Motor insurance center: Non-compliance with general data processing principles

The Finnish DPA has fined a motor insurance center EUR 52,000. The controller had excessively requested patient data from within the healthcare system for the purpose of processing claims. However, much of the data was not necessary to process the claims. For example, the DPA found that the motor vehicle insurance center had also collected patient visit notes to determine whether the health care provider had billed for visits that were not related to the examination or treatment of injuries caused by the accident. The DPA notes that the Finnish Motor Insurance Act does not justify direct access to all patient data, but that the information requested must be necessary for the processing of the claim. For this reason, the authority recognized a violation of the principles of legality and transparency as well as data minimization in practice.

GDPR Articles: Art. 5 (1) a), c) GDPR, Art. 25 (2) GDPR
Industry: Finance, Insurance and Consulting