Tietosuojavaltuutetun toimisto (Finland) - 4680/182/18

From GDPRhub
Tietosuojavaltuutetun toimisto - 4680/182/18
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 9 GDPR; Article 9(1) GDPR; Article 9(2)(a) GDPR; Article 9(2)(g) GDPR; Article 58(2)(d) GDPR; § 6(1)(1) Data Protection Act
Type: Investigation
Outcome: Violation Found
Started: 03.08.2018
Decided: 08.06.2022
Published: 07.07.2022
Fine: n/a
Parties: OP-Henkivakuutus Oy
National Case Number/Name: 4680/182/18
European Case Law Identifier: n/a
Appeal: Appealed - Confirmed (Helsingin hallinto-oikeus (Finland), 117/2024)
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The Finnish DPA found a life insurance company to have breached Article 9 GDPR for not having a legal basis to process the health data of life insurance applicants.

English Summary

Facts

The Finnish DPA had asked the controller (OP-Henkivakuutus Oy, a life insurance company) to explain on which legal basis and for what purpose it processed data subjects' health data that it requested from health care units. The controller was also asked to explain how it processed personal data before the conclusion of an insurance contract.

In response to the request, the controller clarified that the processing was based on Section 6(1)(1) of the Finnish Data Protection Act, according to which insurance institutions may, despite the general prohibition in Article 9(1) GDPR, process the health data of the insured party and the claimant, which is necessary to determine the liability of the insurance institution. The controller considered that it had the right to process health data at all stages of the life insurance customer relationship: when applying for insurance, during the insurance period and after an insured event has occurred.

The controller also stated that it asked all data subjects applying for life insurance to consent to the controller requesting, if necessary, health data from health care units in order to process the insurance application and any compensation case, and to verify the accuracy of the health data. The controller considered it necessary that the consent given by data subjects remained valid for the entire duration of the insurance contract.

The controller claimed that a situation where the data subject withdraws their consent or does not give it in the first place, but the controller must still issue life insurance and keep it in force, is impossible. In the controller's view, the data subject could terminate the insurance at any time if they did not want the controller to receive their health data from health care units.

Holding

On the basis of the information provided by the controller, the DPA emphasised that Section 6(1)(1) of the Finnish Data Protection Act, which is based on Article 9(2)(g) GDPR, applies only to the processing of the personal data of insured parties and claimants. The DPA considered that the insurance contract has not yet been concluded at the insurance application stage, and the provisions of the Finnish Data Protection Act cannot be extended to a data subject applying for insurance. Therefore, Section 6(1)(1) of the Finnish Data Protection Act cannot be applied to the processing of health data of insurance applicants and to requesting their health data from health care units.

The DPA stated that the consent requested by the controller concerned an unspecified set of health data stored in the patient information systems of various health care units. The data subjects could not control whether their personal data was processed or not or for what purposes it was processed. Thus, the consent requested by the controller was not sufficient to fulfil the requirements for the processing of special categories of personal data according to Article 9(2)(a) GDPR.

On the basis of the information gathered, the DPA held that the controller had violated Article 9 GDPR. As a result, and in accordance with Article 58(2)(d) GDPR, the DPA ordered the controller to bring its processing operations into compliance with the provisions of Article 9 GDPR.

Comment

The Finnish DPA has issued similar decisions against two other insurance companies in cases 3216/452/17 and 7285/183/18.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Decision of the Data Protection Commissioner

Matter

Requesting the health status information of the registered person from the health care unit in connection with the assessment of the insurance company's liability

Controller

Insurance company

A matter to be resolved

On August 3, 2018, the data subject informed the Data Protection Commissioner's office that the data controller had, in connection with a life insurance application, requested the data subject's consent to the disclosure of the data subject's health data from different health care units to the data controller. The controller has asked data subjects to sign the following consent in connection with the health examination of the insurance application:

"I declare that I agree to the fact that the doctors who examined and treated me, occupational health professionals, hospitals, health centers, counseling centers, health care units, mental health offices and private medical facilities as well as other insurance companies and insurance and pension institutions provide the insurance company with the information about my health necessary to process this application and any compensation case. In order to obtain the necessary information, the insurance company can hand over individualized information about my state of health and my insurance to the parties mentioned above. Regarding the information from the National Pension Service, my consent only applies to the information needed to process the compensation case."

