- Michalopoulou & Associates
- Brief Summary of facts
By the Athens Appeal Court’s decision no. 1900/2017, an individual’s lawsuit was rejected. The lawsuit concerned an insurance company’s refusal to sign a life insurance contract with him, a refusal based on the processing of personal data from his military discharge papers, which stated that the individual suffered from “a sexual identity disorder with a characteristic deflection” (estrionic), a judgment also issued by Decision no. 33/2016 of the Hellenic Data Protection Authority.
According to the facts of the case, the applicant filled out a questionnaire drafted by the insurance company. The questionnaire included a question on whether he had fulfilled his military obligations or had been legally exempted from them, to which the applicant responded positively. Next to his answer he noted the term “I5”, which he afterwards erased using blanco eraser. A company employee then received the questionnaire, purposely scratched off the blanco and observed the erased note. As a result, the company asked the applicant to produce his military discharge papers, which the applicant accordingly sent.
The Court of Appeal ruled, by majority, in favor of the insurance company’s refusal to insure the applicant, on the reasoning (ratio) that the individual had previously granted his consent, given that he himself sent the requested discharge documents to the insurance company.
The legislator has included health data within the meaning of sensitive personal data, with the result that health data are legally protected. Consequently, in this particular case, matters of personal data arise.
- “The Consent as primary obligation”
Personal data processing is allowed provided that the subject has previously granted his consent. This means that the person must make a free, explicit and specific declaration of will, expressed clearly and with complete awareness, by which he consents to the processing of his personal data, after having been informed accordingly. To begin with, in the present case, the subject did not provide his consent (notice), given that he erased the term “I5” with blanco, thus indicating his explicit non-consent to the use of this information. Nonetheless, the company’s employee illegally scratched off the erasure, despite the subject’s clear refusal to consent to that processing.
Afterwards, the applicant was asked to produce his military discharge papers, so that the reason for his exemption from duty could be verified. Once the papers had been produced to the company, the applicant received a negative answer from the insurance company regarding his request for life insurance. According to the personal data legislation, a warning to the data subject is required before the processing, which must include, without question, specific information about the cause of the data processing. As a result, issues also arise regarding the lack of proper information given to the applicant about the reason for presenting his discharge papers, as well as about all the possible consequences of such a presentation. Can we, therefore, talk about a free, explicit and specific declaration of will, expressed clearly and with full awareness? The answer is clearly negative.
Furthermore, another issue to be examined is how a non-medical paper, such as a military discharge paper, can serve as a ground for denying insurance services to an applicant. Military discharge papers do not, by their nature and purpose, constitute a medical document; on the contrary, they serve as simple documentary evidence of the subject’s ability to fulfill his military duties. Not only is such a paper not an essential document for evaluating the subject’s insurance capacity, it is completely irrelevant to it, as it should only be used to prove the subject’s military ability.
- GDPR in view!
The entry into force of the new General Data Protection Regulation (GDPR) is imminent. In this context, one can easily notice that the European legislator defined as a data subject every person who lives inside a society of intelligence and information, who has, in other words, access, at all times, to information and intelligence.
The severity of the European legislation can also be seen in the safety conditions foreseen by the GDPR, a severity that is further reflected in the fines it imposes. In other words, if a company violates a data subject’s rights or the general principles of data processing, it shall be obliged to pay fines of up to 20.000.000 Euros, or else 4% of its global total income.
In addition, according to article 7 of the GDPR, when data processing is based on consent, the controller, being responsible for the processing, must be able to prove that the data subject has given his approval to the processing of his personal data. Consequently, companies are responsible for providing proof that consent was granted. That means that companies must, from now on, be particularly careful and act appropriately, so as not to be penalized under the fine provisions set by the Regulation.