LähiTapiola Keskinäinen Henkivakuutusyhtiö – Court Ruling (Finland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
LähiTapiola Keskinäinen Henkivakuutusyhtiö, another life insurance company, also had its appeal rejected regarding the processing of health data from applicants. The court ruled that the company did not have a valid legal basis for this data collection. This case reinforces the need for companies to ensure they have proper legal grounds before collecting sensitive information.
What happened
The court ruled that LähiTapiola Keskinäinen Henkivakuutusyhtiö had no legal basis to process health data from life insurance applicants.
Who was affected
Life insurance applicants whose health data was requested by LähiTapiola Keskinäinen Henkivakuutusyhtiö.
What the authority found
The court determined that the company could not classify insurance applicants as 'insured parties', thus lacking a valid legal basis for processing their health data.
Why this matters
This ruling highlights the importance of understanding legal definitions in data processing. Insurance companies must ensure they have the right to collect sensitive data or risk facing legal challenges.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The controller (LähiTapiola Keskinäinen Henkivakuutusyhtiö, a life insurance company) had asked the Administrative Court of Helsinki (the Court) to overturn the Finnish DPA's decision, according to which the controller had no legal basis to process the health data of life insurance applicants and it processed the data unnecessarily. The controller filed the appeal claiming that it must be able to process health data, because the health status of the insured party and the risks associated with it are at the centre of the risk assessment related to the granting of the insurance. The controller considered that insurance applicants must also be considered insured parties in accordance with [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L2P6 Section 6(1)(1) of the Finnish Data Protection Act], according to which insurance institutions may, despite the general prohibition in Article 9(1) GDPR, process the health data of the insured party and the claimant, which is necessary to determine the liability of the insurance institution. The controller also stated that the order issued by the DPA, on the basis of which it should assess the time period for which it is necessary to request health data, is vague and unspecified. The controller considered that it must be able to process all health data in order to assess which precise information is ultimately relevant. The Court noted that neither the Finnish Data Protection Act nor its preparatory material have defined what is meant by the insured party in connection with the application of the Act. However, in the Court's view, the preparatory material of the Act does not support as an interpretation that the legislator intended to extend the concept of "insured party" to apply also to the applicant an insurance before the conclusion of an insurance contract. In this respect, the Court also stated that the "insured party" is defined in [https://www.finlex.fi/fi/laki/ajantasa/1994/19940543#L1P2 Section 2(1)(5) of the Finni
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (1)
Other cases involving LähiTapiola Keskinäinen Henkivakuutusyhtiö in FI
Details
About this data
Cite as: Cookie Fines. LähiTapiola Keskinäinen Henkivakuutusyhtiö - Finland (2024). Retrieved from cookiefines.eu
Last updated: