Court case 391/2024 – Court Ruling (Finland, 2025)

The controller is an insurance company offering voluntary personal insurance. In the context of processing insurance applications, the controller requested and processed health data obtained from healthcare providers in order to assess insurability and determine potential liability. The Data Protection Ombudsman investigated the controller’s practices and concluded that the processing of health data at the application stage violated Article 9 GDPR. According to the Ombudsman, the national exception under Section 6(1)(1) of the Finnish Data Protection Act, which allows insurance companies to process health data, could only apply once an insurance contract had been concluded. On that basis, the Ombudsman ordered the controller to bring its processing into compliance with Article 9 GDPR. The Helsinki Administrative Court upheld the Ombudsman’s decision, finding that the concept of “insured person” under national law did not extend to insurance applicants prior to the conclusion of a contract. The controller appealed to the Supreme Administrative Court. The court overturned the decisions of both the Administrative Court and the Data Protection Ombudsman. The Court held that the concept of “insured person” in Section 6(1)(1) of the Finnish Data Protection Act must be interpreted to include the person who is the object of voluntary personal insurance, irrespective of whether the insurance contract has already been concluded or is still being applied for. This interpretation was supported by the structure and purpose of national insurance law, which requires the assessment of risk and liability already at the application stage. The Court found that processing health data during the insurance application phase is an inherent and necessary part of insurance activity and falls within the national exception permitted under Article 9(2)(g) GDPR. Interpreting the exception more narrowly would exclude a core element of insurance practice without support in the legislative histo