Data protection

Please find our commentary on GDPR (2016) here.

The EU General Data Protection Regulation (the "GDPR") was adopted in April 2016 and has applied in all EU Member States since 25 May 2018. The GDPR is binding in its entirety and directly applicable. It repealed the Data Protection Directive (Directive 95/46/EC) that provided the previous EU data protection rules. The national Data Protection Authorities (DPAs) are in charge of enforcing the new rules and coordinate their actions through new cooperation mechanisms and the European Data Protection Board (EDPB).

The GDPR only covers the processing of personal data: this is information that relates to a living identified or identifiable person (a data subject). Special categories of data, such as health data, are subject to additional protection and may only be processed where one of the grounds listed in Article 9(2) applies, the most obvious of which is the explicit consent of the data subject; further derogations are possible. Data processing covers most activities involving personal data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction. Therefore, any private company coming into contact with personal data is likely to be considered as processing such data.

The GDPR is a cross-sectoral legislation. It applies to the insurance distribution sector but is not specific to it. Consequently, compliance with the Regulation has been challenging for intermediaries in some respects.

The GDPR takes the form of a Regulation, i.e. it is "binding in its entirety and directly applicable in all Member States". However, the GDPR makes provision for secondary legislation by way of Delegated and Implementing Acts to be adopted by the European Commission in various areas. The GDPR is also supplemented by guidelines issued by the European Data Protection Board (EDPB). Lastly, whilst the GDPR has the status of a Regulation, it includes some 50 provisions that permit EU Member States to retain or introduce national legislation. For example, the GDPR provides for Member States to maintain or introduce further conditions, including limitations, with regard to the processing of health data. This may offer a means of addressing some of the challenges specifically faced by insurance intermediaries (see below).

The GDPR and insurance intermediaries

  • Controllers or Processors or Joint Controllers?
  • Legal basis for processing sensitive data

Insurance intermediaries, whether large firms or small offices, are confronted daily with the processing of data and are, therefore, directly affected by the GDPR. The data that insurance intermediaries process is necessary to provide quotations, arrange insurance cover, manage claims, handle client relationship management, etc. In most cases, insurance intermediaries will process personal data on their own account and will act as data controllers. In other cases, intermediaries will act under clear processing instructions from a data controller (for example, an insurer) and will be data processors. Intermediaries could also be joint controllers. The GDPR requires joint controllers to reach an arrangement determining their respective responsibilities for compliance with the obligations under the GDPR.

A significant GDPR challenge for insurance intermediaries is the processing of sensitive data, mainly health data. Under the GDPR, as a matter of principle, it is prohibited to process sensitive data. Exceptions to this general prohibition are provided only in the circumstances exhaustively described in Article 9(2).

However, the processing of health data by insurance intermediaries does not readily fall within one of the exceptions to the general prohibition on the processing of sensitive data. It should consequently be verified whether the processing of health data by insurance intermediaries can be covered under one of the derogations. The stakes are high: if the processing of sensitive data in the course of the intermediaries' operations does not fall within the provisions of Article 9(2), then the general principle applies and such processing is prohibited. Moreover, the data subject could require the intermediary to erase the sensitive data on the grounds that they are unlawfully processed. There are today divergent approaches between Member States on the legal basis for processing health data in an insurance context. In some countries, relying on Article 9(2)(g), legislation has been introduced allowing the processing of sensitive data without explicit consent in order to underwrite insurance contracts and to manage claims. In others, the legal basis used is Article 9(2)(h) of the GDPR. In yet other countries there are currently no special exceptions for the processing of sensitive data by the insurance sector.

EDPB Guidelines

The GDPR is supplemented by guidance issued by the European Data Protection Board (EDPB). The EDPB contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU's data protection authorities. The EDPB is composed of representatives of the national data protection authorities and the European Data Protection Supervisor (EDPS). Its main tasks include issuing opinions, guidelines, recommendations and best practices to promote a common understanding of the GDPR.

Over the last year, the EDPB has published several sets of Guidelines, such as the Guidelines on processing personal data in the context of connected vehicles and mobility-related applications, and a slightly updated version of its 2018 Guidelines on consent under the GDPR, which clarifies that consent obtained through cookie walls or by scrolling through a webpage is not legally valid.

In February 2019 the EDPB adopted its two-year work programme for 2019-2020 and announced the future adoption of additional Guidelines, such as the Guidelines on the notion of legitimate interest of the data controller (an update of the Article 29 Working Party ("WP29") Opinion) and the Guidelines on the concepts of controller and processor (an update of the WP29 Opinion). These are key issues for BIPAR and its members.

EDPB workshop on data rights under GDPR

On 4 November, the EDPB organised a stakeholders' workshop in Brussels on the topic of data subject rights. The right of access to personal data, the right to rectification, the right to erasure, the right to restrict processing and the right to object, as introduced by the GDPR and implemented by EU Member States, were discussed during the workshop.

