On the application of the GDPR in the insurance field, one of the points currently causing concern is that the Privacy Guarantor has not identified insurance agencies and brokers among the private entities required to designate a DPO (Data Protection Officer), the figure responsible for data protection within the company, who may be internal or external to the company itself.
This is a fundamental figure in the new system of governance in terms of personal data protection: one of the fundamental tasks of the DPO is to facilitate compliance with the law, not only through consulting and support to operational functions but also through inspection and internal control processes.
In an article published by Agenda Digitale, lawyer Salvatore Coppola explains and comments on what the rules say about the GDPR, the DPO and insurance intermediaries, drawing attention to the fact that intermediaries should consider not only whether the appointment of a DPO is mandatory, but also whether it is appropriate. “A recent discussion with some agents and brokers on the subject of GDPR and insurance intermediaries shows how much the issue dealt with by the EU Regulation on the protection of personal data is still inexplicably neglected or reduced to mere bureaucratic requirements to be fulfilled in order to be ‘in order’.
In many cases, the reference associations have brought together the members and involved professionals in the field, merely stipulating agreements for the drafting of the information to be issued to customers.
Obviously, those intermediaries who have taken care to be properly trained are an exception.
In Italy as at 31 December 2017, 228,676 Italian intermediaries were registered in ROI, in addition to 8,211 foreign intermediaries (IVASS Report of 27/06/2018).
Indeed, the main activity of an insurance intermediary is to propose and assist with insurance cover. Would it be possible to do so effectively without processing personal, family and special-category data? In practice, insurance intermediaries collect data for financial purposes, collect pay slips, make agreements with companies to apply discounts to their members, and so on.
GDPR and insurance intermediaries: co-processing among companies, agents and brokers
Article 4(7) of the GDPR states that the data controller is “any natural or legal person, public authority, agency or other entity which alone or jointly with others determines the purposes and means of the processing of personal data”. When two or more data controllers jointly determine the purposes and means of processing, Article 26 requires them to specifically define – by internal agreement available to the interested parties in its essential content – their respective responsibilities with regard to compliance with obligations, the exercise of the rights of the interested party and information.
By way of example, insurance companies and intermediaries jointly determine the purposes and means of processing their customers’ personal data, establishing their respective responsibilities and tasks with regard to compliance with their obligations under the GDPR. In particular, such agreements relate to the rights of the data subject and the obligations to provide the information expected at the time of data collection.
In this respect, the GDPR gives data subjects the possibility of exercising their rights against any of the joint controllers. Agents and brokers are therefore data controllers in every respect, since they are in a position to propose the products of different companies, taking into account the profiles and needs of the persons seeking insurance.
It should also be noted that when intermediaries process personal data on behalf of the Company (the Data Controller), they also become Data Processors, so the appointment of a DPO would be an even more significant part of the data protection measures available to them.
Would sub-agents require more in-depth analysis? Are they joint controllers, data processors and/or sub-processors?
Let’s start from the beginning.
Data Protection Officer: who is obliged to appoint one?
Article 37(1) of Regulation (EU) 2016/679 provides that the appointment of the DPO is mandatory for:
a) public authorities and public bodies;
b) data controllers or data processors whose core activities consist of processing operations which, “by their nature, scope and/or purposes”, require regular and systematic monitoring of data subjects on a large scale;
c) data controllers or data processors whose core activities consist of the large-scale processing of special categories of personal data (genetic, biometric, judicial, etc.).
It follows from this that in cases not provided for by Art. 37 GDPR the appointment of the DPO is only optional.
Therefore, insurance intermediaries may fall among the data controllers and data processors referred to in points b) and c), who are obliged to designate a DPO.
Large scale: let’s clarify this concept
The Regulation does not unambiguously define what constitutes “large-scale” processing.
On this point, the WP29 Working Group recommends that the factors listed below be taken into account:
- the number of data subjects concerned, either in absolute terms or as a percentage of the reference population;
- the volume of data and/or the range of different types of data being processed;
- the duration, or persistence, of the processing activity;
- the geographical scope of the processing activity.
For example, the Group cites, among others, the large-scale processing of customer data by an insurance company or bank in the ordinary course of business.
It does not, however, mention the large body of professionals working in insurance brokerage.
