In a recent decision (under number 11/2016), the Hellenic Data Protection Authority (the "HDPA") authorised the sharing by an insurance company (insurer A) of sensitive data (in this case health data) of its insured under an existing life-long life and health insurance contract (as of 2002), to another insurance company (insurer B) that concluded a life insurance contract with the same insured (as of 2012), for the purposes of judicial use thereof by insurer B.

The request of insurer B referred specifically to the receipt of health-related information maintained in the files of insurer A regarding the insured, such as copies of any decisions / opinions of health committees of any social security body as well as any other information regarding the insured’s diseases or disability and the granting of pension, as to the period prior to the conclusion of the life insurance contract with insurer B. Insurer B proposed to use the requested information for establishing an allegation regarding the lack of causal link between a road traffic accident and the insured’s allegedly sustained health damage there-under (i.e. severe spinal cord injuries), for which the insured was seeking compensation in the form of insurance indemnity through a writ filed against insurer B.

In addressing such request, the HDPA took into account various laws, including (a) the provisions of the law 2472/1997 (Greek Data Protection Act) on the terms and conditions for a lawful processing of sensitive data (i.e. health data) and the need for prior notification of data subjects by data controllers regarding the disclosure of their data to third parties; (b) the provisions of Medical Ethics Code on the granting of medical certificates, by way of exception, to third parties (subject to the establishment of a legitimate interest by the latter), and the conditions for the lifting of medical confidentiality; and (c) the provisions of the law 2496/1997 (Greek Insurance Contract Act) on insurance contract definition, the insurance applicant’s pre-contractual information duty to inform the insurer of any element or incident that may be objectively material for the assessment of the risk to be insured and the default rule that a health insurance contract does not, in principle, cover diseases / health injuries attributed to pre-existing conditions.

Upon consideration of said facts and laws, the HDPA came to the following conclusions:

  1. insurer B asking for the disclosure of sensitive data (i.e. health data) relating to the insured contained in the files of insurer A bore the capacity of a third party;
  2. the processing purpose, to which such request related, was actually the defence by insurer B against the insured’s writ;
  3. said processing purpose was compatible with relevant provisions of the Greek Data Protection Act, especially Art. 7 par. 2 elem. c thereof, pursuant to which the processing of sensitive data and the formation and operation of a relevant file is, by way of exception, allowed, upon license by the HDPA, that is granted, among others, where the processing refers to data that is necessary for the acknowledgement, exercise and defence of rights before a court or a disciplinary body;
  4. the principle of proportionality was fulfilled in the relevant context, since the requested information was, in principle, appropriate for the purpose of judicial use thereof, in the form of establishment by insurer B of an allegation that the serious spinal cord injuries, which had been allegedly sustained by the insured in the road traffic accident and for which the insured was seeking insurance indemnity from insurer B, were actually caused through a pre-existing health problem that the insured had not communicated to the insurer B at the time of conclusion of the life insurance contract, giving rise to a coverage denial; and
  5. insurer A in its capacity as data controller bore an obligation to notify the insured of the disclosure of their sensitive data to insurer B.

The HDPA's decision reflects the benchmarks upon which the HDPA assesses requests relating to disclosure of sensitive data to third parties for the purpose of judicial use thereof. The benchmarks set out by the HDPA should be considered in the event that organisations operating in Greece receive a request from a third party for disclosure of insureds’ sensitive data, for the purposes of judicial use.

Submitted by Alkistis Christofilou, Partner and Maria Demirakou, Senior Associate at Rokas Law Firm – Athens, Greece, in partnership with DAC Beachcroft LLP.