According to the registered opinion, on the basis of a broad and open consent request, it is not possible for the registered person to control to what extent the insurance company gets access to the registered patient's data.

In 2020 and 2021, the Data Protection Commissioner's office investigated the procedures of the data controller in situations where the data controller requests data on the health status of data subjects from health care units. This decision concerns the systematic and currently used method of operation of the data controller.

In this decision, the term insurance applicant means not only the actual insurance applicant, but also persons whose insurance is intended to be taken out in case of illness or death, even if they are not insurance applicants themselves.

The Data Protection Commissioner assesses the matter based on the General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council and the Data Protection Act (1050/2018). The issue to be resolved is whether the data controller processes the health data belonging to the special personal data groups of the registrants in accordance with Article 9 of the General Data Protection Regulation when applying for voluntary insurance. In addition, in connection with this decision, the Data Protection Commissioner gives general guidance to the data controller regarding the situations when the data controller requests health information about the registered person from the healthcare unit and processes the information received in order to clarify the liability of the insurance company.

Statement received from the controller

The registrar has been requested to clarify the matter on 10 September 2020, 7 December 2020 and 16 August 2021. The registrar has given a written report on the matter on 9 October 2020, 18 January 2021 and 16 September 2021.

The process of mapping the insurance company's liability

The data controller was asked to explain on what basis of processing and for what purpose the data controller processes the information requested from the health care unit about the data subject. In addition, the data controller was asked to tell what the processing process before the execution of the data controller's insurance contract is like.

The registrant says that the processing of registered health data is necessary in life insurance operations when making an insurance decision (whether life insurance can be granted) and a compensation decision (whether life insurance can be compensated). In the opinion of the registrar, pursuant to Section 6 subsection 1, point 1 of the Data Protection Act, the registrar has the right to process the insured's health data in all phases of the life insurance customership: when applying for insurance, while the insurance is in force, and after an insured event has occurred.

Before taking out risk life insurance, the registrar checks the health status of the policy applicant and asks the policy applicant to fill out a health report as part of the insurance application. The registrar notes that medical reports, prescriptions or other attachments are not attached to the health report, but are requested from the registered person after filling out the health report if additional information is required to make an insurance decision. Based on the health status information provided in the health examination, the registrar assesses whether the insurance can be granted and, if so, under what conditions. The health condition of the person registered in risk life insurance can affect the price of the insurance. The controller has delivered a copy of the health report he used to the data protection commissioner's office.

The registrar says that all registrants applying for life insurance will be asked for their consent to obtain health information from health care units, if necessary, in order to process the insurance application and any compensation case.

The registrar states that the provision of Section 13, subsection 2 of the Act on the Status and Rights of the Patient (785/1992, Patient Act) requires that the registered person be asked to consent to the transfer of patient data from the healthcare unit to the insurance company. In this regard, the controller draws attention to the fact that in the case brought to the attention of the Data Protection Commissioner's Office, the situation in question is the purchase of life insurance. In the case of life insurance, the insurance event leading to the payment of insurance compensation is the death of the registered person. This means that it is no longer possible to request the registrant's consent to the release of their health information after the actual insurance event, i.e. death, and for this reason consent is requested when applying for insurance with a health information form.

According to the view of the registrar, it is necessary that the consent of the registered person, which enables the insurance company to acquire health information, exists for the entire duration of the insurance contract to ensure the realization of the insurance company's rights according to the Insurance Contract Act (543/1994). In practice, such a situation is impossible that the data subject would withdraw the consent entitling to the acquisition of his health data or would not give it in the first place, but the insurance company should issue life insurance and keep it still valid. The registrant can terminate the insurance at any time, if the registrant does not want the data controller to obtain health information about him from the health care unit.

