A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 17 May 2016
In a recent decision (under number 11/2016), the Hellenic Data Protection Authority (the "HDPA") authorised the sharing by an insurance company (insurer A) of sensitive data (in this case health data) of its insured under an existing life-long life and health insurance contract (as of 2002), to another insurance company (insurer B) that concluded a life insurance contract with the same insured (as of 2012), for the purposes of judicial use thereof by insurer B.
The request of insurer B referred specifically to the receipt of health-related information maintained in the files of insurer A regarding the insured, such as copies of any decisions / opinions of health committees of any social security body as well as any other information regarding the insured’s diseases or disability and the granting of pension, as to the period prior to the conclusion of the life insurance contract with insurer B. Insurer B proposed to use the requested information for establishing an allegation regarding the lack of causal link between a road traffic accident and the insured’s allegedly sustained health damage there-under (i.e. severe spinal cord injuries), for which the insured was seeking compensation in the form of insurance indemnity through a writ filed against insurer B.
In addressing such request, the HDPA took into account various laws, including (a) the provisions of the law 2472/1997 (Greek Data Protection Act) on the terms and conditions for a lawful processing of sensitive data (i.e. health data) and the need for prior notification of data subjects by data controllers regarding the disclosure of their data to third parties; (b) the provisions of Medical Ethics Code on the granting of medical certificates, by way of exception, to third parties (subject to the establishment of a legitimate interest by the latter), and the conditions for the lifting of medical confidentiality; and (c) the provisions of the law 2496/1997 (Greek Insurance Contract Act) on insurance contract definition, the insurance applicant’s pre-contractual information duty to inform the insurer of any element or incident that may be objectively material for the assessment of the risk to be insured and the default rule that a health insurance contract does not, in principle, cover diseases / health injuries attributed to pre-existing conditions.
Upon consideration of said facts and laws, the HDPA came to the following conclusions:
(a) insurer B asking for the disclosure of sensitive data (i.e. health data) relating to the insured contained in the files of insurer A bore the capacity of a third party;
(b) the processing purpose, to which such request related, was actually the defence by insurer B against the insured’s writ;
(c) said processing purpose was compatible with relevant provisions of the Greek Data Protection Act, especially Art. 7 par. 2 elem. c thereof, pursuant to which the processing of sensitive data and the formation and operation of a relevant file is, by way of exception, allowed, upon license by the HDPA, that is granted, among others, where the processing refers to data that is necessary for the acknowledgement, exercise and defence of rights before a court or a disciplinary body;
(d) the principle of proportionality was fulfilled in the relevant context, since the requested information was, in principle, appropriate for the purpose of judicial use thereof, in the form of establishment by insurer B of an allegation that the serious spinal cord injuries, which had been allegedly sustained by the insured in the road traffic accident and for which the insured was seeking insurance indemnity from insurer B, were actually caused through a pre-existing health problem that the insured had not communicated to the insurer B at the time of conclusion of the life insurance contract, giving rise to a coverage denial; and
(e) insurer A in its capacity as data controller bore an obligation to notify the insured of the disclosure of their sensitive data to insurer B.
The HDPA's decision reflects the benchmarks upon which the HDPA assesses requests relating to disclosure of sensitive data to third parties for the purpose of judicial use thereof. The benchmarks set out by the HDPA should be considered in the event that organisations operating in Greece receive a request from a third party for disclosure of insureds’ sensitive data, for the purposes of judicial use.
Submitted by Alkistis Christofilou, Partner and Maria Demirakou, Senior Associate at Rokas Law Firm – Athens, Greece
Return to main page >>>
Lisa Broderick, Rowena McCormack, Julie-Anne Binchy, Charlotte Burke, Simon Halpin, David Freeman
Rhiannon Webster, Jade Kowalski
Khurram Shamsee, Hans Allnutt, Eleanor Ludlam
Jade Kowalski, Rhiannon Webster, Ceri Fuller, Khurram Shamsee, Sophie Devlin, Christopher Air
Jade Kowalski, Rhiannon Webster
Rhiannon Webster, Charlie Christie
Michael McMillen, Rhiannon Webster
Ceri Fuller, Khurram Shamsee, Jade Kowalski, Sophie Devlin, Christopher Air
Hans Allnutt, Patrick Hill, Laura Stewart
Hans Allnutt, Camilla Elliot
Hans Allnutt, Patrick Hill
Hans Allnutt, Rhiannon Webster, Patrick Hill