KHO – 391/2024

4 February 2026



{{COURTdecisionBOX

|Jurisdiction=Finland
|Court-BG-Color=
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=KHO
|Court_Original_Name=Korkein hallinto-oikeus
|Court_English_Name=Supreme Administrative Court
|Court_With_Country=KHO (Finland)

|Case_Number_Name=391/2024
|ECLI=ECLI:FI:KHO:2025:86

|Original_Source_Name_1=Finlex
|Original_Source_Link_1=https://www.finlex.fi/fi/oikeuskaytanto/korkein-hallinto-oikeus/ennakkopaatokset/2025/86?language=fin&highlightId=972199&highlightParams=%257B%2522type%2522%253A%2522EXTENDED%2522%252C%2522and%2522%253A%2522Yleinen+tietosuoja-asetus%2522%252C%2522or%2522%253A%2522%2522%252C%2522not%2522%253A%2522%2522%252C%2522exact%2522%253A%2522%2522%257D
|Original_Source_Language_1=Finnish
|Original_Source_Language__Code_1=FI
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Date_Decided=29.12.2025
|Date_Published=
|Year=2025

|GDPR_Article_1=Article 9 GDPR
|GDPR_Article_Link_1=Article 9 GDPR
|GDPR_Article_2=Article 9(2)(g) GDPR
|GDPR_Article_Link_2=Article 9 GDPR#2g
|GDPR_Article_3=
|GDPR_Article_Link_3=
|GDPR_Article_4=
|GDPR_Article_Link_4=

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=

|Appeal_From_Body=
|Appeal_From_Case_Number_Name=
|Appeal_From_Status=
|Appeal_From_Link=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=

|Initial_Contributor=lde
|
}}

The Finnish Supreme Administrative Court held that an insurance company may process health data at the insurance application stage under national law. The Court found that the national insurance exception to [[Article 9 GDPR|Article 9 GDPR]] applies regardless of whether the insurance contract has already been concluded.

== English Summary ==

=== Facts ===
The controller is an insurance company offering voluntary personal insurance. In the context of processing insurance applications, the controller requested and processed health data obtained from healthcare providers in order to assess insurability and determine potential liability.

The Data Protection Ombudsman investigated the controller’s practices and concluded that the processing of health data at the application stage violated [[Article 9 GDPR|Article 9 GDPR]]. According to the Ombudsman, the national exception under Section 6(1)(1) of the Finnish Data Protection Act, which allows insurance companies to process health data, could only apply once an insurance contract had been concluded. On that basis, the Ombudsman ordered the controller to bring its processing into compliance with [[Article 9 GDPR|Article 9 GDPR]].

The Helsinki Administrative Court upheld the Ombudsman’s decision, finding that the concept of “insured person” under national law did not extend to insurance applicants prior to the conclusion of a contract.
The controller appealed to the Supreme Administrative Court.

=== Holding ===
The Supreme Administrative Court overturned the decisions of both the Administrative Court and the Data Protection Ombudsman.

The Court held that the concept of “insured person” in Section 6(1)(1) of the Finnish Data Protection Act must be interpreted to include the person who is the object of voluntary personal insurance, irrespective of whether the insurance contract has already been concluded or is still being applied for. This interpretation was supported by the structure and purpose of national insurance law, which requires the assessment of risk and liability already at the application stage.

The Court found that processing health data during the insurance application phase is an inherent and necessary part of insurance activity and falls within the national exception permitted under [[Article 9 GDPR#2g|Article 9(2)(g) GDPR]]. Interpreting the exception more narrowly would exclude a core element of insurance practice without support in the legislative history.

Accordingly, the Court concluded that the controller’s processing of health data was not unlawful under [[Article 9 GDPR|Article 9 GDPR]], annulled the supervisory authority’s order, and lifted the obligation to modify the processing practices.

== Comment ==
''Share your comments here!''

== Further Resources ==
''Share blogs or news articles here!''

== English Machine Translation of the Decision ==
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

<pre>
The Data Protection Ombudsman had considered that the processing of health data carried out by the insurance company in connection with the application for voluntary personal insurance was not in accordance with Article 9 of the General Data Protection Regulation. According to the Data Protection Ombudsman, the exception in Section 6(1)(1) of the Data Protection Act, on the basis of which insurance activities may process data concerning the health of the insured, could not be applied at the stage of applying for insurance.

