Helsana Zusatzversicherungen AG operates an app-based bonus programme called «Helsana+». Participants in the scheme can do certain activities to collect «Plus» points, which they can convert into rewards such as cashback, non-cash benefits or vouchers from partner companies. It is only open to the Helsana Group’s policyholders, i.e. anyone insured with Helsana Zusatzversicherungen AG, Helsana Versicherungen AG or Progrès Versicherungen AG. In other words, individuals who have only taken out basic insurance with Helsana can also join the scheme. In order to undertake the necessary investigations, Helsana Zusatzversicherungen AG requests participants» consent to access data relating to their compulsory health insurance when they sign up via the app.
FDPIC takes legal action
The Swiss Federal Data Protection and Information Commissioner (FDPIC) felt this approach breached data protection legislation and issued Helsana Zusatzversicherungen AG with recommendations in April 2018. He advised that «Helsana+» should not be used to gather or process any basic insurance data or obtain consent to this data processing and that cash refunds should not be paid to those with only basic insurance. Helsana Zusatzversicherungen AG declined to act on these recommendations, prompting the FDPIC to bring an action before the Federal Administrative Court (FAC) in May 2018.
Data gathering ruled unlawful
The FAC found in its judgment that the consent obtained through the application to acquire personal data by the Helsana Group’s basic insurances (Helsana Versicherungen AG and Progrès Versicherungen AG) did not comply with the provisions of data protection law. Helsana Zusatzversicherungen AG is thus prohibited from using the data acquired and must desist from acquiring it in this way in the future.
Some data used lawfully
By contrast, the use of legally acquired data on individuals with only basic insurance does not in itself violate the Data Protection Act. Even if the insurer were to pursue an unlawful purpose by so doing, namely indirectly reimbursing insurance premiums for compulsory health insurance, its behaviour would only breach data protection law were it to infringe a rule of law aimed at protecting the privacy of premium payers. However, this was not the case with regard to the relevant provisions of the Swiss Health Insurance Act. In this respect, therefore, the data processing carried out as part of the «Helsana+» bonus programme is lawful within the meaning of the Data Protection Act. Given this, the question of whether the scheme amounts to a covert reduction in premiums and thus whether Helsana Zusatzversicherungen AG is in breach of the Health Insurance Act can be left open.
This judgment may be appealed to the Federal Supreme Court.
Judgment of the Federal Administrative Court A-3548/2018 of 19 march 2019
Source: Press release of the Federal Administrative Court of 29 march 2019