The registrar says that it requests data on the health status of the registered person from the health care unit during the insurance application phase, as a rule, only when it is a question of a large insurance amount. In addition, in certain situations, the registrar requests the registered person's health information from the health care unit after the actual insurance event, i.e. the registered person's death.

The registrar has stated in his report on 18.1.2021 that the registrar directs the registrant to medical examinations in accordance with the guidelines for the selection of liability during the insurance application phase at the registrar's expense in the insurance application phase, when the insurance amount of the life insurance sought from the registrar is large. In this case, the data controller processes the health data of the registered person obtained from these medical examinations based on the consent given by the registered person when evaluating the granting of insurance. If the insurance amount applied for is not a large sum, the registrar requests the necessary health information during the insurance application phase, as a rule, from the registrant himself.

In addition, the registrar has stated in its report on 16 September 2021 that, in accordance with its current operating model, the registrar requests the health status information of the registered person after the death of the registered person (i.e. the insurance event of the life insurance) from the health center of the place of residence in specified situations.

The registrar has said that in other situations, the information needed to make an insurance solution is requested directly from the registered person. Despite this, however, the registrar has stated that it is necessary for the life insurance business that the registrar has, if necessary, the opportunity to request health status information directly from healthcare units in all situations other than those that are currently adopted as the main rule in the registrar's business. With the consent given in connection with the health examination, the controller reserves for himself the opportunity to ask the health care units for the individualized health status information needed to make an insurance solution in the selection of liability. In practice, however, the data controller uses this consent given by the data subject very narrowly only in the situations described above, related to large-sum insurances and the occurrence of an insurance event.

The controller considers that its general practice of using consent only in limited situations implements the principle of minimization in Article 5 of the General Data Protection Regulation and supports the data subjects' right to privacy.

Information requested by the controller

The registrant was asked to clarify which information it requests for use in requests for information about the registrant sent to health care units related to insurance contracts. In addition, the data controller was asked to explain how the data controller ensures that it does not process information that is unnecessary for each customer's purpose. The registrar was also asked to tell how it works if the registrar has been provided with information that is not relevant for the execution of the insurance contract.

The data controller states that the scope of the processing carried out by it must be limited to what is necessary in terms of establishing the company's liability, but the data controller has the actual right of processing based on section 6, subsection 1, point 1 of the Data Protection Act, during the application phase of the insurance, while it is in force and after the insured event has occurred. If necessary, the registry keeper must be able to verify the correctness of the health information provided by the registered person. For this reason, the registrar considers it legal and appropriate to request consent to obtain health information from each insured.

The registrar has said that additional information will be requested from the registered person after completing the health report, if additional information related to the health status of the registered person is required to make an insurance solution. In this case, the requested additional information is defined in accordance with the liability selection guidelines for the type of insurance being applied for. On the other hand, the controller has also stated in this context that, in general, the additional clarification requests it directs to the registered or health care unit are always individualized regarding a specific illness, injury or symptom. […]

When it comes to large-sum insurance offered by the registrar, the registrar will, if necessary, request additional information from the registrant himself regarding the possible illness, symptom, defect or injury reported in the health report, copies of treatment reports from reception visits and statements about the results of examinations. The requested information includes records of the data subject's treatment contacts, which are requested from the data subject, for example, as printouts from the Kanta service.

When the registrant in large-sum insurances has been referred to a doctor's examinations at the expense of the registrar, the registrar requests a medical report from the health care unit regarding the registrant's state of health, as well as certain results of laboratory tests and an EKG curve. In these situations, the data controller agrees with the data subject, if necessary, whether the data subject will provide the individual health data affecting the issuance of the insurance to the data controller himself or whether the data controller will request this information from the healthcare unit.

[…]. The registrar verifies that, when concluding the insurance contract, the registered person has provided correct and complete information to the questions asked in the health examination, which may be relevant in terms of assessing the insurer's liability.

