GDPR and Processing Health Data in Insurance Relationships: The Role of Statutory Legal Bases journal article Karin Sein, Gerald Spindler European Health & Pharmaceutical Law Review, Volume 6 (2022), Issue 3, Page 98 - 116 The processing of health data is unavoidable in the insurance sector both in the pre-contractual phase for risk assessment as well as after the insured event has taken place to determine the insurer’s payment obligation. Health data processing is particularly relevant in the case of life, health and accident insurance but can also play a role in eg travel insurance. However, the processing of health data as sensitive data cannot be based on contract performance as there is no equivalent to Art. 6(1)(b) GDPR in Art. 9 GDPR that regulates the processing of sensitive data. Therefore, in some Member States insurance companies process health data based on consent. In other Member States, the processing is based on either insurance-specific national rules or some statutory legal basis in Art. 9(2) GDPR. In this article, we show, first, that consent-based processing of health data poses several problems in insurance relationships. We will, then, give a comparative overview of several jurisdictions in the EU and show that different Member States have either adopted different national rules for health data processing in the insurance sector and/or use different legal bases in Art. 9(2) GDPR. We conclude that there is no uniform understanding in the EU on how and on which legal basis health data can be processed in the insurance relationships. To overcome this legal uncertainty, we propose to introduce a provision in the GDPR allowing insurers to process health data to the extent necessary for the purposes of the conclusion of an insurance contract, the determination of the insurer's payment obligation and the recovery of recourse claims – using the Dutch legislation as a blueprint.
Development and Innovation Activities with Health Data: On What Legal Basis? Examples of Estonia, Finland, and the EHDS Proposal Maret Kruus
Conducting a Data Protection Impact Assessment in Health Science: A Comprehensive Guide Marcelo Corrales Compagnucci, Alan Dahi, Peter Alexander Earls Davis