Following an audit of the insurance sector, the Commissioner for Personal Data Protection (the Commissioner) has published her findings on the improvements that must be made and completed before the end of June.
This report points out the main areas in which insurance companies are lagging behind and what they need to do to comply with the General Data Protection Regulation (GDPR).
Who will benefit from the report?
The report is of particular relevance for the whole insurance sector, for both legal entities and independent professionals who process personal data in the course of their professional activities. Processing of personal data in this sense includes collecting, storing, transmitting, deleting, and other processing operations with respect to personal data.
Which topics does the report cover?
The findings mention shortcomings regarding the following:
Records of processing activities carried out by entities of the insurance sector
The Commissioner points out that all of the information required by Article 30(1) GDPR must be included in the Registry of processing activities. This information can be found at the link below:
Each of those items of information must therefore be included in the insurance company's Registry.
Data Protection Impact Assessment (DPIA)
As regards the information that must be included in a DPIA, the Commissioner noticed that certain information was omitted from insurance companies' DPIAs. Specifically, entities in the insurance sector did not record the reasons for the conclusions they drew from their initial risk assessment. That information must be included. The information recorded in a DPIA is essential to clarify the assessment of the risk, to demonstrate the necessity and proportionality of the processing, and to manage the risks to the rights and freedoms of the data subjects (the policyholders) arising from the processing of their personal data through the necessary measures.
Processing agreements
The Commissioner found that processing agreements in the insurance sector are incomplete. Specifically, every processing agreement between an insurer and another party processing personal data on its behalf, for example an insurance broker acting as a processor, must specify the security measures the processor is to maintain, depending on the nature of the risks involved in the processing and the nature of the data to be protected, as Article 28(3) GDPR requires. Accordingly, each processor must implement and maintain appropriate security measures, set out in the processing agreement, so that the personal data it processes receive an adequate level of protection. Those measures must be appropriate to the risks presented by the processing, in particular accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that are transmitted, stored or otherwise processed.
Security policies
Policies drafted for the security of client files must be reviewed so that they cover matters such as security incident management, the data erasure and destruction process, the security of communications, and examples of the consequences of unauthorised user access. In essence, insurance companies are asked to set out in their policies the technical and organisational measures they will apply to prevent and handle the incidents mentioned above.
Consent forms
Any forms provided to clients or potential clients must comply with the Commissioner's recommendations. Specifically, among others, the Commissioner's report applies to the consent forms used by insurance companies providing life insurance and general insurance.
When an insurance company processes personal data for more than one purpose, it is expected to provide the client or potential client with a separate consent form for each purpose. For the consent given to count as freely given, specific, informed and unambiguous, the consent form must satisfy the following:
- clients / policyholders must be free to choose whether they are interested in the specific services offered by the insurance company they are considering becoming clients of; consent to processing must not be bundled with the provision of the service.
- clients / policyholders must be able to withdraw consent at any time without suffering any adverse consequences, such as a financial cost.
Data Subjects’ rights
The insurance sector has failed to establish appropriate procedures for informing data subjects of their rights and of how they can exercise them. Like every controller, insurance companies must therefore establish procedures so that policyholders are informed of their rights under GDPR and of how to exercise them. GDPR provides that every natural person should be aware of his or her rights in relation to the processing of personal data and of how to exercise them. Insurance companies are expected to facilitate the exercise of data subjects' rights by maintaining mechanisms through which a data subject can request and, where applicable, obtain, free of charge, access to, rectification or erasure of their personal data, and exercise the right to object.
Security of processing
Like every controller, insurance companies must review their existing technical and organisational measures to ensure a level of security appropriate to the risk, and must assess and review those measures in line with the Commissioner's recommendations.
All of the points above were found to be incomplete in the audit carried out by the Commissioner on the insurance sector. The sector is therefore called on to improve and revise its procedures in order to comply with GDPR. The Commissioner has also set a deadline for compliance: the insurance sector must comply with each and every one of the above findings within one month of the announcement of the report, i.e. by 27/06/2019. As the report shows, no fine or penalty has yet been imposed on any insurance company. That will not remain the case, however, if an insurance company is found to be in breach of the relevant obligations and of the report published by the Commissioner.