OP-Henkivakuutus Oy – Court Ruling (Finland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
OP-Henkivakuutus Oy, a life insurance company, lost its appeal to process health data from insurance applicants. The court decided that the company did not have a legal reason to collect this sensitive information. This ruling highlights the importance of having clear legal grounds for processing personal health data.
What happened
The court ruled that OP-Henkivakuutus Oy had no legal basis to process health data from life insurance applicants.
Who was affected
Life insurance applicants whose health data was sought by OP-Henkivakuutus Oy.
What the authority found
The court found that the company could not interpret insurance applicants as 'insured parties' under Finnish law, thus lacking a valid legal basis for processing their health data.
Why this matters
This decision emphasizes that companies must clearly understand the legal definitions and requirements for processing sensitive data. It serves as a reminder for insurance providers to review their data collection practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The controller (OP-Henkivakuutus Oy, a life insurance company) had asked the Administrative Court of Helsinki (the Court) to overturn the Finnish DPA's decision, according to which the controller had no legal basis to process the health data of life insurance applicants. The controller filed the appeal claiming that it must be able to process the health data because the health status of the insured party and the risks associated with it are at the centre of the risk assessment related to the granting of the insurance. The controller also considered that insurance applicants must also be considered insured parties in accordance with [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L2P6 Section 6(1)(1) of the Finnish Data Protection Act], according to which insurance institutions may, despite the general prohibition in Article 9(1) GDPR, process the health data of the insured party and the claimant, which is necessary to assess the risks of the insurance institution. The Court noted that neither the Finnish Data Protection Act nor its preparatory material have defined what is meant by the insured party in connection with the application of the Act. However, in the Court's view, the preparatory material of the Finnish Data Protection Act does not support as an interpretation that the legislator intended to extend the concept of "insured party" to apply also to the applicant of an insurance before the conclusion of an insurance contract. In this respect, the Court also stated that the "insured party" is defined in [https://www.finlex.fi/fi/laki/ajantasa/1994/19940543#L1P2 Section 2(1)(5) of the Finnish Insurance Contracts Act], according to which the insured refers to the party that is currently subject to personal insurance or non-life insurance policy. Thus, the Court considered that this definition could be used as a starting point for interpretation also when applying [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L2P6 Section 6(1)(1) of the Finnish Da
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (1)
Other cases involving OP-Henkivakuutus Oy in FI
Details
About this data
Cite as: Cookie Fines. OP-Henkivakuutus Oy - Finland (2024). Retrieved from cookiefines.eu
Last updated: