In its decision of 19 March 2019, the Federal Administrative Court dealt with fundamental questions of data protection law relating to the "Helsana+" App. What are the requirements for valid consent to data processing by federal bodies? Is data processing unlawful if the purpose of the data processing is unlawful?
The “Helsana+” app enables persons insured with the Helsana Group to secure bonuses for certain activities. Participation in Helsana+, an app of Helsana Zusatzversicherungen AG, is only possible if the participants have health insurance with the Helsana Group. Participants register with Helsana+ by registering in the app. Helsana Zusatzversicherungen AG then compares the registration data for Helsana+ annually with the data collected for compulsory health insurance (data comparison). The comparison is carried out for the purpose of checking whether the participants are still insured with the Helsana Group. The participants give their disputed consent to the data comparison by clicking on the terms and conditions of use and data.
Initially, the Federal Administrative Court had to answer the question of whether the insured had given their valid consent to the data comparison.
The Federal Administrative Court also answered the question of whether the data processing by Helsana Zusatzversicherungen AG under Helsana+ was unlawful if the defendant processed personal data for an unlawful purpose. The Federal Administrative Court first clarified that there is a difference between the EU DSGVO and the Swiss DSG in the area of the lawful or unlawful purpose. In the EU, data may only be processed if there is a legitimate purpose (Art. 5 para. 1 EU-DSGVO). In Switzerland, the purpose only has to be in conformity with standards which at least also aim to protect the personality of a person, since the DPA is designed to guarantee the constitutional right to informational self-determination (Art. 13 para. 2 BV) of every person. In the present case, however, the relevant applicable provisions (Art. 61 and 62 KVG) merely served to implement the principle of reciprocity in social health insurance, but not to protect the personality of the premium payers. Therefore, regardless of whether the purpose of the data processing violated these social security norms, there was no unlawful data processing within the meaning of Art. 4 para. 1 FPA. In an obiter dictum, the Federal Administrative Court then stated that the provisions of health insurance law were not violated anyway.
Data processing under the Helsana+ programme was therefore lawful.
In summary, it can be stated that, firstly, the announcement by Helsana Krankenkassen to Helsana Zusatzversicherungen AG was not legal because the consent was not given in writing and informed. However, the survey by Helsana Zusatzversicherungen was legal. Furthermore, the processing of personal data by Helsana Zusatzversicherungen was lawful, since the purpose of the processing did not impair the right to informational self-determination of the persons concerned.