The registrar states that, in order to clarify its responsibility, it has the right to ensure that the insured has acted in the manner required by the regulation on the obligation to provide information in the Insurance Contracts Act when applying for insurance. In this regard, the controller refers to Sections 22, 24 and 35 of the Insurance Contracts Act. According to the registrar's view, the exercise of its rights is central to ensuring the general price level of life insurance and uniform treatment of the insured. The registrar states that in this way it is able, among other things, to intervene in situations where the insured would not have had the right to receive life insurance based on correct and complete information. […]

The controller says that if the registered person or the healthcare operation unit provides the controller with more information than requested, only the information relevant to the selection of responsibility will be taken into account in the choice of responsibility. However, even the information that is irrelevant for the selection of liability is stored together with the requested information that is relevant for the selection of liability as part of the documentation related to the insurance contract.

According to the registrar, the documents submitted by the registered person are not deleted as a matter of principle, because according to the registered person's opinion, it was necessary information to evaluate the matter. Information that is not necessary for the selection of responsibility is not used in decision-making, but documents submitted by the data subject are not deleted, unless the data subject specifically requests it. Self-initiated deletion of the data submitted by the data subject would, in the opinion of the data controller, endanger the legal protection and status of the data subject if he could not later refer to the documents he submitted.

The data protection officer's decision and reasons

Decision

Based on the reasons presented in more detail below, the data protection commissioner considers that the data controller cannot process the health data of the applicant for voluntary insurance or the health data of the person for whose death, illness or injury voluntary insurance is being applied for, based on the provisions of section 6, subsection 1, point 1 of the Data Protection Act. For this reason, the data controller cannot also request the health status information of these persons from the health care unit during the insurance application phase, pursuant to the provisions of Section 6, Subsection 1, Clause 1 of the Data Protection Act.

Based on the more detailed assessment presented below, the processing of the special personal data groups of the voluntary insurance applicant by the controller does not comply with Article 9 of the General Data Protection Regulation. For this reason, the Data Protection Commissioner orders the data controller, pursuant to Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation, to bring the processing operations in line with the provisions of Article 9 of the General Data Protection Regulation, when the data controller processes the health data of the applicant for voluntary insurance or the health data of the person for whom voluntary insurance is being applied for in the event of death, illness or injury.

The Data Protection Commissioner leaves it to the discretion of the data controller to determine the more precise appropriate measures, but orders the data controller to submit to the Data Protection Commissioner's office by July 29, 2022, an explanation of what measures it has taken as a result of the decision, unless it applies for an amendment to this decision.

On applicable legislation

The General Data Protection Regulation of the European Parliament and the Council is immediately applicable law in the member states. The General Data Protection Regulation contains national leeway, on the basis of which national legislation can be used to supplement and specify matters specifically defined in the regulation. The general data protection regulation is specified in the national data protection law.

In principle, pursuant to Article 9, Paragraph 1 of the General Data Protection Regulation, the processing of health-related information is prohibited. However, processing is permitted if one of the processing conditions according to Article 6 of the General Data Protection Regulation is met and if, in addition, one of the special processing grounds mentioned in Article 9 is also met.

In accordance with Section 6, Subsection 1, Point 1 of the Data Protection Act, Article 9, Paragraph 1 of the Data Protection Regulation does not apply to information obtained in the course of insurance operations handled by the insurance institution regarding the health, illness, or disability of the insured and the claimant, or any treatment measures directed at them or comparable actions that are necessary to determine the insurance institution's liability.

According to § 1, the Insurance Contracts Act applies to insurance other than statutory insurance. In accordance with Section 2, Subsection 1, Clause 4 of the Insurance Contracts Act, the policyholder means the person who has entered into an insurance contract with the insurer, and in accordance with Clause 5, the insured means the person who is the subject of personal insurance.

Reasoning

In the case under consideration, the issue is voluntary insurance. The Insurance Contracts Act sets a general framework for contracts, but the scope of insurance coverage and many details of the conditions are specific to the insurance company.

