Insurance company – Court Ruling (Belgium, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Belgian court upheld a decision against an insurance company for using customer health data without clear consent. This case highlights the importance of transparency in privacy policies and having a valid reason for using personal data. The ruling shows that companies must clearly communicate how they use customer data.
What happened
An insurance company used a customer's health data without clear consent and failed to justify its actions.
Who was affected
The affected party was a customer of the insurance company whose health data was used.
What the authority found
The court upheld that the insurance company lacked transparency and a legitimate basis for processing health data, violating GDPR rules.
Why this matters
This ruling underscores the need for companies to be transparent about data use and to ensure they have a valid legal basis. It serves as a reminder that privacy policies must be clear and comprehensive.
GDPR Articles Cited
This decision is an appeal of decision 24/2020, where a customer (the data subject) of an insureance company (the controller) claimed that its health data was used for a purpose to which he did not explicitly agree by the controller. The DPA upheld the complaint and stated that there was a lack of transparancy in the controller's privacy policy as it did not demontrate any legitimate interest. Therefore the controller violated Article 5(1)(a) and (2), Article 6(1), Article 12(1), Article 13(1)(b) and (c) GDPR. The DPA imposed a fine of €50.000. The controller appealed the decision of the DPA at the Court of Appeal of Brussels and raised the following pleas: # The decision was void because of a lack of reasoning regarding the legal basis for #* the processing of personal data with regard to the purposes set out in Article 4.3 of its Privacy Statement, and #* the transfers to third parties set out in Article 6 of its Privacy Statement. # It should have been able to rely on its legitimate interests for the processing of personal data for certain purposes and for transfers to third parties. # When it could not rely on its legitimate interests, it should have been able to rely on legal grounds other than the consent. # The decision violates its freedom of enterprise. # The fine was disproportionate. In response the DPA requested the Court to declare the appeal unfounded, as: # the contested decision was properly reasoned in law and in fact. It was based the information available, in view of the active duty of responsibility of the controller. The balancing of interests provided by te controller did not change this. (regarding the controllers's 1st to 4th plea) # the decision did not unlawfully restrict the controller's ability to stop the violations found. The fact that the GBA, based on the information at its disposal, presumed that it was possible to use consent as a legal basis does not affect the lawfulness of the decision. (regarding the controller's 2th and 3th p
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Insurance company in BE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Insurance company - Belgium (2020). Retrieved from cookiefines.eu
Last updated: