Please find our commentary on GDPR (2016) here.
The EU General Data Protection Regulation (the "GDPR") was adopted in April 2016 and has applied in all EU Member States since 25 May 2018. The GDPR is binding in its entirety and directly applicable. It repealed the Data Protection Directive that provided the previous EU data protection rules. The national Data Protection Authorities (DPAs) are in charge of enforcing the new rules and coordinate their actions through new cooperation mechanisms and the European Data Protection Board (EDPB).
The GDPR only covers the processing of personal data: this is information that relates to a living identified or identifiable person (a data subject). Special categories of data, such as health data, are subject to additional protection, and such data may only be processed with express consent from the data subject. Derogations are possible.

Data processing covers most activities involving personal data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction. Therefore, any private company coming into contact with personal data is likely to be considered as processing such data.
The GDPR is a cross-sectoral piece of legislation. It applies to the insurance distribution sector but is not specific to it. Consequently, compliance with the Regulation has been challenging for intermediaries in some respects.

The GDPR takes the form of a Regulation, i.e. it is "binding in its entirety and directly applicable in all Member States". However, the GDPR makes provision for secondary legislation by way of Delegated and Implementing Acts to be adopted by the European Commission in various areas. The GDPR is also supplemented by guidelines issued by the European Data Protection Board (EDPB). Lastly, whilst the GDPR has the status of a Regulation, it includes some 50 provisions that permit EU Member States to retain national legislation.

For example, the GDPR provides for Member States to maintain or introduce further conditions, including limitations, with regard to the processing of health data. This may offer a means of addressing some of the challenges specifically faced by insurance intermediaries (see below).
The GDPR and insurance intermediaries
Insurance intermediaries, whether large firms or small offices, are confronted daily with the processing of data and are, therefore, directly affected by the GDPR. The data that insurance intermediaries process is necessary to provide quotations, arrange insurance cover, manage claims, handle client relationship management, etc.

In most cases, insurance intermediaries will process personal data on their own account and will act as data controllers. In some other cases, intermediaries will act under clear processing instructions from a data controller (for example, an insurer) and will be data processors. Intermediaries could also be joint controllers. The GDPR requires joint controllers to reach an arrangement determining their respective responsibilities for compliance with the obligations under the GDPR.
A significant GDPR challenge for insurance intermediaries is the processing of sensitive data, mainly health data. Under the GDPR, as a matter of principle, it is prohibited to process sensitive data. Exceptions to this general prohibition are provided only in the circumstances exhaustively described in Article 9(2).
However, the processing of health data by insurance intermediaries does not readily fall within one of the exceptions to the general prohibition on the processing of sensitive data. It should consequently be verified whether the processing of health data by insurance intermediaries can be covered by one of the derogations. The stakes are high: if the processing of sensitive data in the course of the intermediaries' operations does not fall within the provisions of Article 9(2), then the general principle applies and such processing is prohibited. Moreover, the data subject could require the intermediary to erase the sensitive data on the grounds that it is unlawfully processed. There are today divergent approaches between Member States on the legal basis for processing health data in an insurance context: in some countries, using the legal basis of Article 9(2)(g), legislation has been introduced allowing the processing of sensitive data without explicit permission in order to underwrite insurance contracts and to manage claims. In others, the legal basis used is Article 9(2)(h) of the GDPR. In yet other countries there are currently no special exceptions for the processing of sensitive data by the insurance sector.
The GDPR is supplemented by guidance issued by the European Data Protection Board (EDPB). The EDPB contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU's data protection authorities. The EDPB is composed of representatives of the national data protection authorities and the European Data Protection Supervisor (EDPS). The EDPB has several main tasks, such as issuing opinions, guidelines, recommendations and best practices to promote a common understanding of the GDPR.
Over the last year, the EDPB published several Guidelines, such as those on processing personal data in the context of connected vehicles and mobility-related applications (link), and a slightly updated version of its 2018 guidelines on consent under the GDPR (link), which clarify that consent obtained through cookie walls or by scrolling through a webpage is not legally valid.
In February 2019 the EDPB adopted its two-year work programme for 2019-2020 and announced the future adoption of additional Guidelines, such as the Guidelines on the notion of legitimate interest of the data controller (an update of the Article 29 Working Party ("WP29") Opinion) and the Guidelines on the concepts of controller and processor (an update of the WP29 Opinion). These are key issues for BIPAR and its members.
EDPB workshop on data rights under GDPR
On 4 November, the EDPB organised a stakeholders' workshop in Brussels on the topic of Data Subjects' Rights. The right of access to personal data, the right to rectification and the right to erasure, the right to restrict processing and the right to object, as introduced by the GDPR and implemented by EU Member States, were discussed during the workshop.
BIPAR was represented at this event and conveyed BIPAR’s observations on the impact of the implementation of these rights on the insurance distribution sector and its clients:
BIPAR participated and intervened during that event along the following lines:
The objective of the event was to seek stakeholders' views on the points they would like to see addressed in future guidelines on data subject rights.
Commission report on the GDPR
Just over one year after the entry into application of the GDPR, the European Commission published, at the end of July 2019, a report looking at the impact of the EU data protection rules and at how implementation can be improved further (link). In general, the report concludes that the new data protection rules have achieved many of their objectives: most Member States have set up the necessary legal framework, and the new system strengthening the enforcement of the data protection rules is falling into place. Businesses are developing a compliance culture, while citizens are becoming more aware of their rights. At the same time, convergence towards high data protection standards is progressing at international level.
As far as insurance sector issues are concerned, the report refers several times to the contribution of the European Commission Multi-stakeholder Expert Group to the Commission report. BIPAR is represented within that Group via SMEunited, of which BIPAR is a member. The Expert Group contribution includes many of the points that were made by BIPAR during the drafting of the paper. These points were prepared after various consultations of BIPAR members.
Among others, BIPAR's key points (included in the Multi-stakeholder Expert Group paper) are the following:
Building on the July 2019 report, the Commission is expected to issue its report on the implementation of the GDPR in June 2020 (Article 97 GDPR). The aim will be to assess the progress made after two years of application. The report is also expected to reflect the reality of the Covid-19 crisis (the use of data to fight the pandemic).
For that purpose, the Commission has to take into account the position of the Council of the EU and the position of the European Parliament, as well as other relevant sources, such as the European Data Protection Board (EDPB).
In its position published in February 2020, the EDPB explains that the application of the GDPR in this first year and a half has been successful. The EDPB emphasises that the GDPR is a technologically neutral framework designed to be comprehensive and to foster innovation by being able to adapt to different situations without being complemented by sector-specific legislation. The EDPB underlines that the GDPR is fully applicable to emerging technologies, and it will continue to elaborate on the impact of emerging technologies on the protection of personal data. The EDPB acknowledges that the implementation of the GDPR has been challenging, especially for small actors, most notably SMEs. After only 20 months of GDPR application, the EDPB takes a positive view of the implementation of the GDPR and is of the opinion that it is premature to revise the legislative text at this point in time. Rather than revising the GDPR itself, the EDPB calls upon the EU legislators, in particular the European Commission, to intensify efforts towards the adoption of an ePrivacy Regulation to complete the EU framework for data protection and confidentiality of communications.
In its response to the Commission's consultation on the future report on the GDPR evaluation, BIPAR explains that:
- It is important that the GDPR remains a flexible and technology-neutral framework and does not prevent innovation.
- It is important that the upcoming report also reflects the reality of the Covid-19 crisis, in particular the use of data to fight the pandemic, and addresses in this context issues such as the lawfulness of processing, the core principles relating to the processing of personal data, the use of mobile location data and employment.
- Published in June 2020 -