Before concluding the insurance contract, the registrar maps the health status of the insurance applicant in the selection of liability, as a rule, based on the information provided in the insurance applicant's medical examination. If the insurance amount of the applied for life insurance is large, the registrar directs the registered doctor to examinations and requests the data on the health status of the registered person obtained from these doctor's examinations. The registrar has stated that it is, however, possible to request health information from the health care unit also when applying for other insurance amounts. […]. In addition, the controller may request healthcare records concerning the registrant from the registrant himself as printouts from the Kanta service. The registrar considers that the processing of personal data regarding the health status of the insurance applicant in the insurance company is permitted under the provisions of section 6 subsection 1 point 1 of the Data Protection Act.

According to Section 6, Subsection 1, Clause 1 of the Data Protection Act, Article 9, Section 1 of the Data Protection Regulation does not apply to information obtained in the course of insurance operations processed by the insurance institution about the insured's and claimant's state of health, illness, or disability, or information about the treatment measures directed at him or comparable actions that are necessary to determine the insurance institution's liability. The provision in question has been issued pursuant to the national margin of maneuver of the General Data Protection Regulation and is based on Article 9, paragraph 2, subparagraph g of the General Data Protection Regulation. The drafts of the Data Protection Act state that the detailed regulation of insurance institutions, together with the requirement of a license for insurance operations and the right of processing limited to ascertaining liability, can be considered to constitute appropriate and special measures to protect the basic rights and interests of the data subject.

According to § 11 of the Personal Data Act, which was in force before the Data Protection Act was enacted, the processing of sensitive personal data is prohibited, and sensitive data was considered to be, for example, personal data that describes a person's state of health, illness or disability, or treatment measures directed at him or measures comparable to them. However, according to Section 12 of the Personal Data Act, this did not prevent the insurance institution from processing information obtained in the insurance business about the insured's and claimant's state of health, illness or disability, or about treatment measures or comparable measures aimed at them. The regulation of the currently valid Data Protection Act thus corresponds to the regulation of the previously valid Personal Data Act.

According to Section 2, Subsection 1, Clause 4 of the Insurance Contracts Act, the policyholder means the person who has entered into an insurance contract with the insurer. According to Section 2, Subsection 1, Clause 5 of the Insurance Contracts Act, insured means the person who is the subject of personal insurance. According to the provisions of the Insurance Contracts Act, the insured of life insurance is a person whose death or survival insurance has been taken out. The insured of accident insurance is a person whose insurance has been taken out in case of accidental injury or death.

The Data Protection Commissioner draws attention to the fact that the regulation according to section 6, subsection 1, point 1 of the Data Protection Act is limited only to the processing of information about the health, illness or disability of the insured and the claimant. During the insurance application phase, the insurance contract has not yet been concluded.

Information requested from the health care unit

Personal data must be processed in accordance with the law, appropriately and transparently from the point of view of the data subject (data protection regulation, Article 5, paragraph 1, subparagraph a). Fairness is a general principle regarding the processing of personal data, which requires, among other things, that personal data is not processed in an unexpected or misleading way for the data subject. Registrants must be guaranteed the greatest possible right to self-determination in determining the use of their own personal data. The most important purpose of data protection legislation is that registered users retain control over their own personal data. Therefore, when processing data, the kind of processing that meets the expectations of the registered users should be taken into account.

The health care information requested by the registrar concerns the registered health information collected during the care relationship, where the starting point has been the confidentiality of the care relationship between the registered person and the health care unit. In accordance with Section 12 of the Patient Act, the healthcare professional must enter in the patient records the information necessary to secure the organization, planning, implementation and monitoring of the patient's care. According to the Data Protection Commissioner, the information collected during the care relationship is not necessarily limited to health-related information only. The information may reveal, for example, information about ethnic origin, religious beliefs, or sexual behavior and orientation. During the treatment relationship, the data subject has disclosed the information in order to receive the treatment required for his health condition. The data may be particularly sensitive, and their processing may, depending on the context, pose significant risks to the protection of the data subjects' private lives and possibly other fundamental rights and freedoms.

