Key Positions

Data Protection

The insurance industry depends on using large quantities of personal data from insured persons. The data are required in order to provide customers with individual advice, to assess risks to be insured and to verify obligations to pay benefits. Customers can rightly expect their insurance companies to handle such data sensitively and sparingly.

As the first sector in Germany, the insurance industry has therefore worked together with data protection authorities and the Federation of German Consumer Organisations to develop rules of conduct to specify and supplement the Federal Data Protection Act. The code of conduct was approved by the Berlin Commissioner for Data Protection and Freedom of Information in late 2012. With these rules of conduct for the insurance industry, a voluntary self-commitment to uphold data protection has for the first time received the quality seal of the data protection authorities. It will soon be possible to view the insurers who have signed on to these rules of conduct on the GDV website.

Through the code of conduct, it will be clearer for customers how their data is processed in a contractual relationship or during the processing of an application. Accordingly, the companies who adhere to the rules will in the future lay out their data processing procedures and inform their customers, for instance, who is processing their data (the insurers themselves or a service provider) and for what purpose.

Beyond this, additional data processing consent will largely become dispensable by way of these rules of conduct. In principle, consent is now only required to process particularly sensitive types of personal data (e.g. health information). Together with the competent data protection authorities, GDV has drafted a sample consent clause for the processing of this type of particularly sensitive personal data.

The described activities show that the German insurance industry is aware of and meets its responsibilities in handling the data of its customers. Customers can rest assured that their data are treated securely and sparingly. With these rules of conduct, the insurance industry and data protection authorities have reached a common understanding on data protection, which strengthens the interests of customers and is also practicable for companies.

This approach could be productively integrated into the discussions concerning the European Data Protection Regulation. Industry-specific codes of conduct can better specify the necessarily general European Data Protection law than the large number of delegated legal acts foreseen in the proposed regulation. They can give appropriate substance to general clauses and create data protection with fewer bureaucratic burdens.

Given the nature of its activity, the insurance industry depends on collecting and processing data from insured persons. This also includes highly sensitive health information. The new EU Data Protection Regulation should not reach beyond its goal and make risk assessment, rate calculation, coverage verification, claim settlement and other procedures impossible.

Our Positions

It must be possible to process health data in a legally secure fashion

Insurers entrusted with health data have to be able to process these sensitive data in a legally secure fashion. For example, a life assurer must be able to verify an insured person's claim for disability benefits based on health data. The most secure way to do this would be to provide a clear legal foundation in the EU Data Protection Regulation itself. At minimum, however, a legally secure consent arrangement, like the one that exists in Germany today, must be retained.

Data disclosures within corporate groups must remain possible

To protect consumers from financial losses, the German insurance industry is organised according to the principle of line separation. This means that the various insurance lines have to be run by independent companies, so that if something goes wrong in one line (e.g. in the claims area) this does not impact other lines (e.g. life insurance). In practice, independent companies are often joined in corporate groups in order to organise tasks such as coverage verification, customer support lines, etc. more cost-effectively. For this purpose, the disclosure of data, including personal data, within corporate groups is indispensable. The European Data Protection Regulation must provide a corresponding rule for this, as well as for the processing of health data. Otherwise, corporate groups would be forced to establish expensive and inefficient redundant structures.

Use of pseudonymised data should be possible

The European Data Protection Regulation must support the processing of pseudonymised data. The arrangement proposed by the EU Commission for the processing of data for statistical purposes already represents a sound approach. However, a simplification should also be created for particularly sensitive data, such as health data, since the data of affected persons is effectively protected through pseudonymisation. Insurers use pseudonymised health data, for instance, to assess risks, calculate tariffs and transfer risks to reinsurers.

Data protection must not hinder efficient protection against fraud

Many people still view insurance fraud as a trivial offence. Yet the damage caused by insurance fraud makes insurance protection significantly more expensive for honest customers. To combat fraud, the German insurance industry has therefore created an information system (HIS), which was recently recognised as an information bureau in accordance with the guidelines of the German data protection authorities. The European Data Protection Regulation must allow data to be processed in the interest of third parties, including data on criminal offences, so that such systems can continue to be operated in a legally secure fashion in the future.

Don't equate tariff calculation with profiling

The prohibition of profiling proposed within the framework of the European Data Protection Regulation is intended to prevent the creation of behaviour profiles based on Internet activities. This type of profiling has to be clearly distinguished from risk assessment and tariff calculation by insurers. Insurers are not trying to predict and analyse personal preferences, conduct or attitudes, but they do need to form homogeneous risk groups and tariffs in line with such factors. For example, the owner of a house in a river flood plain should have to pay a higher premium to insure his home against flooding than the owner of a property remote from any bodies of water.