Administrative Court upholds decision of the Commissioner for the Protection of Personal Data on excessive collection of medical information

In July 2013 the Commissioner for Personal Data Protection (the Cyprus Data Protection Authority) imposed a fine of €3.000 on an insurance company on the grounds that it had asked for excessive sensitive medical information in the course of assessing a claim for a total disability benefit.

The insurer challenged the decision claiming that the matter lies outside the jurisdiction of the DPA since it is a matter of contractual interpretation of the relevant policy provisions and any dispute between the insurer and the insured in that respect is to be settled by a civil court.

The Administrative Court upheld the decision of the DPA and rejected the challenge of the insurer on the grounds that the DPA had jurisdiction to deal with this matter. Furthermore, it agreed with the DPA that since the insurer had in its possession sufficient medical information to assess the relevant claim, the request for additional medical information and certificates violated the principle that personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

This decision serves as a reminder that insurers must be careful when asking data subjects to provide additional medical or other sensitive personal data in the course of assessing insurance benefit claims if they already have in their possession sufficient information to allow an informed assessment of the relevant claim. A policy provision which allows the insurer to ask for additional information cannot be invoked to justify a violation of the proportionality principle.

Case: CNP CypriaLife Ltd v Commissioner for the Protection of Personal Data, Case no 5892/2013, 6/9/2016. Full text can be found here (in Greek)