The obligation of the health care and medical care provider to keep patient documents confidential has been stipulated in several contexts. In Section 13 of the Patient Act, the starting point is that the information contained in patient documents is confidential. According to section 13, subsection 2 of the Patient Act, a healthcare professional may not, without the patient's written consent, provide information contained in patient documents to a third party. According to section 13, subsection 3 of the Patients' Act, disclosure of information is permitted in addition to the patient's consent only in limited situations, such as the necessity of the patient's examination and treatment or based on a specific provision of the law. The processing of patient documents is therefore associated with a strong need to respect and protect the patient's privacy.

For the reasons stated above, the data protection commissioner considers that the provision of Section 6, subsection 1, point 1 of the Data Protection Act regarding the processing of health data of the insured and the claimant in the insurance business cannot be extended to the registered person who is an insurance applicant during the insurance application phase. Registrants must be able to rely on the verbatim regulation of the Data Protection Act when applying for insurance. The processing of health data belonging to special personal data groups contrary to the wording regulation is not in accordance with the reasonable expectations of the registered. Due to the need for strong privacy protection related to patient documents, it is also not possible for the data to be processed contrary to the literal regulation.

Therefore, the Data Protection Commissioner considers that it is not possible to apply the provisions of Section 6, Subsection 1, Clause 1 of the Data Protection Act to the processing of the health information of the insurance applicant and the request for health information from the health care unit.

Consent as a basis for processing special personal data groups

Although the Data Protection Commissioner leaves to the discretion of the data controller the determination of more precise appropriate measures due to the order given to the data controller, the Data Protection Commissioner would like to point out in this context that, according to the Data Protection Commissioner's view, it would be possible for the data controller to process the health information of insurance applicants before concluding an insurance contract based on consent. The Data Protection Commissioner explains his view in more detail below.

Pursuant to Article 9, paragraph 2, subparagraph a of the General Data Protection Regulation, the prohibition on the processing of special groups of personal data does not apply if the data subject has given his express consent to the processing of the personal data in question for one or more specific purposes. In accordance with Article 4, paragraph 11 of the General Data Protection Regulation, the data subject's "consent" means any voluntary, individualized, informed and unambiguous expression of will by which the data subject accepts the processing of his personal data by giving a statement expressing consent or by taking an action clearly expressing consent.

Article 7 of the General Data Protection Regulation lays down the conditions for consent. Under Article 7, paragraph 4, when assessing whether consent is freely given, utmost account must be taken of whether, among other things, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

The European Data Protection Board has issued Guidelines 05/2020 on consent under the General Data Protection Regulation. The guidelines note that Article 9, paragraph 2 of the General Data Protection Regulation, which lays down specific exceptions to the general prohibition on processing special categories of personal data, does not recognize the necessity for the performance of a contract as such an exception. Controllers should therefore examine whether one of the specific exceptions in Article 9, paragraph 2, subparagraphs b to j could apply to the situation. If none of the exceptions in subparagraphs b to j applies, obtaining explicit consent that meets the conditions for valid consent laid down in the General Data Protection Regulation is the only possible lawful exception on the basis of which the controller could process data belonging to the special categories of personal data.

As an example, the guidelines refer to a situation where a customer books a flight and, in this context, asks the airline for assistance in boarding the plane. The airline then asks the customer to provide information about their state of health so that it can identify what kind of help the customer needs and arrange appropriate services. In this context, the airline requests explicit consent to the processing of the customer's health data for the purpose of arranging assistance. The European Data Protection Board has stated with regard to this example that, since the information is necessary to perform the requested service, Article 7, paragraph 4 of the General Data Protection Regulation does not apply.

On the other hand, the Data Protection Commissioner also draws the controller's attention to the fact that, under Article 7, paragraph 4 and recital 43 of the General Data Protection Regulation, it is not acceptable to require, in connection with the performance of a contract, that the data subject consent to the processing of personal data that is not necessary for the performance of that contract. Consent given in such a situation is not considered freely given. Below, in the guidance issued by the Data Protection Commissioner in connection with this decision, it is discussed what kind of processing of personal data for determining the insurance company's liability is in line with Article 5(1)(a) and (c) and Article 25(2) of the General Data Protection Regulation.

