Pension providers and insurers can’t reject consumer requests for their personal medical information without first assessing each request individually, Denmark’s data regulator said.
The Nov. 25 decision by the Danish Data Protection Agency outlaws company policies that automatically reject such consumer requests but doesn’t require insurers and similar organizations to hand over the data. It could serve as influential guidance, even though interpretations of EU law by national data protection agencies are not legally enforceable across the bloc.
The decision “confirms that a medical analysis is personal data,” Michael Gorm Madsen, an attorney with Bird & Bird, said in an email. The Danish action will likely influence how the EU’s data protection regulation is applied, he said.
“It stresses that data controllers have an obligation to evaluate each specific data subject request on its own merits and in the particular context,” Madsen said. “This will be of interest in other EU member nations.”
The case involved a customer who requested the data contained in a medical assessment of his abilities that his pension company had commissioned. The company, Juristernes og Økonomernes Pensionskasse, argued that such assessments are internal company documents and are not shared.
The Danish data regulator found that the firm’s approach breached Article 15 of the EU’s General Data Protection Regulation, which gives individuals a right of access to their personal data and so requires controllers to assess each access request rather than refuse it as a matter of policy.
“The ruling states that all automatic rejections of access requests will be a violation of the GDPR,” Camilla Andersen, head of section at the DPA, said. “Be they insurance, pensions or other industries, they cannot have these automatic rejection policies in place.”