Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Finland: Sanctions Board of Ombudsman fines Motor Insurers' Centre €52,000 for violation of data minimisation principle

The Office of the Data Protection Ombudsman ('the Ombudsman') published, on 27 January 2022, the Ombudsman's and the Sanctions Board of the Ombudsman's ('the Board') decision in Decision No. 4431/161/21, as issued on 16 December 2021, in which the Board imposed a fine of €52,000 to the Finnish Motor Insurers' Centre, for violations of Articles 5(1)(a), 5(1)(c), and 25(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint from a data subject.

Background to the decision

In particular, the Ombudsman stated that it had received a complaint from a data subject on 20 March 2017, where the complainant had alleged that the Motor Insurers' Centre had obtained more information from the health service than had been necessary for the settlement of the claim. In addition, the Ombudsman noted that the Motor Insurers' Centre had considered that it could collect patient data extensively and request medical records from the health care system as such in order to settle claims. Furthermore, the Ombudsman noted that the Motor Insurers' Centre had also collected patients' visitation notes to determine whether the health service had billed for visits unrelated to the examination or treatment of injuries caused by the accident. Moreover, the Ombudsman stated that the Motor Insurers' Centre had also requested information in case the health service had failed to provide information relevant to the claim.

Findings of the Ombudsman

In particular, the Ombudsman stated that the practice of the Motor Insurers' Centre violated the principle of data minimisation pursuant to Article 5(1)(c) of the GDPR. In addition, the Ombudsman noted that the Motor Insurance Act (460/2016) does not justify direct access to all patient data, but that the requested information must be necessary for the resolution of the claim. Hence, the Ombudsman highlighted that as a general rule, an insurer cannot ask for all information concerning a client's treatment, instead, the requested information must be limited and identified on a case-by-case basis. Furthermore, the Ombudsman stated that the practice of the Motor Insurers' Centre also failed to meet the conditions of fairness of the processing of personal data as the claimant had a legitimate expectation that the insurance company will process only data that is necessary for the decision on compensation. Moreover, the Ombudsman noted that according to the Board, the behaviour of the Motor Insurers' Centre shows that it had not sufficiently familiarised itself with the requirements of data protection legislation. Lastly, the Ombudsman stated that the fact that sensitive health data was processed was one of the factors that justified the imposition of the fine.

Outcomes

In light of the above, the Board imposed the aforementioned fine of €52,000 to the Motor Insurers' Centre, and the Ombudsman issued a warning to the Motor Insurers' Centre for data protection violations and ordered to change its policy on requesting patient data to comply with data protection rules. Lastly, the Ombudsman noted that an appeal against the decision may be lodged in an administrative court.

You can read the press release here and the decision here, both only available in Finnish.

UPDATE (7 February 2022)

Ombudsman publishes English press release of Board's decision to fine Motor Insurers' Centre €52,000 for violation of data minimisation principle

The Ombudsman published, on 4 February 2022, an English press release of the Ombudsman's and the Board's decision where, among other things, the Board fined Motor Insurers' Centre €52,000 for violation of the data minimisation principle.

You can read the press release here.