Please find our commentary on GDPR (2016) here.
The EU General Data Protection Regulation (the "GDPR") was adopted in April 2016 and applies in all EU Member States from 25 May 2018. The GDPR is binding in its entirety and directly applicable. It repealed the Data Protection Directive (Directive 95/46/EC), which provided the previous EU data protection rules.
The GDPR only covers the processing of personal data, that is, information relating to a living, identified or identifiable natural person (a data subject). Special categories of data, such as health data, enjoy additional protection: their processing is prohibited unless one of the exceptions in Article 9(2) applies, such as the data subject's explicit consent. Member States may provide for further derogations.
Data processing covers most activities involving personal data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction. Therefore, any private company coming into contact with personal data is likely to be considered as processing such data.
The Regulation, a cross-sectoral text, did not take into consideration the characteristics of the insurance sector. Some of its provisions may therefore be difficult for intermediaries to comply with and may generate unintended consequences for the insurance sector and individuals, as well as excessive and unnecessary administrative burdens, especially for SMEs.

Although data protection compliance is not new for intermediaries, the GDPR introduces new duties and responsibilities for them, and the sanctions applicable in case of a breach of data protection rules are much higher than before.

The GDPR takes the form of a Regulation, i.e. it is "binding in its entirety and directly applicable in all Member States". However, the GDPR makes provision for secondary legislation by way of Delegated and Implementing Acts to be adopted by the European Commission in various areas. The GDPR is also supplemented by guidelines issued by the Article 29 Working Party ("WP29"), made up of representatives of the national Data Protection Authorities of each EU Member State, and, since 25 May 2018, by its successor, the European Data Protection Board ("EDPB"). Lastly, whilst the GDPR has the status of a Regulation, it includes some 50 provisions that permit EU Member States to retain or adopt national legislation. For example, the GDPR allows Member States to maintain or introduce further conditions, including limitations, with regard to the processing of health data. This may offer a means of addressing some of the challenges specifically faced by insurance intermediaries (see below).
In order to facilitate the application of the GDPR as of May 2018, the Commission published guidance in January 2018 recalling the main elements of the new data protection rules.
The Commission also launched a practical online tool to help citizens, businesses (in particular SMEs) and other organisations to comply with and benefit from the new data protection rules. BIPAR participated in the preparation of this tool.
BIPAR commentary on the GDPR: Together with the law firm Steptoe, BIPAR issued in July 2016 a commentary on the GDPR for its national associations. It aimed to offer guidance to the members of insurance intermediaries' associations in preparing for the application of the GDPR. It provides concrete explanations of the data protection requirements intermediaries have to comply with under the GDPR, in particular regarding key elements for intermediaries such as the legal basis for the processing of data, data subjects' rights, privacy programme management, supervisory oversight, the rules regarding fines and responsibilities, and the transfer of data outside the European Union.
Insurance intermediaries, whether large firms or small offices, process personal data daily and are therefore directly affected by the GDPR. The data that insurance intermediaries process is necessary to provide quotations, arrange insurance cover, manage claims, handle client relationship management, etc.