The Supreme Administrative Court held, on the grounds set out in its decision, that the insured person referred to in Section 6(1)(1) of the Data Protection Act is the subject of voluntary personal insurance, regardless of whether the insurance contract has already been concluded or whether the insurance has just been applied for. The processing of health data carried out by the insurance company was not contrary to Article 9 of the Data Protection Regulation on the grounds presented by the Data Protection Ombudsman.

Vote 3 — 2

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) Article 9(1) and (2)(g)

Data Protection Act, Section 6(1)(1)

Insurance Contracts Act, Section 2(1)(4) and (5) and Section 22

Decision appealed

Helsinki Administrative Court, 16 January 2024, No. 117/2024

Judgment of the Supreme Administrative Court

The Supreme Administrative Court grants leave to appeal and examines the matter.

The decisions of the Administrative Court and the Data Protection Ombudsman are quashed.

The appellant’s claim for reimbursement of legal costs is dismissed.

Background

(1) In 2020 and 2021, the Office of the Data Protection Ombudsman investigated the practices of the insurance company (hereinafter also the controller) that is the applicant for the appeal when processing health information requested from healthcare units in connection with applications for voluntary insurance.

(2) On 8 June 2022, the Data Protection Ombudsman issued a decision on the systematic practices of the applicant for the appeal. According to the decision, the controller cannot, pursuant to the provisions of Section 6(1)(1) of the Data Protection Act, process the health information of an applicant for voluntary insurance or the health information of a person for whose death, illness or injury voluntary insurance is being applied for. For this reason, the controller also cannot request the health information of these persons from the healthcare unit at the stage of applying for insurance, pursuant to the above-mentioned provision.

(3) According to the decision of the Data Protection Ombudsman, the processing of special categories of personal data of the applicant for voluntary insurance by the controller is not in accordance with Article 9 of the General Data Protection Regulation. For this reason, the Data Protection Ombudsman has issued an order to the controller pursuant to Article 58(2)(d) of the Regulation to bring the processing operations into compliance with the provisions of Article 9 of the Regulation when the controller processes the health data of the applicant for voluntary insurance or the health data of the person for whose death, illness or injury voluntary insurance is being applied for. A report on the measures taken must be submitted by 29 July 2022, unless the controller applies for an appeal against the decision.

(4) The Data Protection Ombudsman has considered that it is not possible to apply the provision of Section 6(1)(1) of the Data Protection Act to the processing of the health data of the applicant for voluntary insurance or the person for whose death, illness or injury voluntary insurance is being applied for. According to the aforementioned provision, Article 9(1) of the Data Protection Regulation does not apply when an insurance institution processes information about the insured obtained in the course of insurance activities and specified in the provision.

(5) The Administrative Court has rejected the appellant’s appeal and its claim for reimbursement of legal costs and has extended the deadline set in the Data Protection Ombudsman’s decision for the appellant to submit a report on the measures taken until 1 March 2024.

(6) According to the reasoning of the Administrative Court’s decision, the Data Protection Act or its preparatory works do not define what is meant by an insured person in the context of the application of the Data Protection Act. The starting point for interpreting the concept can be considered to be Section 2(1)(5) of the Insurance Contracts Act, according to which an insured person means a person who is the subject of personal insurance or for whose benefit non-life insurance is valid. According to the wording of Section 6(1)(1) of the Data Protection Act, it is not justified to interpret the concept of insured person in such a way that it would also cover the applicant for insurance before the conclusion of the insurance contract. The legislative drafting material regarding this section does not support the interpretation that the legislator intended to extend the concept of insured person to the applicant for insurance or that this was considered necessary for determining the liability determined on the basis of the insured event. The appellant has therefore not been able to process the health information of the applicant for voluntary insurance pursuant to Section 6(1)(1) of the Data Protection Act before the conclusion of the insurance contract. Based on the above, the Data Protection Ombudsman has been able to consider that the processing of the special categories of personal data of the applicant for voluntary insurance is not in accordance with Article 9 of the General Data Protection Regulation and to issue the order set out in more detail in the decision.

The case has been decided by the members of the Administrative Court, Petteri Leppikorpi, Nina Tuominen and Lotta Haverinen, who have also presented the case.

