Regulation); the processing of such extensive data can be considered contrary to the expectations of the data subject, because on the basis of the legislation the data subject has a justified reason to expect that the insurance company processes only the personal data necessary for the compensation decision.

On the other hand, the necessity of obtaining the information cannot be justified by the need raised by the data controller in its report to go through the texts to find out whether there is anything relevant in the entries, or to ensure that the party providing the information has not omitted to provide information knowingly or out of lack of understanding. It is the task of the keeper of the patient data register – not the insurance company – to screen out the necessary information before handing it over to the insurance company. It should be noted that this does not remove the insurance company's obligation to review the information it receives and to ensure that it does not collect unnecessary personal data in violation of the data minimization principle.

In the report given to the Data Protection Commissioner's office, the controller has also justified its procedure by the fact that, according to its experience, treatment facilities bill insurance companies for visits that are not related to the investigation or treatment of a traffic injury. However, billing issues between the care facility and the insurance company must be resolved by means other than the systematic, large-scale collection of patient data.

Regarding the method of providing information, for example, in the Finnish Medical Association's recommendation on the disclosure of patient information to an insurance company, it has been stated that information regarding the patient's state of health should be disclosed in the form of a statement, unless special legislation specifically provides for the procedure otherwise. The Data Protection Commissioner also considers it justified that the information should be requested and disclosed primarily in the form of a statement. Such a method of operation is in accordance with the principle of minimizing personal data and protects the patient's privacy, for example, in a situation where the visit logs contain information other than what is clearly necessary for processing the compensation case.

Although the above-mentioned primary method of providing information concerns the data provider, the Motor Insurance Center must also take it into account in its own operations, and it therefore cannot treat requesting extensive patient record entries as such from the keeper of patient records as a general starting point. In this connection, the Motor Insurance Center has justified its data collection method by arguing, among other things, that statements unnecessarily burden healthcare and cause additional costs. However, this is not a valid reason to violate data protection regulations.

According to the report obtained in the case, presenting extensive information requests for patient record entries has been a systematic method of operation of the controller, which the controller has deemed justified on the basis of the provisions of the Motor Insurance Act. In acting in this way, however, the data controller has not taken into account the data limitation requirements contained in the Motor Insurance Act, and the data controller's method of operation is not compatible with the requirements of Article 5(1)(a), Article 5(1)(c) and Article 25(2) of the General Data Protection Regulation.

Based on the above grounds, the data protection commissioner issues a notice to the data controller and an order to change its procedures related to requests for patient data so that its operations meet the above-mentioned requirements set by the General Data Protection Regulation.

According to Section 24 of the Data Protection Act, the administrative penalty fee is determined by the penalty panel formed by the data protection commissioner and deputy data protection commissioners, which has issued the following decision on imposing the penalty fee.
Sanctions board's decision on an administrative fine (administrative penalty payment)
Controller

Motor Insurance Center
Decision of the Sanctions Board

The Sanctions Board considers that the notice issued by the Data Protection Commissioner pursuant to Article 58(2)(b) and the order issued pursuant to Article 58(2)(d) of the General Data Protection Regulation are not a sufficient sanction, taking into account the nature and seriousness of the violation.

The sanctioning panel formed by the Data Protection Commissioner and the deputy data protection commissioners orders the data controller to pay the state an administrative fine of 52,000 (fifty-two thousand) euros pursuant to Article 58(2)(i) and Article 83 of the General Data Protection Regulation.
Reasons for imposing an administrative penalty

Article 83 of the General Data Protection Regulation provides for the general conditions for imposing administrative fines. According to the article, the imposition of administrative fines must be effective, proportionate and dissuasive in each individual case. Administrative fines are imposed according to the circumstances of each individual case in addition to or instead of the remedial powers provided for in Article 58. When deciding on the imposition of an administrative fine and the amount of the administrative fine, the factors listed in Article 83, paragraph 2 of the General Data Protection Regulation must be taken into account in each individual case.

When evaluating the matter, the Article 29 Working Party guidelines on the application and setting of administrative fines are also taken into account.

In the case in question, it has been found that the data controller, when acquiring the data subject's patient data in order to resolve the compensation case, has violated Article 5(1)(a) (principle of reasonableness), Article 5(1)(c) (principle of data minimization) and Article 25 (data protection by design and by default) of the General Data Protection Regulation.

