STICHTING ALBERT SCHWEITZER Hospital – Court Ruling (Netherlands, 2020)

In the context of a claim for damages after a surgery at the hospital, the patient refused to sign a document drafted by the insurer of the hospital according to which (s)he would agree to the communication of his/her personal data. The insurance company argued that such communication was necessary for the analysis of the liability of the hospital before any litigation. The Court had to assess whether there was a legal ground under the GDPR to make the communication of the medical data to the insurance company of the hospital compliant with Article 9 GDPR. The court considered that the exception under article 9.2 (f) GDPR could not justify the communication of medical data to the insurer. Indeed, the insurance company did not need the data for ‘the establishment, exercise or defense of a legal claim’ since both parties were only at the negotiation stage. The fact that the hospital chose its insurer as a third party to assess the liability of the hospital cannot also be a ground for such communication. Nor can article 6 ECHR apply to this situation since this article refers to the judicial procedure and does not provide any guarantees for the extrajudicial process.