BIPAR was represented at this event and intervened to convey its observations on the impact of the implementation of these rights on the insurance distribution sector and its clients, along the following lines:

  • The insurance distribution sector uses data to improve the products and services offered to insureds and to rate risks more accurately.
  • Data is used by the sector to prevent financial crime and money laundering. Digital identity can help address financial crime and safeguard customers.
  • Effective use of data by our sector is enabling a better understanding by business of their risks and the role of insurance in mitigating those risks.
  • There is a challenge in getting individuals to understand how the insurance and wider financial services sector uses personal data and getting insureds to read even very good privacy policies.
  • There is a lack of awareness and sometimes misunderstanding of the scope of data subject rights.
  • Data Subject Access Requests are regularly used as a pre-litigation tool rather than for their intended purpose to protect the rights of individuals.
  • There is sometimes a misunderstanding by individuals that their right to privacy is synonymous with a right to anonymity.

The objective of the event was to seek stakeholders' views on the points they would like to see addressed in future guidelines on data subject rights.

Commission report on the GDPR

Just over one year after the entry into application of the GDPR, the European Commission published, at the end of July 2019, a report looking at the impact of the EU data protection rules and at how implementation can be improved further. In general, the report concludes that the new data protection rules have achieved many of their objectives: most Member States have set up the necessary legal framework, and the new system strengthening the enforcement of the data protection rules is falling into place. Businesses are developing a compliance culture, while citizens are becoming more aware of their rights. At the same time, convergence towards high data protection standards is progressing at international level.

As far as insurance sector issues are concerned, the report refers several times to the contribution of the European Commission's Multi-stakeholder Expert Group to the Commission report. BIPAR is represented within that Group via SMEunited, of which BIPAR is a member. The Expert Group's contribution includes many of the points that were made by BIPAR during the drafting of the paper. These points were prepared after various consultations of BIPAR members.

Among others, BIPAR's key points (included in the Multi-stakeholder Expert Group paper) are the following:

  • BIPAR and its members value the importance of codes of conduct in helping them comply with the GDPR.
  • BIPAR notes positively the achievements of the EDPB in fostering a consistent application of the rules in the EU and encourages it to continue its work in preventing fragmentation in the approach taken on the interpretation of the GDPR by DPAs.
  • BIPAR mentions the difficulties of its members in complying with requirements vis-à-vis data subjects who are not parties to the contracts.
  • BIPAR mentions the difficulties of its members in requesting explicit consent for processing health-related data in insurance contracts where the processing of such data is necessary to execute the contract correctly. Different justifications under Article 9 GDPR are being used across Member States for processing health data in an insurance context. BIPAR suggested that a more harmonised approach would be useful.
  • BIPAR would welcome further clarification by the EDPB of the notions of controller and processor, including further examples of how the controller/processor determination is made, in particular in relation to specialist service providers such as insurance intermediaries where they process personal data in accordance with their regulatory and/or professional obligations.

Building on the July 2019 report, the Commission is expected to issue its report on the implementation of the GDPR in June 2020 (Article 97 GDPR). The aim will be to assess the progress made after two years of application. The report is also expected to reflect the Covid-19 crisis reality (the use of data to fight the pandemic).

For that purpose, the Commission has to take into account the positions of the Council of the EU and of the European Parliament, but also other relevant sources, such as the European Data Protection Board (EDPB).

In its position published in February 2020, the EDPB explains that the application of the GDPR in this first year and a half has been successful. The EDPB emphasises that the GDPR is a technologically neutral framework designed to be comprehensive and to foster innovation by adapting to different situations without needing to be complemented by sector-specific legislation. The EDPB underlines that the GDPR is fully applicable to emerging technologies and that it will continue to elaborate on the impact of emerging technologies on the protection of personal data. The EDPB acknowledges that the implementation of the GDPR has been challenging, especially for small actors, most notably SMEs. After only 20 months of GDPR application, the EDPB takes a positive view of the implementation of the GDPR and is of the opinion that it is premature to revise the legislative text at this point in time. Rather than revising the GDPR itself, the EDPB calls upon the EU legislators, in particular the European Commission, to intensify efforts towards the adoption of an ePrivacy Regulation to complete the EU framework for data protection and confidentiality of communications.

In its response to the Commission's consultation on the future report on the GDPR evaluation, BIPAR explains that:

  • The EU, and in particular its GDPR, is today a global reference point for data protection rules. This is a huge achievement. The evaluation of that key Regulation that the European Commission is currently carrying out is important.
  • The insurance distribution industry has invested a lot of time and money to comply with the GDPR. Its implementation has been, and still is, challenging for our industry, especially for SME intermediaries.
  • It is premature to reopen and amend the GDPR today, as there is a lack of clear and comprehensive experience in the application of the text. Any review of the GDPR should lead to changes only where there is clear evidence of concrete benefits, based upon a strong economic rationale.
  • It is important that the GDPR remains a flexible and technology-neutral framework and does not prevent innovation.
  • It is important that the upcoming report also reflects the Covid-19 crisis reality, and in particular the use of data to fight the pandemic, and addresses in this context issues such as the lawfulness of processing, the core principles relating to the processing of personal data, the use of mobile location data and employment.

Published in June 2020