In most cases, insurance intermediaries process personal data on their own account and act as data controllers. In other cases, intermediaries act under clear processing instructions from a data controller (for example, an insurer) and are data processors. Intermediaries may also be joint controllers; the GDPR requires joint controllers to reach an arrangement determining their respective responsibilities for compliance with its obligations.
In the context of the GDPR implementation, it has been observed in some markets that certain product providers/insurers seek to restrict intermediaries' access to clients' data, in particular in the data traffic between client and insurer, by unilaterally imposing the role of "processor" on intermediaries, i.e. treating them as processing clients' personal data on behalf of a "controller". This is a serious issue. In May 2018, BIPAR made its member associations aware that, provided the intermediary meets the relevant conditions, it can be a controller, a joint controller or a processor acting on behalf of a controller under the GDPR. Where applicable, the division of responsibilities and data access between the intermediary and the insurer or product provider can be dealt with, for example, by way of agreements or associations' codes of conduct.
One of the novelties in the GDPR is the obligation, in the cases set out in Article 37, for data controllers and data processors to appoint a "Data Protection Officer" (DPO). BIPAR asked the law firm DALDEWOLF to write an article for BIPAR on this issue and to examine under which conditions an organisation must appoint a DPO in order to comply with the GDPR, since for insurance intermediaries the answer to this question is not self-evident.
According to DALDEWOLF, "An insurance intermediary has a certain margin to assess whether or not its activities are such data intense activities that the designation of a DPO is mandatory. Regardless of the conclusion, it is of utmost importance that the internal analysis be documented and that the reasoning and the factors taken into consideration for the analysis be apparent in the documentation. Moreover, an intermediary may not consider it mandatory for it to appoint a DPO, but it may well see the benefits of doing so on a voluntary basis. The data protection supervisory authorities and the Article 29 Working Party encourage the voluntary designation of a DPO to facilitate compliance".
One of the biggest GDPR challenges for insurance intermediaries is the processing of sensitive personal data. Under the GDPR, as a matter of principle, it is prohibited to process sensitive data. Exceptions to this general prohibition are provided only in the circumstances exhaustively listed in Article 9(2). However, the processing of sensitive data (e.g. health data) by insurance intermediaries does not readily fall within any of these exceptions. It should consequently be verified whether the processing of health data by insurance intermediaries can be covered by one of the derogations. The stakes are high: if the processing of sensitive data in the course of an intermediary's operations does not fall within Article 9(2), the general principle applies and such processing is prohibited. Moreover, the data subject could require the intermediary to erase the sensitive data on the grounds that they are unlawfully processed, and the intermediary would be exposed to fines. BIPAR asked the law firm DALDEWOLF to write an article for BIPAR on this issue, in which DALDEWOLF examines several legal grounds for derogating from the general prohibition on processing sensitive data.
The GDPR is supplemented by guidance issued by the Article 29 Working Party ("WP29"), whose role has since been taken over by the European Data Protection Board. The WP29 published guidelines on the following issues: Data Protection Impact Assessment (DPIA), data portability, the Data Protection Officer (DPO), the lead supervisory authority, consent, transparency, the application and setting of administrative fines, automated individual decision-making and profiling, and personal data breach notification.
The WP29 also issued working documents on Binding Corporate Rules (BCR) and on the Adequacy Referential. These are important with regard to international transfers: BCR are one of the legal bases for transferring personal data from the EU to third countries, and a Commission adequacy decision is another (the EU-US Privacy Shield being an example of such a decision); standard contractual clauses are a further mechanism. This is of significant relevance in the context of Brexit, in particular for transfers of personal data from the EU to the UK, which is very likely to be considered a third country for the purposes of the GDPR after it exits the EU.
Before publishing its guidelines, the WP29 consulted the stakeholders concerned, and BIPAR submitted comments on some of them. To provide interpretation on further aspects of the GDPR, work continues on guidelines on certification, the territorial scope of the GDPR (Article 3 GDPR) and codes of conduct (Articles 40 and 41 GDPR). Moreover, the WP29 was given a mandate to develop guidance on Article 6(1)(b) GDPR (processing necessary for the performance of a contract), in particular in the context of the provision of "free" online services.
On 19 April 2018 the WP29 published a position paper on Article 30(5) of the GDPR. Article 30 obliges controllers and processors to keep a record of their processing activities. Paragraph 5 provides an important exemption from this obligation for organisations with fewer than 250 employees, but the exemption does not apply, among other cases, where the processing is "not occasional". Together with UEAPME (the European association representing SMEs, of which BIPAR is a member), BIPAR is concerned that a strict reading of this condition could result in practically all SMEs losing the exemption, since most of them process personal data routinely. In its position paper the WP29 adopts a strict reading of Article 30(5), but it also "recognises that Article 30 represents a new administrative requirement for controllers and processors, and therefore encourages national Supervisory Authorities to support SMEs by providing tools to facilitate the set-up and management of records of processing activities".
In order to prepare for the timely and proper implementation of the GDPR, the Article 29 Working Party organised several "Fablab" workshops over the last two years. The latest took place on 18 October 2017 in Brussels and enabled participants, including BIPAR, to discuss transparency and international transfers. The Fablab's objective is to "feed" the Article 29 Working Party's development of best practices and guidelines.
On 27 November 2017 BIPAR attended a conference organised by the European Commission (DG Justice) and UEAPME on the GDPR implementation by SMEs. The event allowed BIPAR to have a direct dialogue with the Commission concerning the implementation of the GDPR and to share experiences and good practices in order to identify drivers and challenges with respect to the processing of personal data by SMEs and organisations.
The Commission's Multi-stakeholder Expert Group on the GDPR advises the European Commission on all issues related to the GDPR implementation. A representative of the European Federation of SMEs, of which BIPAR is a member, is a member of this Expert Group.
Together with the law firm Steptoe, BIPAR organised a webinar for its member associations on 16 April 2018. It addressed key issues for insurance intermediaries such as consent, the DPO, data breaches, and sanctions and liability.