Claims in the Supreme Administrative Court

(7) The appellant has requested leave to appeal and has requested that the decisions of the Administrative Court and the Data Protection Ombudsman be overturned. The Office of the Data Protection Ombudsman shall be ordered to reimburse the appellant’s legal and party costs in the Administrative Court and the Supreme Administrative Court, including interest on late payment.

(8) The Data Protection Ombudsman has requested that the appeal and the claim for reimbursement of legal costs be dismissed.

Reasons for the Supreme Administrative Court’s decision

Question

(9) The Supreme Administrative Court is to decide whether the Data Protection Ombudsman could, on the grounds presented, consider that the processing of health data of an applicant for voluntary insurance or of a person for whose death, illness or injury voluntary insurance is being applied for by the controller is not in accordance with Article 9 of the General Data Protection Regulation, and issue the controller with the order set out in point 3 above. The matter concerns, above all, the meaning of the term “insured person” used in Section 6(1)(1) of the Data Protection Act.

Applicable legal provisions

(10) Pursuant to Article 9(1) of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), the processing of, among other things, data concerning health is prohibited. Pursuant to point (g) of paragraph 2 of the same Article, paragraph 1 shall not apply where processing is necessary for important reasons of public interest under Union law or the law of a Member State, provided that it is proportionate to the aim pursued, respects the essential aspects of the right to the protection of personal data and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.

(11) Pursuant to Section 1 of the Data Protection Act, that Act clarifies and supplements the General Data Protection Regulation and its national application.

(12) According to Section 6(1)(1) of the Data Protection Act, Article 9(1) of the Data Protection Regulation does not apply when an insurance institution processes information obtained in the course of insurance activities on the health, illness or disability of the insured and the claimant, or on the treatment or comparable measures applied to them, which are necessary for the insurance institution to determine its liability.

(13) According to Section 2(1)(4) of the Insurance Contracts Act, for the purposes of that Act the policyholder means the person who has concluded an insurance contract with the insurer; if the right based on the insurance is transferred, the provisions on the policyholder apply to the transferee. According to point 5 of the same subsection, the insured means the person who is the subject of the personal insurance or for whose benefit the non-life insurance is valid.

(14) According to Section 22 of the Insurance Contracts Act, before the insurance is granted, the policyholder and the insured must provide correct and complete answers to questions posed by the insurer that may be relevant to the assessment of the insurer’s liability.

Key aspects presented by the Data Protection Ombudsman and the appellant

(15) The Data Protection Ombudsman considers that the concept of insured cannot be extended to mean the applicant for insurance or the person for whose death, illness or injury voluntary insurance is being applied for. Such processing of health information contrary to the wording of the regulation would not be reasonable and foreseeable for the data subjects. The Data Protection Act has been enacted under the margin of manoeuvre of the Data Protection Regulation, and the data subject must be able to rely on the wording of the Data Protection Act.

(16) According to the appellant, the concept of insured must be interpreted in such a way that it also covers the person who is intended to be the subject of the insurance contract, taking into account the purpose, legislative history and systematics of the provision. The so-called insurance exception in Section 6(1)(1) of the Data Protection Act is an additional national exception enabled by the General Data Protection Regulation, which has also been consistently applied to the selection of liability prior to the conclusion of an insurance contract. In the selection of liability, the insurance company assesses the conditions for granting the insurance. For this reason, Section 22 of the Insurance Contracts Act stipulates that the insured is obliged to provide information to the insurance institution even before the conclusion of the contract. Therefore, it is logical to interpret Section 6(1)(1) of the Data Protection Act as allowing the receipt of this information also before the conclusion of the contract.

Legal assessment and conclusion

(17) Section 6(1)(1) of the Data Protection Act provides for an exception to the general prohibition of processing special categories of personal data in Article 9(1) of the General Data Protection Regulation concerning the insurance activities of insurance institutions. The preparatory work for the Data Protection Act (HE 9/2018 vp) considered such a regulation possible on the basis of Article 9(2)(g) of the Data Protection Regulation.