Regular and systematic monitoring: what it is and when it happens
As with the large-scale concept, regular and systematic monitoring of data subjects is not defined in the GDPR; recital 24 indicates that the behaviour of data subjects is monitored when natural persons are tracked on the Internet, or when personal data processing techniques are used that consist of profiling a natural person in order to take decisions concerning him or her, or to analyse or predict his or her preferences, behaviour and attitudes.
On the concept of “regular”, the WP29 Working Group has clearly defined it as monitoring “which occurs continuously or at defined intervals over a defined period of time; recurring or repeated at constant intervals; which occurs constantly or at periodic intervals”.
With reference to the adjective “systematic”, the Group has also specified that it has at least one of the following meanings: “which occurs by system; predetermined, organized or methodical; which takes place as part of an overall data collection project; carried out as part of a strategy”.
The Group also provides examples of activities that may involve regular and systematic monitoring of interested parties, including: marketing activities based on analysis of the data collected; profiling and scoring for risk assessment purposes (e.g. definition of insurance premiums, fraud prevention, detection of forms of money laundering); loyalty programs; behavioral advertising; use of CCTV cameras and so on.
It is therefore clear that insurance intermediaries may be among those private entities that process personal data on a regular and systematic basis.
The Art 29 Group and the Italian Guarantor on the appointment of the DPO
The Art 29 Group, in its Guidelines of 13/12/2016, updated on 05/04/2017, specified that, as provided for by Article 37(4) GDPR, the mandatory designation of a DPO may also be required in further cases under Union or Member State law.
The Group has gone so far as to point out that, even where the appointment of a DPO is not mandatory, it may be useful to make such a designation on a voluntary basis, and it therefore encourages this approach. Indeed, it cannot be denied that in case of doubt the designation is advisable, since it contributes to a better “privacy image” of the Data Processor for the purposes of accountability.
It should be specified that if a DPO is designated on a voluntary basis, the same requirements apply – in terms of criteria for designation, position and tasks – as apply to mandatorily designated DPOs.
The Italian Privacy Guarantor also wanted, I would add, to contribute to the identification of those who are obliged to designate the DPO and on 26/03/2018 published on the institutional website, in addition to the Guidelines adopted by the Art 29 Group, the New FAQ on the Data Protection Officer (DPO) in the private and public sectors.
With regard to the private sector, point 3 states that, where the above conditions are met (Article 37(1)(b) and (c) of the GDPR), the following Controllers and Processors are required to designate a DPO (by way of example and without limitation): “credit institutions; insurance companies; credit information systems; financial companies; commercial information companies; auditing companies; debt collection companies; supervisory institutions; political parties and movements; trade unions; CAFs and employers’ associations; companies operating in the utilities sector (telecommunications, electricity or gas distribution); labour supply and personnel search companies; companies operating in the health care, health prevention/diagnostics sector such as private hospitals, spas, medical analysis laboratories and rehabilitation centres; call centre companies; companies providing IT services; companies providing pay-TV services”.
This was necessary in order to offer more guidance to economic operators who were experiencing the entry into force of the GDPR with doubts and apprehension regarding the obligation to designate the DPO.
You may notice that insurance companies appear on the list, but insurance brokerage firms such as brokers or agents do not.
GDPR and insurance intermediaries: considerations on the appointment of the DPO
Like a comet that no longer draws a glance once it has passed, with the passing of the fateful date of 25/05/2018 (the date on which the GDPR became fully applicable) attention to the subject has diminished: some economic operators are certain that they must designate a DPO, while others, evidently not specifically identified, underestimate the need to appoint a Data Protection Officer.
We should therefore remind ourselves that the cornerstone of European legislation lies in the principle of accountability, which requires data controllers and data processors to adopt a proactive attitude and to constantly seek technical and organisational measures to protect the data processed.
At that time, it was expected that these subjects, who were held responsible by the European legislator, would not stop at the examples of the Italian Guarantor (useful but not exhaustive as declared by the Guarantor) and that they would go further.
In conclusion, assuming that insurance companies are required to appoint the DPO (as explicitly stated in the New FAQs), insurance brokers in turn – with the help of specialist professionals – should consider the appointment of the Data Protection Officer more carefully.