Page 21 - BIPAR Annual Report 2020

Page 21 - BIPAR Annual Report 2020_EN

P. 21

General Data Protection

Regulation (GDPR)

The General Data Protection EU Regulation (the “GDPR”) was adopted in April 2016. It applied in all EU  Legal basis for processing sensitive data version of its 2018 guidelines on consent under the GDPR
A significant GDPR challenge for insurance intermediaries (link) providing further clarifications on the fact that consent
Member States from 25 May 2018. The GDPR is binding in its entirety and directly applicable. The GDPR
is the processing of sensitive and mainly health data. Under obtained through cookie walls and scrolling through a
repealed the Data Protection Directive that provided the previous EU data protection rules.
the GDPR, as a matter of principle, it is prohibited to process webpage are not legally valid.
sensitive data. Exceptions are provided to this general
The GDPR only covers the processing of personal data: this is information that relates to a living prohibition in the circumstances exhaustively described in In February 2019 the EDPB Board adopted its two-year
Article 9 §2. work programme for 2019-2020 and announced the future
identified or identifiable person (a data subject). Special categories of data, such as health data, are
However, the processing of health data by insurance adoption of additional Guidelines, such as the Guidelines
subject to additional protection and such data will only be processed with express consent from the intermediaries does not readily fall in one of the exceptions on the notion of legitimate interest of the data controller
data subject. Derogations are possible. Data processing covers most activities involving personal to the general prohibition of the processing of personal (Update of the Article 29 Working Party –“WP29”- Opinion)
data. It should consequently be verified whether the and the Guidelines on concepts of controller and processor
data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval,
processing of health data by insurance intermediaries can (Update of the WP29 Opinion). These are key issues for
consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment
be covered under one of the derogations. The stakes are BIPAR and its members.
or combination, restriction, erasure and destruction. Therefore, any private company coming into high: if the processing of sensitive data in the course of the

contact with personal data is likely to be considered as processing such data. intermediaries’ operations does not fall within the provisions EDPB workshop on data rights under GDPR
of Article 9§2, then the general principle applies and such On 4th November, the EDPB organised a stakeholders’
processing is prohibited. Moreover, the data subject could workshop in Brussels on the topic of Data Subjects Rights.
The GDPR is a cross-sectoral legislation. It applies to the insurance distribution sector but is not specific require the intermediary to erase the sensitive data on The right of access to personal data, the right to rectification
to it. Consequently, compliance with the Regulation has been challenging for intermediaries in some the grounds that they are unlawfully processed. There and right to erasure, the right to restrict processing and right
are today divergences of approaches between Member to object, as introduced by the GDPR and implemented by
respects.
States on the legal basis for processing health data in an EU Member States were discussed during the workshop.
insurance context: In some countries, using the legal basis
of Article 9(2)(g), legislation has been introduced allowing BIPAR was represented at this event and conveyed BIPAR’s
The GDPR takes the form of a Regulation, i.e. it is “binding in its entirety and directly applicable in all
the processing of sensitive data without explicit permission observations on the impact of the implementation of these
Member States.” However, the GDPR makes provision for secondary legislation by way of Delegated to underwrite insurance contracts and to manage claims. rights on the insurance distribution sector and its clients:

and Implementing Acts to be adopted by the European Commission in various areas. The GDPR is also In some others the legal basis used is Article 9(2)(h) of
the GDPR. In some other countries there are currently no BIPAR participated and intervened during that even along
supplemented by guidelines issued by the European Data Protection Board (EDPB). Lastly, whilst the
special exceptions for the processing of sensitive data by the following lines:
GDPR has the status of a Regulation, it includes some 50 provisions that permit EU Member States to the insurance sector. - The insurance distribution sector uses data to

retain national legislation. For example, the GDPR provides for Member States to maintain or introduce improve the products and services offered to insureds and
EDPB Guidelines to rate risks more accurately.
further conditions, including limitations with regard to the processing of health data. This may offer a
The GDPR is supplemented by guidance issued by the - Data is used by the sector to prevent financial
means of addressing some of the challenges specifically faced by insurance intermediaries (see below).
European Data Protection Board (EDPB). The EDPB crime and money laundering. Digital identity can help
contributes to the consistent application of data protection address financial crime and safeguard customers.
rules throughout the European Union and promotes - Effective use of data by our sector is enabling a
cooperation between the EU’s data protection authorities. better understanding by business of their risks and the role
The GDPR and insurance intermediaries
The EDPB is composed of representatives of the national data of insurance in mitigating those risks.
protection authorities, and the European Data Protection - There is a challenge in getting individuals to
Supervisor (EDPS). The EDPB has different main tasks, such understand how the insurance and wider financial services
Controllers or Processors or Joint Controllers? as issuing opinions, guidelines, recommendations and sector uses personal data and getting insureds to read
Insurance intermediaries, whether large firms or small offices, are confronted daily with the processing of data and best practices to promote a common understanding of the even very good privacy policies.
are, therefore, directly affected by the GDPR. The data that insurance intermediaries process is necessary to provide GDPR. - There is a lack of awareness and sometimes
quotations, arrange insurance cover, manage claims and for client relationship management, etc. In most cases, misunderstanding of the scope of data subject rights.
insurance intermediaries will process personal data on their own account and will act as data controllers. In some others, Over the last year, the EDPB published different Guidelines - Data Subject Access Requests are regularly used as
intermediaries will act under clear processing instructions from a data controller (example: an insurer) and will be data such as the ones on the connected vehicles on processing a pre-litigation tool rather than for their intended purpose
processors. Intermediaries could also be joint controllers. The GDPR requires joint controllers to reach an arrangement to personal data in the context of connected vehicles and to protect the rights of individuals.
determine their respective responsibilities for compliance with the obligations under the GDPR.
mobility related applications (link), a slightly updated - There is sometimes a misunderstanding by

20 21

16 17 18 19 20 21 22 23 24 25 26