One bank and an insurance company may be overstepping their authority by demanding customers' medical test results - including radiology and an HIV test - as a condition for granting a mortgage and taking out an insurance contract. The Ombudsman has received complaints from citizens. The Ombudsman is asking the Data Protection Authority and the Financial Ombudsman for their views.
RPO intervenes: Mortgage loan only after X-ray and HIV test
Published July 16, 2025 10:46
Fot. Thinkstock / Getty Images
The Ombudsman has reported signals of potential violations of civil rights by one banking institution and an insurance company in the process of assessing credit risk. According to the complaints, it appears that as a condition for obtaining a mortgage and life insurance - which is supposed to provide security for loan repayment - the results of laboratory tests, X-rays and an HIV test must be presented.
The applicants alarm that such requests have no medical justification, and that the data they send is not properly secured. In their view, there are serious violations of the Polish Constitution, RODO, the EU Charter of Fundamental Rights and national laws protecting patients and sensitive data.
They point out, among other things:
- Violation of medical confidentiality,
- discrimination based on health status (Article 32 of the Polish Constitution),
- illegal processing of personal data, including health data, in violation of Article 9 of the RODO and the principles of data minimization and purpose limitation,
- unauthorized transmission of medical data without safeguards, which may be in violation of Directive 2002/58/EC,
- the lack of a legal basis for forced HIV testing, which, according to the Law on Prevention of Infectious Diseases, can only be performed with the patient's voluntary and explicit consent.
In addition, they note, according to the Atomic Law, radiological examinations can only be ordered by medically qualified persons, and the patient must be informed of the risks and consent to them.
According to the complainants, requiring this type of testing by financial institutions can lead to illegal processing of sensitive data and violations of patient and consumer rights.
The RPO responded to these signals and asked two institutions - the Office of Personal Data Protection and the Financial Ombudsman - to clarify whether similar cases had already been reported to them and what action had been or would be taken.
The case raises serious questions about the limits of the authority of financial institutions, especially in the context of health data processing and access to basic financial services without risk of discrimination.
Source: RPO
