Necessity: an exception that became the rule
As in every field, personal data protection also recognizes exceptions. According to the law, personal data may be processed without the consent of the data subject when such processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject during the pre-contractual stage.
However, what can an insurance company request on the ground of necessity? Necessity is a special aspect of the principle of proportionality, and it applies only when the means used are strictly necessary for fulfilling the purpose and performing the contract. In short, there is undoubtedly a need for medical documents to be provided, since they may serve as criteria for determining the person's insurability, the amount of the premium, etc.
By contrast, a non-medical document, such as a military discharge document, cannot be used as a basis for denying the applicant an insurance service. This is reinforced by the certainty required at the stage of identifying and determining the risk. The actuarial criteria, which play a key role, are consistent and require actual evidence as the basis for identifying risk as a component of these data. It is therefore not possible to calculate the level and extent of the risk from a military discharge document; one can only form theories and hypotheses about contingencies, which lack the mathematical stability on which the institution of private insurance rests.
Our law firm’s comment
For all the above reasons, we believe that Decision no. 1900/2017, issued by the Appellate Court of Athens, as well as Decision no. 33/2016, issued by the Hellenic Data Protection Authority, wrongfully judged that there was no violation regarding the life insurance applicant's personal data. We point out that a change of mind and of criteria on the part of insurance companies regarding the meaning of necessity is required. While the world evolves and actuarial science moves forward, we also have to evolve and find ways to protect health, not only as personal data, but also as everyone's right to insurance.
We foresee and anticipate that the current situation will move in the right direction, especially within the framework of the new Regulation 679/2016 (GDPR), which places the burden of personal data protection on the companies concerned and threatens them with severe penalties and huge fines in case of non-compliance.
Last, but not least, we recommend that companies that collect and process personal data conduct educational seminars for their employees in order to fully comply with the new Regulation; they may also need to amend the contracts governing their data collection and processing terms. In order for healthcare companies to comply with the new Regulation, certain requirements must be met: on the one hand, the establishment of the new roles and procedures the Regulation commands, e.g. those of Privacy Officer, Security and Risk Officer and, more importantly, Data Protection Officer; and on the other hand, cooperation between the company's departments, especially the Customer Service department, the Human Resources department, the Legal department (for implementing the new legal framework), and the IT and Security departments (for shaping and protecting the new databases).