(18) The provision of the Data Protection Act corresponds to Section 12(11) of the repealed Personal Data Act (523/1999), and in addition, a largely identical ground for exemption has already been included in Section 7(6) of the Personal Data Register Act (471/1987). In the preparatory work for the Data Protection Act (HE 9/2018 vp), national clarification regarding insurance activities has been considered necessary so that insurance institutions can continue to process information obtained in insurance activities about the health status, illness or disability of the insured and the claimant, or about the treatment measures applied to them, or comparable information.

(19) The Supreme Administrative Court notes that the Data Protection Act or its preparatory work does not specifically define what is meant by the insured in Section 6(1)(1) of the Act. In such cases, when interpreting this national provision, importance must be given to what is meant by the insured in national insurance legislation.

(20) Section 22 of the Insurance Contracts Act provides for the obligation of the policyholder and the insured to provide information. The first sentence of the provision concerns the obligation to provide information before the insurance is granted. Nevertheless, the provision imposes an obligation on the insured in addition to the policyholder. According to the definitional provision of the Insurance Contracts Act, the concept of insured person refers to the subject of personal insurance and the person for whose benefit the non-life insurance is valid.

(21) Based on the aforementioned provisions, the Supreme Administrative Court finds that the concept of insured person must also be understood in Section 6(1)(1) of the Data Protection Act as meaning the subject of voluntary personal insurance, regardless of whether the insurance contract has already been concluded or whether the insurance has just been applied for. Interpreting the national exception for insurance activities provided for in the Data Protection Act in the manner set out above does not lead to personal data being processed in insurance activities in violation of the principles of Article 5 of the General Data Protection Regulation on the processing of personal data.

(22) The Supreme Administrative Court further notes that in insurance activities there is a need to process information regarding the health of individuals both in order to determine the liability of the insurance institution in the contractual relationship and also in order to assess the liability of the insurance institution already at the stage of applying for insurance. There is no support available from the draft laws of the Data Protection Act or its predecessors for the interpretation that the legislator intended to exclude the insurance application stage, which is an essential part of insurance activities, from the insurance exemption enabling the processing of health-related data.

(23) Based on the above, the Supreme Administrative Court finds that the insured person in Section 6(1)(1) of the Data Protection Act also refers to an applicant for voluntary insurance or a person for whose death, illness or injury voluntary insurance is being applied for.

Conclusion

(24) The Data Protection Ombudsman has not been able to consider, on the grounds presented in his decision, that the appellant cannot, pursuant to the provisions of Section 6(1)(1) of the Data Protection Act, process the health information of an applicant for voluntary insurance or the health information of a person for whose death, illness or injury voluntary insurance is being applied for, or request the health information of these persons from the healthcare unit during the insurance application stage. The processing of special categories of personal data by the appellant has therefore not been in breach of Article 9 of the GDPR on the grounds presented by the Data Protection Ombudsman. Accordingly, the Data Protection Ombudsman has also not been able to issue the appellant with an order resulting from its decision to bring the processing of personal data into compliance with the Regulation.

(25) On the grounds mentioned, the decisions of the Data Protection Ombudsman and the Administrative Court must be annulled.

Legal costs

(26) According to Section 95(1) of the Act on Administrative Proceedings, a party to the proceedings is obliged to compensate the other party’s legal costs in whole or in part if, in particular in view of the decision given in the case, it is unreasonable for the other party to have to bear its own legal costs. According to subsection 2 of the same section, when assessing the reasonableness of the liability to compensate, the legal ambiguity of the case, the actions of the parties and the significance of the case for the party concerned may also be taken into account.

(27) According to the detailed justifications of the section (HE 29/2018 vp), the starting point is that if a public party loses the case, it would be obliged to compensate the other party’s legal costs. According to the justifications, when assessing the grounds for liability for compensation, special attention should be paid to the decision given in the case. However, the outcome of the case is not the only determining factor when assessing the reimbursement of legal costs, but the decision on the reimbursement of legal costs is a question of the overall assessment of the reasonableness of the liability for costs.

(28) The Data Protection Ombudsman has made the decision in question in order to carry out his task of supervising compliance with the data protection legislation provided for him. The matter has been subject to legal interpretation. Regardless of the outcome of the case, it is therefore not unreasonable, taking into account the circumstances, for the appellant to have to bear its own legal costs in the Administrative Court and the Supreme Administrative Court.

