Date of final decision: 16 December 2021
Cross-border case or national case: National case
Controller: Finnish Motor Insurers’ Centre
Legal Reference: Lawfulness, fairness and transparency (Art. 5(1)(a)), data minimisation (Art. 5(1)(c)), data protection by design and by default (Art. 25(2))
Decision: Administrative fine, reprimand and order to comply
Key words: Data minimisation, patient data
Summary of the Decision
Origin of the case
The Office of the Data Protection Ombudsman has investigated the Finnish Motor Insurers’ Centre’s practices in requesting patient records from health care providers for claims handling purposes.
The controller has taken the view that it has the right to collect extensive patient information and request unredacted patient records from health care providers in order to settle claims. The controller has also collected information on the patients’ health care appointments to determine whether the health care provider has charged for visits not related to the examination or treatment of injuries sustained in the traffic accident. Information has also been requested in case the health care provider had omitted information essential for claims handling.
The controller has systematically requested the full patient records of claimants instead of limiting their requests to the information necessary for claims handling. This practice has violated the GDPR.
The Data Protection Ombudsman notes that the Traffic Insurance Act does not give direct access to all patient records. Rather, the information requested must be necessary for the settlement of the claim.
The Data Protection Ombudsman also finds that information on an individual's state of health should primarily be disclosed to insurance companies in the form of a statement, as recommended by the Finnish Medical Association.
The Sanctions Board of the Office of the Data Protection Ombudsman imposed an administrative fine of 52,000 euros on the Finnish Motor Insurers’ Centre.
The Data Protection Ombudsman reprimanded the Finnish Motor Insurers’ Centre for data protection violations and ordered it to bring its practices for requesting patient information into compliance with data protection regulations.
The decision is not final, as the Finnish Motor Insurers’ Centre has appealed it to the administrative court.
For further information:
- Administrative fine imposed on the Finnish Motor Insurers’ Centre for the collection of unnecessary patient information (27 January 2022)
- Decision of the Data Protection Ombudsman and the sanctions board in Finlex (in Finnish)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.