The Finnish Motor Insurers' Centre – €52,000 Fine (Finland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Finnish Motor Insurers' Centre was fined for asking healthcare providers for more patient information than necessary to settle claims. The Finnish data protection authority found that the company overstepped its rights under the law. This case shows that businesses must only collect data that is truly needed for their operations.
What happened
The Finnish Motor Insurers' Centre requested excessive patient information from healthcare providers beyond what was necessary for settling claims.
Who was affected
Patients whose medical records were accessed by the Finnish Motor Insurers' Centre.
What the authority found
The Finnish authority ruled that the company violated data protection rules by requesting more patient information than necessary, breaching the principle of data minimization.
Why this matters
This decision emphasizes the importance of data minimization, reminding companies to only collect information that is essential for their specific purposes. It highlights the need for businesses to carefully assess their data collection practices.
GDPR Articles Cited
National Law Articles
The Finnish DPA was notified that the Finnish Motor Insurers' Centre (the controller) had requested unnecessary patient information from healthcare providers in order to settle claims. The DPA then asked the controller to explain how it processed patient information disclosed by healthcare providers for the purposes of settling claims.
In response to the request, the controller clarified that, according to Section 82 of the Finnish Motor Liability Insurance Act (https://www.finlex.fi/fi/laki/ajantasa/2016/20160460#L7P82), it has the right, notwithstanding the obligation of confidentiality or other restrictions on access to information, to obtain statements made by healthcare providers and other information concerning the patients' medical records, health status, ability to work, treatment and rehabilitation. The controller stated that it was impossible to process the claim without the claimants' medical records. The controller processed the patients' healthcare appointment data to determine whether the healthcare provider had charged for visits that were not related to the examination or treatment of injuries sustained in a traffic accident. The controller emphasised that it followed the principle of data minimisation and that the patients’ healthcare appointment data were not requested unnecessarily. The controller also noted that it had to request a large amount of information in case the healthcare providers had omitted information necessary for claims handling.
On the basis of the information provided by the controller, the DPA considered that Section 82 of the Finnish Motor Liability Insurance Act (https://www.finlex.fi/fi/laki/ajantasa/2016/20160460#L7P82) does not give the controller the right to directly access all patient records, but that the information requested must be necessary for the settlement of the claim. As a general rule, insurance companies may not request all information about customers' healthcare appointments, but this information must b
Cite as: Cookie Fines. The Finnish Motor Insurers' Centre - Finland (2021). Retrieved from cookiefines.eu