Data protection

Please find our commentary on GDPR (2016) here.

  • The General Data Protection EU Regulation (the "GDPR") was adopted in April 2016. It applied in all EU Member States from 25 May 2018. The GDPR is binding in its entirety and directly applicable. The national Data Protection Authorities (DPAs) are in charge of enforcing the new rules and are coordinating their actions through new cooperation mechanisms and the European Data Protection Board (EDPB).

The GDPR only covers the processing of personal data: this is information that relates to a living identified or identifiable person (a data subject). Special categories of data, such as health data, are subject to additional protection and such data will only be processed with express consent from the data subject. Derogations are possible. Data processing covers most activities involving personal data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.

The GDPR is a cross-sectoral legislation. It applies to the insurance distribution sector but is not specific to it.

The GDPR and insurance intermediaries

  • Controllers or Processors or Joint Controllers?
  • Legal basis for processing sensitive data

In most cases, insurance intermediaries will process personal data on their own account and will act as data controllers. In other cases, intermediaries will act under clear processing instructions from a data controller (for example, an insurer) and will be data processors. Intermediaries could also be joint controllers. The GDPR requires joint controllers to reach an arrangement determining their respective responsibilities for compliance with the obligations under the GDPR.

A significant GDPR challenge for insurance intermediaries is the processing of sensitive data, mainly health data. Under the GDPR, as a matter of principle, it is prohibited to process sensitive data. Derogations from this general prohibition are provided in the circumstances exhaustively described in Article 9 §2. However, the processing of health data by insurance intermediaries does not readily fall within one of the exceptions to the general prohibition. It should consequently be verified whether the processing of health data by insurance intermediaries can be covered by one of the derogations. There are today divergences of approach between Member States on the legal basis for processing health data in an insurance context: in some countries, using the legal basis of Article 9(2)(g), legislation has been introduced allowing the processing of sensitive data without explicit permission in order to underwrite insurance contracts and to manage claims. In others, the legal basis used is Article 9(2)(h) of the GDPR. In some other countries there are currently no special exceptions for the processing of sensitive data by the insurance sector.

Commission's evaluation report and Parliament's resolution on the application of the GDPR

At the end of June 2020, the Commission published its report on the GDPR evaluation. The Commission is of the view that it would be premature at this stage to draw definite conclusions regarding the application of the GDPR. The GDPR proved flexible enough to support digital solutions in unforeseen circumstances such as the Covid-19 crisis. The EDPB is invited to review its guidelines or clarify key GDPR concepts. BIPAR responded to the Commission's consultation on its draft report.

At the end of March 2021, the EP adopted a resolution on the Commission's GDPR evaluation report. The MEPs agree with the Commission that it is not necessary to update or review the GDPR until the Commission’s next evaluation (in 3 years).

EDPB Guidelines

The GDPR is supplemented by guidance issued by the EDPB. Over the last years, the EDPB has published different guidelines on key GDPR issues. In September 2020, the EDPB published its draft Guidelines on the concepts of controller and processor in the GDPR. The application of these concepts to insurance intermediaries has been challenging and continues to be in some markets. The main aim of the Guidelines is to clarify the meaning of the two concepts and to clarify the different roles and the distribution of responsibilities between these actors. They include detailed guidance on the main consequences of attributing these different roles as well as a useful flow chart to identify controllers, processors and joint controllers in practice. They are expected to be adopted by mid-2021.

BIPAR participated in the EDPB consultation on the draft guidelines. BIPAR’s key issues concern the possible overlapping of qualifications from different regulations/legislations and its impact on the autonomous character of the concept of controller, the cumulative criteria (acting on the purposes and also on the means of a processing operation) for qualifying as joint controllers, the criteria used to determine the qualification of different actors involved in the same processing activity, and the different requirements pursuant to Article 32.

In February 2021, the EDPB published its draft guidelines on examples (including in the insurance distribution sector) regarding data breach notification. The GDPR introduced the requirement for a personal data breach to be notified to the competent national supervisory authority and, in certain cases, to be communicated to the individuals whose personal data have been affected by the breach. The EDPB draft guidelines are a “practice-oriented, case-based guidance that utilizes the experiences gained by Data protection Authorities since the GDPR is applicable” and aim to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment. The draft guidelines contain an inventory of data breach notification cases that are deemed most common by the national supervisory authorities, such as ransomware attacks, lost or stolen devices/paper documents and internal human risk sources. They are expected to be adopted at the end of 2021/early 2022.

The EDPB is also expected to publish draft guidelines on the data subject rights and the legitimate interest in 2021.

The transfer of personal data from the European Economic Area (EEA) to third countries

  • UK adequacy decision

In February 2021, the Commission launched the process towards the adoption of the adequacy decisions for transfers of personal data from the EU to the United Kingdom under the GDPR. The decisions, once/if adopted, will replace the current interim solution, agreed under the EU-UK Trade and Cooperation Agreement, which allows companies and organisations to transfer personal data from the EU to the UK up until 30 June 2021. The adequacy decision will be reviewed by the Commission every 4 years. If no adequacy decision is reached at the end of the transitional period (very unlikely), the UK becomes a third country without an adequacy decision. The transfer of personal data between the UK and the EEA will then be restricted unless appropriate safeguards (SCCs, binding corporate rules and other GDPR tools) are in place, or the transfer benefits from one of the statutory exceptions.

In April 2021, the EDPB issued its non-binding opinion on the Commission's draft adequacy decision. It recognises many areas of convergence between the UK and the EU data protection frameworks. At the same time, the EDPB has identified a number of challenges that will need to be addressed by the Commission. The EDPB invites the Commission to monitor all relevant developments in the UK that may have an impact on the essential equivalence of the level of protection of personal data, and to take swift and appropriate action where necessary.

In a resolution adopted in mid-May 2021, the European Parliament takes the view that the Commission's draft adequacy decisions are not consistent with EU law and asks the Commission to modify its draft decisions in response to the concerns raised by the EDPB in its opinion. The resolution states that, if the decisions are adopted without changes, national data protection authorities should suspend transfers of personal data to the UK when indiscriminate access to personal data is possible.

  • Review of the Standard Contractual Clauses

The European Commission is revising its Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries to make sure that the SCCs are fully in line with the GDPR, cover more scenarios of data transfers and take into account the ECJ rulings (in particular, the July 2020 Schrems II judgement). SCCs are the mechanism most frequently used by firms in the EEA when transferring data abroad, i.e. outside the EEA. On 12 November 2020, the Commission published its draft set of new SCCs. BIPAR participated in the Commission consultation, explaining that the practical implementation of some of the SCCs' (unrealistic) requirements may prove very challenging for data importers and exporters to comply with. With regard to SME data exporters in particular, assessing, for example, the adequacy of the legal system of data importers in protecting the rights of data subjects may be burdensome and difficult. The adoption of the revised SCCs is expected in May 2021.