According to Section 24(4) of the Data Protection Act, an administrative fine cannot be imposed on state authorities, state business entities, municipal authorities, independent public law institutions, parliamentary agencies, the Office of the President of the Republic, nor on the Evangelical Lutheran Church of Finland and the Finnish Orthodox Church, nor on their parishes, parish associations and other bodies. The Sanctions Board of the Office of the Data Protection Commissioner states that the Motor Insurance Center is not an operator that could be excluded from the application of an administrative fine, taking into account that the operators covered by Section 24(4) of the Data Protection Act are public authorities or public bodies within the meaning of Article 83(7) of the General Data Protection Regulation. The Motor Insurance Center is not, for example, a state business entity or an independent institution under public law, and the public benefit activity of the organization is not in itself a reason to consider the operator to be covered by Section 24(4) of the Data Protection Act. The operating model of the Motor Insurance Center has been taken into account when calculating the amount of the fine in such a way that the lowest of the alternative figures forming the basis of the fine has been chosen.
Summary and the amount of the administrative fine

According to Article 83(1) of the General Data Protection Regulation, the fine must be effective, proportionate and dissuasive. The assessment is made based on the circumstances of each individual case. When examining an individual case, it must be assessed whether the aim is only to change the activity to comply with the law, or whether it is justified to set the goal of punishing the controller for illegal activity. Regarding the amount of the fine, on the other hand, it must be taken into account whether the violation concerns the articles of the General Data Protection Regulation listed in Article 83(4) of the General Data Protection Regulation or Article 83(5) of the Regulation. Grading into two different categories forms the framework for setting the maximum amount of the fine, and the general data protection regulation does not specify fine amounts by type of violation, for example. In turn, the combined effect of all factors mentioned in Article 83(2) is taken into account in the assessment of the seriousness of the violation.

In the case of the Motor Insurance Center, it is justified to set the goal of both bringing the operation into compliance with the law and drawing the controller's attention to the illegality of its method of operation by means of a financial penalty. In the case of the Motor Insurance Center, the violation has been long-lasting and still continues. The breach has also affected a large number of data subjects. In the case of the Motor Insurance Center, simply bringing the operation into compliance with the requirements of data protection regulations cannot be considered sufficient. This view is also strongly supported by the systematic nature of the violation and by the fact that it was a violation of the data protection principles laid down in Article 5 of the General Data Protection Regulation.

In the case of the Motor Insurance Center, the upper limit of the fine in euros is determined in accordance with Article 83(5) of the General Data Protection Regulation, because the violation concerns both provisions covered by Article 83(4) of the General Data Protection Regulation (violated article: Article 25) and provisions covered by Article 83(5) of the General Data Protection Regulation (violated article: Article 5). The non-fulfillment of the obligations arising from Article 5 must thus be assessed as the more serious violation, and it is possible to apply Article 83(5) of the General Data Protection Regulation when determining the overall penalty. In setting the amount of the fine, it must be ensured that it meets the requirement of Article 83(1) of the General Data Protection Regulation regarding the dissuasive effect of an administrative fine.

As aggravating factors, the evaluation must take into account the intentionality and negligence of the violation, the controller's passivity regarding measures to mitigate the damage caused to the data subjects, the neglect of appropriate technical and organizational measures, and the targeting of the violation to sensitive data concerning the data subject's health.

According to Article 83(5)(a) of the General Data Protection Regulation, an administrative fine of up to EUR 20,000,000 or, in the case of an undertaking, up to four percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed. Although the General Data Protection Regulation has applied only since 25 May 2018, and the Personal Data Act did not include a corresponding fine provision, it is possible to impose a fine for a so-called continuous violation, and thus it is also possible to take into account a violation that began prior to the start of the application of the General Data Protection Regulation.
The nature and seriousness of the breach

The nature and seriousness of the violation is assessed in light of the factors according to Article 83(2)(a) of the General Data Protection Regulation.

The case is not a minor violation as referred to in recital 148 of the General Data Protection Regulation, and the violation of the principles regarding the processing of personal data and of the implementation of data protection by design and by default affects the essential content of the obligations violated in this case. The scope and purpose of the data processing also support assessing the violation as serious, so that the notice according to Article 58(2)(b) and the order according to Article 58(2)(d) of the General Data Protection Regulation cannot be considered a sufficient sanction for the data controller.

In this decision of the sanctioning board and in the related decision of the data protection commissioner, the systematic operation of the Motor Insurance Agency has been evaluated based on the information obtained in the investigation of the case initiated in the data protection commissioner's office in 2017. In its report, the Motor Insurance Center has stated that the method of operation under evaluation is customary for it and that it is still in use. The grievances related to the systematic way of operating have therefore existed since at least 2017, i.e. longer than the period of application of the General Data Protection Regulation, and the violation is still ongoing. The long-term nature of the violation must be considered a justification for imposing an administrative penalty.

In connection with the hearing on 13 August 2021, the Motor Insurance Center has issued an additional explanation, according to which a total of 2,494 claims based on the Motor Insurance Act were reported to the Motor Insurance Center in 2019. According to the Motor Insurance Center's estimate, the relative share of personal injuries among the damages handled by the Motor Insurance Center corresponds to the National Insurance Agency's share of the traffic accident cases it handles in Finland, i.e. approximately 500 damage cases per year. The sanctioning panel also takes into account the duration of the data controller's conduct, noting that the Motor Insurance Center processes the personal data of numerous data subjects and that the violation has been systematic, not isolated. The impact of the violation on a large number of data subjects must be taken into account as a justification for imposing an administrative fine.

