Page 20 - BIPAR Annual Report 2020_EN short
P. 20

General Data Protection




          Regulation (GDPR)








           The General Data Protection EU Regulation (the “GDPR”) was adopted in April 2016. It applied in all EU                         Legal basis for processing sensitive data   version of its 2018 guidelines on consent under the GDPR
                                                                                                                                   A significant GDPR challenge for insurance intermediaries   (link) providing further clarifications on the fact that consent
          Member States from 25 May 2018. The GDPR is binding in its entirety and directly applicable. The GDPR
                                                                                                                                   is the processing of sensitive and mainly health data. Under   obtained through cookie walls and scrolling through a
                    repealed the Data Protection Directive that provided the previous EU data protection rules.
                                                                                                                                   the GDPR, as a matter of principle, it is prohibited to process   webpage are not legally valid.
                                                                                                                                   sensitive  data.  Exceptions  are  provided  to  this  general
                 The GDPR only covers the processing of personal data: this is information that relates to a living                prohibition in the circumstances exhaustively described in   In  February 2019 the EDPB Board adopted its two-year
                                                                                                                                   Article 9 §2.                                       work programme for 2019-2020 and announced the future
             identified or identifiable person (a data subject). Special categories of data, such as health data, are
                                                                                                                                   However, the processing of health data by insurance   adoption of additional Guidelines, such as  the Guidelines
             subject to additional protection and such data will only be processed with express consent from the                   intermediaries does not readily fall in one of the exceptions   on the notion of legitimate interest of the data controller
               data subject. Derogations are possible.  Data processing covers most activities involving personal                  to the general prohibition of the processing of personal   (Update of the Article 29 Working Party –“WP29”- Opinion)
                                                                                                                                   data.    It  should  consequently  be  verified  whether  the   and the Guidelines on concepts of controller and processor
                data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval,
                                                                                                                                   processing of health data by insurance intermediaries can   (Update  of  the  WP29  Opinion).  These  are  key  issues  for
           consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment
                                                                                                                                   be covered under one of the derogations. The stakes are   BIPAR and its members.
               or combination, restriction, erasure and destruction. Therefore, any private company coming into                    high: if the processing of sensitive data in the course of the

                                contact with personal data is likely to be considered as processing such data.                     intermediaries’ operations does not fall within the provisions   EDPB workshop on data rights under GDPR
                                                                                                                                   of Article 9§2, then the general principle applies and such   On 4th November, the EDPB organised a stakeholders’
                                                                                                                                   processing is prohibited.  Moreover, the data subject could   workshop in Brussels on the topic of Data Subjects Rights.
          The GDPR is a cross-sectoral legislation. It applies to the insurance distribution sector but is not specific            require  the  intermediary  to  erase  the  sensitive  data  on   The right of access to personal data, the right to rectification
            to it. Consequently, compliance with the Regulation has been challenging for intermediaries in some                    the grounds that they are unlawfully processed. There   and right to erasure, the right to restrict processing and right
                                                                                                                                   are  today  divergences  of  approaches  between  Member   to object, as introduced by the GDPR and implemented by
                                                                                         respects.
                                                                                                                                   States on the legal basis for processing health data in an   EU Member States  were discussed during the workshop.
                                                                                                                                   insurance context: In some countries, using the legal basis
                                                                                                                                   of Article 9(2)(g), legislation has been introduced allowing   BIPAR was represented at this event and conveyed BIPAR’s
               The GDPR takes the form of a Regulation, i.e. it is “binding in its entirety and directly applicable in all
                                                                                                                                   the processing of sensitive data without explicit permission   observations on the impact of the implementation of these
              Member States.” However, the GDPR makes provision for secondary legislation by way of Delegated                      to underwrite insurance contracts and to manage claims.   rights on the insurance distribution sector and its clients:

             and Implementing Acts to be adopted by the European Commission in various areas. The GDPR is also                     In some others the legal basis used is Article 9(2)(h) of
                                                                                                                                   the GDPR. In some other countries there are currently no   BIPAR participated and intervened during that even along
              supplemented by guidelines issued by the European Data Protection Board (EDPB). Lastly, whilst the
                                                                                                                                   special exceptions for the processing of sensitive data by   the following lines:
              GDPR has the status of a Regulation, it includes some 50 provisions that permit EU Member States to                  the insurance sector.                               -      The  insurance  distribution  sector  uses  data  to

            retain national legislation.  For example, the GDPR provides for Member States to maintain or introduce                                                                    improve the products and services offered to insureds and
                                                                                                                                   EDPB Guidelines                                     to rate risks more accurately.
              further conditions, including limitations with regard to the processing of health data. This may offer a
                                                                                                                                   The  GDPR  is  supplemented  by  guidance  issued  by  the   -   Data  is  used  by  the  sector  to  prevent  financial
           means of addressing some of the challenges specifically faced by insurance intermediaries (see below).
                                                                                                                                   European Data Protection Board (EDPB). The EDPB     crime and money laundering. Digital identity can help
                                                                                                                                   contributes to the consistent application of data protection   address financial crime and safeguard customers.
                                                                                                                                   rules throughout the European Union and promotes    -      Effective use of data by our sector is enabling a
                                                                                                                                   cooperation between the EU’s data protection authorities.   better understanding by business of their risks and the role
          The GDPR and insurance intermediaries
                                                                                                                                   The EDPB is composed of representatives of the national data   of insurance in mitigating those risks.
                                                                                                                                   protection authorities, and the European Data Protection   -   There is a challenge in getting individuals to
                                                                                                                                   Supervisor (EDPS). The EDPB has different main tasks, such   understand how the insurance and wider financial services
          Controllers or Processors or Joint Controllers?                                                                          as issuing opinions, guidelines, recommendations and   sector uses personal data and getting insureds to read
          Insurance  intermediaries,  whether  large  firms  or  small  offices,  are  confronted  daily  with  the  processing  of  data  and   best practices to promote a common understanding of the   even very good privacy policies.
          are, therefore, directly affected by the GDPR. The data that insurance intermediaries process is necessary to provide    GDPR.                                               -      There is a lack of awareness and sometimes
          quotations,  arrange  insurance  cover,  manage  claims  and  for  client  relationship  management,  etc.    In  most  cases,                                               misunderstanding of the scope of data subject rights.
          insurance intermediaries will process personal data on their own account and will act as data controllers.  In some others,   Over the last year, the EDPB published different Guidelines   -   Data Subject Access Requests are regularly used as
          intermediaries will act under clear processing instructions from a data controller (example: an insurer) and will be data   such as the ones on the connected vehicles on processing   a pre-litigation tool rather than for their intended purpose
          processors. Intermediaries could also be joint controllers. The GDPR requires joint controllers to reach an arrangement to   personal  data  in  the  context  of  connected  vehicles  and   to protect the rights of individuals.
          determine their respective responsibilities for compliance with the obligations under the GDPR.
                                                                                                                                   mobility related applications (link),  a slightly updated   -   There is sometimes a misunderstanding by



                                                            20                                                                                                                     21
   15   16   17   18   19   20   21   22   23   24   25