DPA imposes order subject to penalty on health insurer CZ


Following an investigation, the Dutch Data Protection Authority (DPA) found that the way health insurer CZ handled applications for prior approval of treatment was in breach of the General Data Protection Regulation (GDPR). According to the DPA’s investigation, in a number of cases CZ processed more medical data than was necessary for the assessment of applications for the reimbursement of costs for rehabilitation care. The applications in question were from insured persons who required specialised medical rehabilitation, following a complex fracture or due to a motor disorder for example. For this breach of privacy legislation, the DPA has imposed an order subject to penalty on CZ.

To cover specialised medical rehabilitation, health insurer CZ requires insured persons to apply for prior approval (authorisation requirement). CZ can set additional conditions for such approval.

Twelve insured persons requested that the DPA take enforcement action against CZ. They argued that CZ had processed too much personal data – including sensitive personal data – when assessing their applications for rehabilitation care.

In breach of privacy legislation (GDPR)

The DPA found that, when assessing the applications of four insured persons, CZ processed more medical data than was necessary and was therefore in breach of the GDPR. According to the DPA’s investigation, CZ’s policy led to more personal data being provided than was necessary for such an assessment.

CZ appealed against the DPA’s decision. The DPA and CZ have, however, also already made a number of agreements, and CZ has taken several measures as a result, such as deleting from its systems the data in question of the twelve insured persons and removing the policy document on applications for prior approval from its website.

When assessing applications for prior approval for specialised outpatient medical rehabilitation, CZ will determine on a case-by-case basis whether additional data is necessary. This will be based on the information that is required according to professional frameworks and the position of the National Health Care Institute.

CZ and the DPA will continue to discuss possible adjustments to the way applications for prior approval are handled, to ensure it is in compliance with the GDPR.

Man loopt buiten op straat stad