OP-Henkivakuutus Oy – Violation Found (Finland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
OP-Henkivakuutus Oy, a life insurance company, was found to have improperly handled health data without clear consent. The Finnish DPA emphasized that consent must be valid and specific, especially for sensitive data like health information. This case underscores the importance of obtaining clear consent for processing health data.
What happened
The Finnish DPA found that OP-Henkivakuutus Oy processed health data without clear consent.
Who was affected
Customers of OP-Henkivakuutus Oy who applied for life insurance and had their health data processed.
What the authority found
The DPA emphasized that the company must have clear and valid consent to process health data, especially for life insurance purposes.
Why this matters
This case highlights the need for companies to ensure they have explicit consent when handling sensitive data like health information. Insurance companies should review their consent practices to comply with data protection laws.
GDPR Articles Cited
National Law Articles
The Finnish DPA had asked the controller (OP-Henkivakuutus Oy, a life insurance company) to explain on which legal basis and for what purpose it processed data subjects' health data requested from health care. The controller was also asked to explain how it processed personal data before the execution of an insurance contract.
In response to the request, the controller clarified that the processing was based on [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L2P6 Section 6(1)(1) of the Finnish Data Protection Act], according to which insurance institutions may, despite the general prohibition in Article 9(1) GDPR, process health data of the insured party and the claimant that is necessary to determine the liability of the insurance institution. The controller considered that it had the right to process health data at all stages of the life insurance customer relationship: when applying for insurance, during the insurance period and after an insured event has occurred.
The controller also stated that it asked all data subjects applying for life insurance to consent to the controller requesting, if necessary, health data from health care units in order to process the insurance application and a possible compensation case, and to ensure the accuracy of the health data. The controller considered it necessary that the consent given by data subjects was valid for the entire duration of the insurance contract. The controller claimed that a situation where the data subject withdraws their consent or does not give it in the first place, but the controller must still issue life insurance and keep it valid, is impossible. In the controller's view, the data subject could have terminated the insurance at any time if they did not want the controller to receive their health data from health care.
On the basis of the information provided by the controller, the DPA emphasised that [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L2P6 Section
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for OP-Henkivakuutus Oy in FI
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. OP-Henkivakuutus Oy - Finland (2022). Retrieved from cookiefines.eu