The classic problem in the insurance sector can be summed up as follows:
– In order to take out certain insurance policies, health data may be required.
– However, the processing of health data is prohibited (article 9.1 of the GDPR), unless an exception applies (article 9.2 of the GDPR).
– Neither article 9.2 of the GDPR, nor Belgian law, provides that the need to perform a contract may constitute such exception to the prohibition principle.
– Insurance companies must therefore invoke another exception provided for in Article 9.2 of the GDPR. Generally they tend to rely on the one based on the consent of the data subject.
– However, this exception is not suited to the situation, since the insured is obliged to give his or her consent in order to benefit from the insurance. Consent therefore does not meet the applicable legal criteria (it is not freely given).
In a recent decision [1], dealing with a complaint from a prospective policyholder, the Belgian DPA’s Litigation Division found that there was no valid legal basis for the health data processing, but that the insurance company was not responsible for it.
It pointed out that “the legislator should intervene in this respect in order to provide a legal basis specific to the insurance sector that allows the collection of health data within well-defined limits in the context of the (pre-)contractual relationship between the insurer and the insured. By way of illustration, the Litigation Division refers to article 30.3.b. of the Dutch law implementing the General Data Protection Regulation, which provides for such a legal basis”.
The case was eventually dismissed.
[1] Decision 109/2024 of the Litigation Division of the Belgian Data Protection Authority, available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n0-109-2024.pdf
Picture: Health insurance by Nick Youngson (licence CC BY-SA 3.0 / Pix4free)