FDPIC: Recommendation on the “Helsana+” bonus program

The FDPIC has concluded its clarification of the facts in the case of Helsana+ in accordance with Art. 27 and 29 FDPA with a Recommendation (PDF), because the parties did not agree on some points. The recommendation concerns the “Helsana+” bonus program offered by Helsana supplementary insurance.

The bonus program allows you to collect points for health-conscious behavior, social and societal commitment and solidarity with Helsana. The collected plus points can be redeemed for monetary values, benefits in kind, vouchers, etc. or in the form of bonus benefits (such as discounts) with Helsana partners.

[Terms of use and data protection for the Helsana+ App]

The Privacy Policy contains the following provision:

The User expressly agrees that Helsana may, within the scope of processing the Helsana+ App, access the insured data of the user available at the insurance companies of the Helsana Group.

This enables the provider of the program, Helsana Zusatzversicherungen AG, to identify the user by comparing the data with the user’s insurance data. This involves accessing data from the basic insurance (the user’s insurance status).

The FDPIC examined the bonus program as part of its fact-finding process and objected to it on two points:

  1. It violates data protection law when Helsana Zusatzversicherungen AG accesses data of the basic insurer as part of the registration process. The basic insurer is a federal body and can therefore only act on a legal basis. Such a basis was lacking for the disclosure of data to Helsana Zusatzversicherungen AG.
  2. Bonus points can be converted into monetary benefits, whereby the amount of the benefits depends, among other things, on whether the user has basic and/or supplementary insurance with Helsana. Accordingly, the processing of the health insurance affiliation has the economic effect of a premium refund. This violates the KVG. Therefore, the corresponding data processing is inadmissible.

In all other respects, the FDPIC considers the program compliant with data protection regulations (cf. the Helsana media release).

In the run-up to the recommendation, Helsana decided, without prejudice, to dispense with the transfer of data from basic to supplementary insurance and instead to obtain proof of basic insurance from the users of the app, which avoids the problem of data disclosure by the basic insurer, but in the end amounts to the same thing.

The core of the present case concerns issues of consent (and insurance law, but that should not be of further interest here):

  • Significance of consent in the case of federal bodies: Assuming that the Helsana Group’s basic insurers act as a federal body when disclosing insurance data to Helsana Zusatzversicherungen AG within the framework of the bonus program, the principle of legality applies (Art. 17 para. 1 FDPA). Art. 19 para. 1 lit. b FDPA, however, allows data disclosure with consent “in individual cases”. An individual case is likely to exist here because the consent concerns a clearly defined case, which already establishes an “individual case”; moreover, the consent even concerns only a single processing.
  • Voluntariness of consent: The FDPIC does not consider the consent to the collection of data by Helsana Zusatzversicherungen AG to be voluntary, because consent is necessarily linked to access to the program. (The correct term would probably be: consent to the disclosure of data by the basic insurer; prima vista, the collection itself does not violate any processing principle and therefore does not require a justification.)

The reproduction of the facts in the recommendation and the legal considerations of the FDPIC are too sparse for an in-depth analysis. However, the following points stand out:

  • The FDPIC continues to assume a prohibition of tying (as before; see also here and here), which he again does not justify in more detail. However, he is apparently of the opinion that the user cannot freely decide whether he wants to agree to the data disclosure in question because he cannot participate in the bonus program without this consent. In my opinion, this is wrong. First of all, no one is required to participate in a bonus program. On this point, see BGE 129 III 35 in re Post vs. VgT on the obligation to contract under private law:

For the concretization of this principle, however, it should be noted in advance that freedom of contract – and thus also the freedom to conclude contracts – as an element of private autonomy has an extraordinarily high value in the private law system. Since restrictions on the freedom to conclude contracts already result in large numbers from explicit – mostly public law – legal provisions, contracting obligations outside of express statutory orders have a pronounced exceptional character and can only be accepted with great reluctance. Under certain conditions, however, a duty to contract can be derived from the principle of prohibition of immoral conduct.

  • A prohibition of tying is not the same as a contracting requirement, but is related to it because it also restricts freedom of contract. Corresponding considerations are missing from the recommendation.
  • Secondly, a prohibition of tying can only apply if the consent relates to data processing that has nothing to do with the subject matter of the contract. If data processing is required for a contract, it is of course permitted; in this case, there is no tying, but a modality of contract processing. As a rule, consent is not required in this case. If it is nevertheless required in exceptional cases, e.g. because a federal body discloses data to third parties, as in this case, this does not change the factual connection between the contract and the consent.
  • In the present case, there seems to be such a factual connection because the bonus program is dependent on the insurance status, among other things. Whether this design of the bonus program is permissible is a different question, which cannot be solved by means of the prohibition of tying. Otherwise, the prohibition of tying – should such a prohibition be affirmed at all in Swiss law – would be misused as an instrument of content control.