General Data Protection Regulation (GDPR)

The General Data Protection EU Regulation (the "GDPR") has applied in all EU Member States since 25 May 2018. The national Data Protection Authorities (DPAs) are in charge of enforcing the rules and are coordinating their actions through new cooperation mechanisms and the European Data Protection Board (EDPB).

The GDPR only covers the processing of personal data: this is information that relates to a living identified or identifiable person (a data subject). Special categories of data, such as health data, are subject to additional protection and such data will only be processed with express consent from the data subject. Derogations are possible. Data processing covers most activities involving personal data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.

The GDPR is a cross-sectoral legislation. It applies to the insurance distribution sector but is not specific to it.

The GDPR and insurance intermediaries

Controllers or Processors or Joint Controllers?

In most cases, insurance intermediaries will process personal data on their own account and will act as data controllers.  In some others, intermediaries will act under clear processing instructions from a data controller (example: an insurer) and will be data processors. Intermediaries could also be joint controllers. The GDPR requires joint controllers to reach an arrangement to determine their respective responsibilities for compliance with the obligations under the GDPR.

Legal basis for processing sensitive data

A significant GDPR challenge for insurance intermediaries is the processing of sensitive and mainly health data. Under the GDPR, as a matter of principle, it is prohibited to process sensitive data. Derogations are provided to this general prohibition in the circumstances exhaustively described in Article 9§2. However, the processing of health data by insurance intermediaries does not readily fall in one of the exceptions to the general prohibition of the processing of personal data.  It should consequently be verified whether the processing of health data by insurance intermediaries can be covered under one of the derogations.

The May 2022 Commission’s proposed Regulation on the European Health Data Space (EHDS) builds on the GDPR and aims to “provide a trustworthy setting for secure access to and processing of a wide range of health data“. BIPAR will study the impact of the proposal on the sector and will monitor the EP and Council readings on it.

Read more

🍪 This website uses cookies

Cookies allow us to personalize the content and ads served to you, to provide social media features and to analyze our website traffic. We share information about the use of our site with our partners at; advertising and analytical purposes. Our partners may combine this data with other information that you have shared with them or that they have collected from your use of their services.

Show details
Strictly necessary
Necessary cookies contribute to the proper functioning of the website, such as the display of content, the connection, the validation of your session, the response to your request for services, etc. The website cannot function properly without these cookies.
Functionality
These cookies help us personalize content and functionality for you, including remembering changes you have made to parts of the website that you can customize, or selections for services made on previous visits. If you do not allow these cookies, some portions of our website may be less friendly and easy to use, forcing you to enter content or set your preferences on each visit.
Performance
These cookies allow us measure how visitors use our website, which pages are popular, and what our traffic sources are. This helps us improve how our website works and make it easier for all visitors to find what they are looking for. The information is aggregated and anonymous, and cannot be used to identify you. If you do not allow these cookies, we will be unable to use your visits to our website to help make improvements.
Targeting
These cookies are usually placed by third-party advertising networks, which may use information about your website visits to develop a profile of your interests. This information may be shared with other advertisers and/or websites to deliver more relevant advertising to you across multiple websites. If you do not allow these cookies, visits to this website will not be shared with advertising partners and will not contribute to targeted advertising on other websites.

Cookies are small text files used by websites to provide an optimal user experience.
By law, only cookies strictly necessary for the operation of this site may be stored on your device without your consent. For all other types of cookies, we require your permission.

This site uses different types of cookies. Some cookies are placed by third-party services that appear on our website pages.

To learn more about who we are and how we process your personal data, please read our privacy policy .

For any complaint concerning your consent, please indicate the ID of your consent and the date of it (information available on the page cookies ).

At any time, you can modify or withdraw your consent via the cookies page of our website.