DPA imposes order subject to penalty on health insurer CZ

To cover specialised medical rehabilitation, health insurer CZ requires insured persons to apply for prior approval (authorisation requirement). CZ can set additional conditions for such approval.

Twelve insured persons requested that the DPA take enforcement action against CZ. They argued that CZ had processed too much personal data – including sensitive personal data – when assessing their applications for rehabilitation care.

In breach of privacy legislation (GDPR)

The DPA found that, when assessing the applications of four insured persons, CZ processed more medical data than was necessary and was therefore in breach of the GDPR. According to the DPA’s investigation, CZ’s policy led to more personal data being provided than was necessary for such an assessment.

CZ appealed against the DPA’s decision. The DPA and CZ have, however, also already made a number of agreements, and CZ has taken several measures as a result, such as deleting from its systems the data in question of the twelve insured persons and removing the policy document on applications for prior approval from its website.

When assessing applications for prior approval for specialised outpatient medical rehabilitation, CZ will determine on a case-by-case basis whether additional data is necessary. This will be based on the information that is required according to professional frameworks and the position of the National Health Care Institute.

CZ and the DPA will continue to discuss possible adjustments to the way applications for prior approval are handled, to ensure it is in compliance with the GDPR.