General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (the "GDPR") has applied in all EU Member States since 25 May 2018. The national Data Protection Authorities (DPAs) are in charge of enforcing the rules and coordinate their actions through new cooperation mechanisms and the European Data Protection Board (EDPB).

The GDPR only covers the processing of personal data: this is information that relates to a living identified or identifiable person (a data subject). Special categories of data, such as health data, are subject to additional protection and such data will only be processed with express consent from the data subject. Derogations are possible. Data processing covers most activities involving personal data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.

The GDPR is a cross-sectoral piece of legislation. It applies to the insurance distribution sector but is not specific to it.

The GDPR and insurance intermediaries

Controllers or Processors or Joint Controllers?

In most cases, insurance intermediaries will process personal data on their own account and will act as data controllers. In some other cases, intermediaries will act under clear processing instructions from a data controller (for example, an insurer) and will be data processors. Intermediaries could also be joint controllers. The GDPR requires joint controllers to reach an arrangement that determines their respective responsibilities for compliance with the obligations under the GDPR.

Legal basis for processing sensitive data

A significant GDPR challenge for insurance intermediaries is the processing of sensitive data, mainly health data. Under the GDPR, as a matter of principle, it is prohibited to process sensitive data. Derogations from this general prohibition are provided in the circumstances exhaustively described in Article 9§2. However, the processing of health data by insurance intermediaries does not readily fall under one of the exceptions to the general prohibition of the processing of personal data. It should consequently be verified whether the processing of health data by insurance intermediaries can be covered by one of the derogations.

The Commission's May 2022 proposal for a Regulation on the European Health Data Space (EHDS) builds on the GDPR and aims to "provide a trustworthy setting for secure access to and processing of a wide range of health data". BIPAR will study the impact of the proposal on the sector and will monitor the EP and Council readings on it.