The Data Protection Commissioner also draws attention to the fact that, in accordance with Article 7, paragraph 3 of the General Data Protection Regulation, the data subject must have the right to withdraw his consent at any time. Withdrawal of consent does not affect the legality of processing carried out on the basis of consent prior to its withdrawal. Before giving consent, the data subject must be informed of this. Withdrawing consent must be as easy as giving it.

On the authorization requested by the controller

The Data Protection Commissioner also assesses the controller's current practice, in which the controller requests, in connection with the health declaration form, the data subject's authorization to request health data from health care units.

According to the information provided by the controller, it requests, in connection with all insurance applications, an authorization from the data subject to request information from the health care unit where concluding the insurance contract requires medical risk selection. The controller does so even though it does not request the insurance applicant's health information from the health care unit in every case. During the application phase, data subjects sign an authorization under which health care units may provide the controller with the personal data concerning the data subject's state of health that is necessary for processing the insurance application and a possible claim.

Recital 43 of the General Data Protection Regulation states that consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case. The guidelines of the European Data Protection Board state that, when obtained in full compliance with the General Data Protection Regulation, consent is a tool that gives data subjects control over whether or not their personal data is processed. According to the guidelines, the requirement that consent be "specific" aims to ensure a degree of user control and transparency for the data subject. Specific consent presupposes that the controller applies granularity in its consent requests. In each separate request for consent, the controller must explain exactly what data is processed for each purpose, so that the data subject understands the different options and their effects. According to the guidelines, obtaining valid informed consent requires that the data subject is informed about what data is collected and used.

In the Data Protection Commissioner's view, the authorization form currently used by the controller covers an undefined set of the data subject's health data stored in the patient registers of different health care units. With reference to the General Data Protection Regulation and the guidelines issued by the European Data Protection Board on the basis of it, the Data Protection Commissioner considers that the consent requested from the data subject is not sufficiently specific, and that the consent request does not reach the level of precision that would allow insurance applicants to control whether their personal data is processed and which data is processed for each purpose.

Therefore, the Data Protection Commissioner considers that the general authorization requested by the controller in connection with the health declaration, covering requests for information from different health care units for the processing of the insurance matter, is not sufficient to meet the requirement for processing special categories of personal data under Article 9, paragraph 2, subparagraph a of the General Data Protection Regulation.

In its report, the controller has stated that its main operating model when life insurance is applied for is to request a doctor's statement on the data subject and selected examination results. The controller has also stated that the requests for additional clarification it sends to a health care operating unit are always specified as regards a particular illness, injury or symptom. […]. For this reason, the Data Protection Commissioner has not considered it necessary to exercise the corrective powers under Article 58, paragraph 2 of the General Data Protection Regulation against the controller as regards the specification and limitation of requests to health care units.

Below, in connection with this decision, the Data Protection Commissioner gives the controller general guidance on situations in which the controller requests a data subject's health information from a health care unit and processes the information received in order to determine the insurance company's liability.

Applicable legal provisions

General Data Protection Regulation
Article 5(1)(a)
Article 7
Article 9

Data Protection Act
Section 6(1)(1)

Insurance Contracts Act
Section 1 and Section 2

Act on the Status and Rights of Patients
Section 12 and Section 13

Appeal

Under Section 25 of the Data Protection Act (1050/2018), this decision may be appealed to the Administrative Court as provided in the Act on Administrative Judicial Procedure (808/2019). The appeal is lodged with the Administrative Court.

Service

The decision is served in accordance with Section 60 of the Administrative Procedure Act (434/2003) by post against acknowledgment of receipt.

The decision has not yet acquired legal force.

Guidance of the Data Protection Commissioner on data minimization, fairness of processing, and data protection by design and by default

In its report of 9 October 2020, the controller stated in general terms that requests for additional clarification addressed to data subjects or health care operating units are always specified as regards a particular illness, injury or symptom. The controller also stated at that time that it does not, for example, ask for all patient documents from a period of five years to be delivered.

