LähiTapiola Keskinäinen Henkivakuutusyhtiö – Violation Found (Finland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Finnish DPA found that LähiTapiola, a life insurance company, processed health data without a clear legal basis. The company claimed it needed this data to decide on insurance coverage. This case highlights the importance of having a valid reason for using personal data.
What happened
LähiTapiola processed health data from applicants without a clear legal basis.
Who was affected
Applicants for life insurance whose health data was processed by LähiTapiola.
What the authority found
The DPA found that LähiTapiola did not have a valid legal basis for processing health data, violating GDPR rules on data processing.
Why this matters
This case underscores the need for companies to ensure they have a valid legal basis for processing personal data, especially sensitive information like health data. It serves as a reminder for businesses to review their data processing practices to comply with GDPR.
GDPR Articles Cited
National Law Articles
The Finnish DPA had asked the controller (LähiTapiola Keskinäinen Henkivakuutusyhtiö, a life insurance company) to explain on which legal basis and for what purpose it processed data subjects' health data requested from the health care. The controller was also asked to explain how it processed personal data before the execution of an insurance contract, and how it ensured that it did not process unnecessary personal data. In response to the request, the controller clarified that it processed data subjects' health data for the performance of an insurance contract in accordance with Article 6(1)(b) GDPR. In addition, the processing was based on [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L2P6 Section 6(1)(1) of the Finnish Data Protection Act], according to which insurance institutions may, despite the general prohibition in Article 9(1) GDPR, process the health data of the insured party and the claimant, which is necessary to determine the liability of the insurance institution. The controller stated that it requested all data subjects applying for life insurance for their consent to that the controller may, if necessary, request health data from health care units in order to determine the scope of the insurance coverage and the amount of the insurance premium, as well as whether the insurance can be granted. The controller also stated that it only requested health data necessary for the execution of the insurance contract. The necessity of the health data depends on the insurance product and is generally requested for the five years preceding the insurance application. The controller emphasised that the health data received from data subjects or health care units is almost always relevant in terms of the insurance contract. On the basis of the information provided by the controller, the DPA emphasised that [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L2P6 Section 6(1)(1) of the Finnish Data Protection Act], which is based on Article 9(2)(g) GDPR
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for LähiTapiola Keskinäinen Henkivakuutusyhtiö in FI
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. LähiTapiola Keskinäinen Henkivakuutusyhtiö - Finland (2022). Retrieved from cookiefines.eu
Last updated: