Court case KHO:2025:86 – Court Ruling (Finland, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Finnish court ruled that an insurance company could not request health data from applicants during the insurance application process. This decision is significant because it clarifies the rules around processing sensitive health information. Companies in the insurance sector should ensure they only collect necessary data at the right time.
What happened
An insurance company was found to have improperly requested health information from applicants.
Who was affected
Individuals applying for insurance who were asked for their health data.
What the authority found
The court held that the insurance company violated GDPR by requesting health data from applicants who were not yet considered insured persons.
Why this matters
This ruling sets a clear boundary on when sensitive health information can be collected, urging insurance companies to review their data collection practices.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The DPA started an ex-officio investigation into the practices of an insurance company regarding the processing of health data in connection with applications for voluntary personal insurance. During the insurance application process, the controller requested health information from healthcare providers concerning individuals applying for insurance, or individuals for whose death, illness, or injury insurance was being sought. The processing was based on Section 6(1)(1) of the Finnish Data Protection Act, which provides a national derogation from the prohibition on processing special categories of personal data for insurance activities.
In a decision issued on 8 June 2022, the DPA found that this derogation did not apply at the application stage, as applicants could not be considered “insured persons” within the meaning of Section 6(1)(1). On that basis, the DPA concluded that the processing of health data violated Article 9 GDPR and ordered the controller to bring its processing operations into compliance and to cease requesting health data during the application phase.
The insurance company appealed. The first instance Court upheld the DPA’s substantive assessment, reasoning that neither the wording of the Data Protection Act nor its preparatory materials supported extending the concept of “insured person” to applicants prior to the conclusion of an insurance contract.
The controller then appealed this decision, arguing that the insurance derogation must also cover the application stage, given the structure and purpose of insurance law and the obligation of insured persons to disclose relevant health information before insurance is provided. The court upheld the appeal, overturning both the DPA and the first instance court’s decisions. The Court held that the concept of “insured person” in Section 6(1)(1) of the Data Protection Act must be interpreted in light of national insurance legislation, in particular the Insurance Contracts Act. Although the Data Protect
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. Court case KHO:2025:86 - Finland (2025). Retrieved from cookiefines.eu