European elections 2014

Data protection – take sector-specific interests into account

The finalisation of the EU Data Protection Regulation and the preparation of the delegated acts foreseen therein will keep data protection on the European agenda beyond 2014. In ensuring the responsible handling of data in the interest of consumers, sector-specific concerns should not be left out of consideration. The financially expedient procedural routines necessary for the insurance industry must remain permissible and legally secure under the new regulation.

Particular attention should be paid to the following items:

Make the processing of health data legally certain
Life, health and accident insurers can only review the claims of policyholders based on health data. The best way to ensure legally certain processing of such sensitive data by insurers is to create a clear legal foundation in the EU Data Protection Regulation. This also applies to the processing of the health data of persons not party to a contract (e.g. persons injured in a car accident) by liability insurers. In all cases, however, a legally compliant consent arrangement should be built into the regulation.

Enable reinsurers to also process health data
Expedient and necessary data processing does not always take place within the framework of insurance contracts. In order to ensure that the claims of customers and injured parties can be met at all times, risks are reinsured by specialised companies. For this purpose, reinsurers must verify the reinsurability based on data of the affected parties, without a contract actually existing between them.

It must remain possible to calculate rates and classify risks
Insurers use health data to create statistics, based on which they estimate their risk positions and calculate rates. The data processing arrangement proposed by the EU Commission for statistical purposes adopts a good approach for this. However, a consent requirement for statistical processing of health data would impede processes. It should also be ensured that traditional risk classification into tariff groups, the calculation of premiums and the fight against fraud are not made impossible through profiling provisions which are too broad.

Permit data transfers within corporate groups
Based on statutory requirements, insurance groups often consist of many enterprises active in specific lines that merge into a corporate group. Frequently, general tasks such as customer service by phone are organised jointly within these groups in a cost-efficient manner. For this purpose, it is necessary to transmit sensitive data within the group. If the EU Data Protection Regulation does not foresee a corresponding arrangement, expensive, inefficient and redundant structures will have to be established.

Avoid legal uncertainty through unrestricted revocation rights
Data processing should not be rendered legally uncertain through an unrestricted revocation right on the part of the affected party. Moreover, reinsurers or specialised service providers would no longer be able to process sensitive data lawfully.

>> Focus: Europe in the election year 2014 – The positions of the German insurers