The case has been decided by legal advisors Outi Suviranta, Taina Pyysaari, Monica Gullans (dissenting opinion), Toni Kaarresalo (dissenting opinion) and Päivi Pietarinen. The rapporteur for the case is Elina Ranz (dissenting opinion).

Voting report and dissenting opinion

Voting report of the dissenting legal advisor Toni Kaarresalo, with whom legal advisor Monica Gullans concurred:

“I grant leave to appeal. I dismiss the appeal. As I am obliged to rule on the costs of the proceedings on the basis of the majority’s decision on the merits, I agree with the majority on those costs.

Reasons

According to Article 9(1) of the General Data Protection Regulation of the European Parliament and of the Council, the processing of data concerning health, among other things, is prohibited. According to point (g) of paragraph 2 of the same article, paragraph 1 shall not apply if the processing is necessary for an important reason of public interest under Union law or the law of a Member State, provided that it is proportionate to the aim pursued, respects the essential aspects of the right to the protection of personal data and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

According to the regulatory mechanism of the General Data Protection Regulation, the basis for the processing of data concerning health must be laid down separately, unless the processing is based on the explicit and legitimate interests of the data subject. consent or other ground for processing. In Finland, the Data Protection Act specifies and supplements the General Data Protection Regulation and its national application.

Section 6, subsection 1, paragraph 1 of the Data Protection Act concerns a national exception to the general prohibition on processing health data laid down in the General Data Protection Regulation. According to the said section of the act, Article 9, paragraph 1 of the Data Protection Regulation shall not apply when an insurance institution processes information obtained in the course of insurance activities on the health, illness or disability of the insured and the claimant, or on the treatment or comparable measures applied to him or her, which are necessary to determine the liability of the insurance institution.

The Data Protection Act or its preparatory works do not specifically define what is meant by the insured in section 6, subsection 1, paragraph 1 of the Act. The content of the provision corresponds to the national legislation previously in force in the part in question. When the Personal Data Act (523/1999) was enacted, the corresponding exception was specified, compared to the then-current Personal Data Register Act (471/1987), in that the processing was extended to cover not only information about the insured but also information about the claimant (HE 96/1998 vp, p. 47). According to the justifications in the government proposal, this was due to the fact that insurance institutions also have to process health information about claimants other than the insured in their operations. For example, a person injured in a traffic accident is often not the insured, but an outside person who has suffered personal injury in a traffic accident.

I note that the registration of health information about claimants other than the insured in the aforementioned government proposal, with its justifications, does not refer to a situation in which insurance is just being applied for, but to a situation in which an insured event has occurred. This is natural, since the issue was the processing of information in order to determine the liability of the insurance institution. The above-mentioned clarification in the Personal Data Act shows that efforts have been made to regulate the processing of personal data precisely even in the period preceding the General Data Protection Regulation. However, no clarifications have been made regarding the concept of the insured in the Personal Data Act or the Data Protection Act. Similarly, the limitation for determining the liability of an insurance institution has not been extended to include the assessment of the liability of an insurance institution in a situation where insurance is only being applied for.

In the provisions of the Insurance Contracts Act explained above in the reasons for the Supreme Administrative Court’s decision, the concept of the insured is not used consistently in such a way that it is clearly and precisely defined on this basis. According to the definition provision of the Insurance Contracts Act, the insured refers to someone who is the subject of personal insurance or for whose benefit non-life insurance is valid, and this also corresponds to the general meaning of the concept.

In interpreting the Data Protection Act, in addition to Section 10 of the Finnish Constitution, which protects the protection of private life and personal data, the European Union’s data protection regulations must be taken into account. Regardless of the national margin of manoeuvre, the basis for processing data or the legislative measure relating to it must also be clear and precise in accordance with the case law of the Court of Justice of the European Union and the European Court of Human Rights, and its application must be foreseeable for the persons concerned (Recital 41 of the General Data Protection Regulation).

For the reasons mentioned above, I consider that Section 6(1)(1) of the Data Protection Act cannot be interpreted broadly so that the insured person also refers to an applicant for voluntary insurance or a person for whose death, illness or injury voluntary insurance is being applied for.

In view of the above, there are no grounds for changing the outcome of the administrative court’s decision.”

The proposal of the rapporteur, Elina Ranz, for a decision on the matter was of the same content as the voting opinion of legal advisor Kaarresalo.
</pre>