Dutch DPA imposes order subject to penalty on health insurer CZ

Jan 25, 2021

Source: European Data Protection Board

Following an investigation, the Dutch Data Protection Authority (DPA) found that the way health insurer CZ handled applications for prior approval of treatment was in breach of the General Data Protection Regulation (GDPR). According to the DPA’s investigation, in a number of cases CZ processed more medical data than was necessary for the assessment of applications for the reimbursement of costs for rehabilitation care. The applications in question were from insured persons who required specialised medical rehabilitation, for example following a complex fracture or due to a motor disorder. For this breach of privacy legislation, the DPA has imposed an order subject to penalty on CZ.

To cover specialised medical rehabilitation, health insurer CZ requires insured persons to apply for prior approval (authorisation requirement). CZ can set additional conditions for such approval.

Twelve insured persons requested that the DPA take enforcement action against CZ. They argued that CZ had processed too much personal data – including sensitive personal data – when assessing their applications for rehabilitation care.

In breach of privacy legislation (GDPR)

The DPA found that, when assessing the applications of four insured persons, CZ processed more medical data than was necessary and was therefore in breach of the GDPR. According to the DPA’s investigation, CZ’s policy led to more personal data being provided than was necessary for such an assessment.

CZ appealed against the DPA’s decision. The DPA and CZ have, however, also already made a number of agreements, and CZ has taken several measures as a result, such as deleting from its systems the data in question of the twelve insured persons and removing the policy document on applications for prior approval from its website.

When assessing applications for prior approval for specialised outpatient medical rehabilitation, CZ will determine on a case-by-case basis whether additional data is necessary. This will be based on the information that is required according to professional frameworks and the position of the National Health Care Institute.

CZ and the DPA will continue to discuss possible adjustments to the way applications for prior approval are handled, to ensure it is in compliance with the GDPR.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority.