In the assessment of the damage caused to data subjects, the decision of the Supreme Court KKO:1998:85 must be taken into account, which emphasized informed self-determination and stated that the wording of the personal register offense referred to in Section 43 of the Personal Register Act (471/1987), since repealed, showed that an infringement of privacy, as a violation of informed self-determination, in itself constituted the damage or harm required by law. This is still true. A mere breach of privacy means causing harm or inconvenience. The occurrence of financial or other material damage is not a condition as such, although the occurrence of such damage is taken into account in accordance with Article 83(2)(a) of the General Data Protection Regulation when imposing an administrative fine and deciding on its amount. The Motor Insurance Center must be considered to have violated the rights of the data subjects under the General Data Protection Regulation, as a result of which the data subjects have suffered damage.
Assessment of aggravating and mitigating factors
Intentional or negligent breach

The Motor Insurance Center has submitted to the Data Protection Commissioner's office that its general procedure of requesting data subjects' visit records from healthcare providers is based on its interpretation of the provision on its right to access information in the Motor Insurance Act. The Motor Insurance Center presented the same justification to the initiator of case 1007/452/17 in 2017. The Motor Insurance Center has stated in its report to the Data Protection Commissioner's office that it has also taken into account the requirements of the data protection regulation in its operations. The procedure of the Motor Insurance Center therefore shows that it is not sufficiently familiar with the data protection legislation in force and the requirements arising from it. In terms of the aspects stated above, the violation must be considered negligent. The Motor Insurance Center's operating procedure, in which patient records are requested from healthcare providers to verify the accuracy of the billing basis and to make sure that the healthcare provider does not, for example, conceal information or fail to provide it due to lack of understanding, is a procedure deliberately introduced by the Motor Insurance Center to prevent abuse by healthcare providers. The Motor Insurance Center has not presented grounds on which this procedure would be justified. As regards this procedure, the violation must be considered intentional. The intentionality, and in part the negligence, of the Motor Insurance Center's actions must be considered an aggravating factor in the case.
Actions taken by the controller to mitigate the damage caused to the data subjects

In the assessment of the nature and seriousness of the violation, the sanctioning board has considered that the data controller has violated the rights of data subjects under the General Data Protection Regulation, as a result of which the data subjects have suffered damage. Regarding the measures taken by the data controller to mitigate the damage, it can be stated that the data controller has not taken any steps to mitigate the damage caused to the data subjects. The controller's inactivity in these respects must be considered an aggravating factor in the case.
The degree of responsibility of the controller, taking into account the technical and organizational measures taken by it pursuant to Articles 25 and 32

The Sanction Board states that when evaluating the measures taken by the controller pursuant to Articles 25 and 32, no mitigating factors can be identified in these respects either. The controller has not implemented appropriate and effective measures to ensure legal processing, and the relevant data protection practices and data protection principles have not been applied at the appropriate level in the organization.
Any previous similar violations by the controller

Apart from case 1007/452/17, initiated at the Data Protection Commissioner's office on 20 March 2017, the Data Protection Commissioner's office has not received any other similar complaints concerning the data controller. Due to the systematic nature of the violation, it is not appropriate to treat this as a mitigating factor in the case.
Cooperation with the supervisory authority

The controller's cooperation with the supervisory authority has been impeccable. However, in evaluating the matter, it is not appropriate to give weight to cooperation that is already required by legislation. Pursuant to Article 58(1) of the General Data Protection Regulation and Section 18 of the Data Protection Act, the controller is obliged to provide the requested information to the supervisory authority, and it is not appropriate to consider the fulfillment of such a statutory obligation as a mitigating factor in the case.
Categories of personal data affected by the breach

In its core operations, the controller processes data belonging to special categories of personal data (Article 9 of the General Data Protection Regulation). The requests for information submitted by the data controller to healthcare providers are directed at sensitive data concerning the health of the data subject. In the case of patient data, the appropriate implementation of data minimization and the reasonableness of processing are also of particular importance in terms of the confidential patient relationship and the patient's right to self-determination. From the point of view of the patient's treatment, it is of primary importance that the patient can talk openly, for example, about their life situation, symptoms and thoughts. The fact that the data processing concerns health data must be considered an aggravating factor in the case.
The way in which information about the violation came to the attention of the supervisory authority

Information about the violation came to the attention of the supervisory authority through a complaint, not through the data controller's own notification. Therefore, there are no mitigating factors in this respect.

The decision to impose an administrative fine has been made by the members of the data protection commissioner's sanctioning board.