The Finnish DPA fines Motor Insurers’ Centre for the Collection of Unnecessary Patient Information

The Finnish Office of the Data Protection Ombudsman (“DPA”) has imposed an administrative fine on the Finnish Motor Insurers’ Centre for the collection of unnecessary patient information with the decision dated 16 December 2021.

The DPA has investigated the Finnish Motor Insurers’ Centre’s (“Controller”) practices in requesting patient records from health care providers for claims handling purposes.

  • The controller has taken the view that it has the right to collect extensive patient information and request unredacted patient records from health care providers in order to settle claims.
  • The controller has collected information on the patients’ health care appointments to determine whether the health care provider has charged for visits not related to the examination or treatment of injuries sustained in the traffic accident.
  • Information has been requested in case the health care provider would have omitted information essential for claims handling.
  • The controller has systematically requested the full patient records of claimants instead of limiting their requests to the information necessary for claims handling.

This practice has violated the GDPR. The DPA notes that the Traffic Insurance Act does not give direct access to all patient records. Rather, the information requested must be necessary for the settlement of the claim.

The DPA also finds that information on an individual's state of health should primarily be disclosed to insurance companies in the form of a statement, as recommended by the Finnish Medical Association.

The DPA;

  • Imposed an administrative fine of 52,000 Euros on the Finnish Motor Insurers’ Centre.
  • Reprimanded for data protection violations and ordered it to bring its practices for requesting patient information into compliance with data protection regulations.

You can reach further information here.

Kind regards,

Zumbul Attorneys at Law

info@zumbul.av.tr