In its report of 18 January 2021, the controller stated that its main operating model during the life insurance application phase is to direct the data subject to medical examinations when a large sum is insured. In that case, the controller requests from the health care unit a doctor's statement on the data subject's state of health, together with certain laboratory test results and an ECG trace.

In addition, the controller stated in its report of 16 September 2021 that it is necessary for the life insurance business that the controller be able to request health status information directly from health care units in situations other than those currently adopted as the main rule in its business. According to the controller, the consent given through the health declaration reserves it the possibility, in those other situations as well, to ask the health care unit directly for the specified health information needed to reach an insurance decision. In this respect, the controller stated that this consent is used very narrowly when concluding an insurance contract: only in so-called large-sum insurances, and only if it has been separately agreed with the customer that the controller receives the information directly from the health care unit.

In the following, the Data Protection Commissioner instructs the controller to take Article 5(1)(a) and (c) and Article 25(2) of the General Data Protection Regulation into account in its processing activities when it requests a data subject's health information from a health care unit and processes the information received in order to determine the insurance company's liability.

According to recital 27 of the General Data Protection Regulation, the Regulation does not apply to the personal data of deceased persons. For this reason, the Data Protection Commissioner does not give the controller guidance on the processing of deceased persons' health data on the basis of the Regulation.

Under Article 5(1)(c) of the General Data Protection Regulation, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization"). The principle of data minimization is elaborated in recital 39 of the General Data Protection Regulation, according to which personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. The Data Protection Commissioner also draws attention to the European Data Protection Board's guidelines on data protection by design and by default, according to which key elements of the data minimization principle include, among others:

Avoiding processing – refrain from using personal data at all where this is possible for the purpose in question.

Limitation of processing – limit the amount of personal data collected to what is necessary for the purpose.

Relevance of the data processed – the personal data must be relevant to the purpose of the processing, and the controller must be able to demonstrate this relevance.

Necessity of the data processed – each category of personal data must be necessary for the specified purposes and may be processed only if the purpose cannot be fulfilled by other means.

Under Article 25, paragraph 2 of the General Data Protection Regulation, the controller is obliged to implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, the storage period and accessibility.

In this respect, the Data Protection Commissioner draws attention to the fact that processing patient documents requested from health care units involves a strong need to respect and protect the patient's privacy. The starting point for processing patient documents is that the data subject can expect, and has been able to expect during the treatment relationship, that health data will be processed with respect for his or her privacy. The data subject may have dealt with the health care unit for many different reasons, and not all information collected about the data subject by the health care unit is necessarily relevant to assessing the insurance company's liability when insurance is applied for or when the conditions for paying insurance compensation are assessed.

Under Article 5, paragraph 1, subparagraph a of the General Data Protection Regulation, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency"). Fairness of processing is a general principle which requires, among other things, that personal data must not be processed in a way that is unreasonably detrimental to the data subject, and that the processing must meet the data subject's reasonable expectations.

On 8 June 2022, the Data Protection Commissioner issued decisions 3217/452/17 and 7285/183/18, in which the Data Protection Commissioner held that, on the basis of the provisions of the Insurance Contracts Act and Article 5(1)(a) and (c) and Article 25(2) of the General Data Protection Regulation, the controller must in every case specify, in a request to a health care unit concerning a data subject's health status information, which relevant information and from which time period it requests. The Data Protection Commissioner stated in those decisions that the insurance company must tie the information requested in such a request to a specific matter, incident, illness or symptom that is of material importance in assessing the controller's liability. The insurance company must also assess the period for which requesting the data subject's health status information from the health care unit is necessary in order to determine the controller's liability and, on that basis, limit the period for which the data subject's health status information is requested from the health care unit.

The Office of the Data Protection Commissioner monitors the controller's activities on the basis of contacts made to the Office.

This guidance of the Data Protection Commissioner cannot be appealed.