Data Protection
The processing of personal data by insurers can be categorised as “particularly sensitive”. According to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), sensitive data includes data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data intended to uniquely identify a natural person, and data concerning health or sex life or sexual orientation.
Furthermore, if the entity considered as the controller processes personal data on the basis of the data subject's consent, it must be able to demonstrate that the data subject has given their consent.
Insurtechs fall under the scope of all these data protection rules when transferring data. Consequently, a number of concerns arise for Insurtechs in relation to online insurance distribution.
Belgium
The main issues that may arise include, but are not limited to:
- Having the appropriate measures and policies in place to comply with legal requirements such as deleting data as soon as it is no longer needed, keeping a register of processing activities, notifying cyber-attacks and appointing a data protection officer.
- Organising document management systems in order to identify the information given to each customer and when this information was given.
- Paying attention to the non-discrimination principle when applying actuarial pricing schemes.
- Sharing of information with the UK, which is now outside the EU.
France
As French law does not specifically regulate the processing of personal data by insurance companies and intermediaries, the GDPR applies. In relation to online distribution, the main issues may be as follows:
- Identifying the status of actors: in principle, an insurer is the data controller for processing anything related to the performance of an insurance contract. However, the broker and the insurer could be joint controllers if both determine the purpose and the essential means of processing.
- Determining the legal basis for each purpose. The processing should be based on the insurance contract, provided that the processing is strictly necessary for the performance of the contract, or on legitimate interest. For specific cases, the user's consent may be mandatory (e.g. for some processing of health data or for commercial prospecting under Art. L34-5 of the French Post and Electronic Communications Code). In any event, insurance companies should not use data collected for a subsequent purpose.
- Limiting the storage period: when an insurance contract is concluded, certain specific limitation periods may apply (e.g. the Insurance Code provides for a limitation period of 30 years from the death of the insured for life insurance contracts).
- Respecting transparency and individuals’ rights: individuals must be informed of the use of their data, as well as of their rights (to access, rectify, oppose or delete data, etc.). They must also be able to exercise these rights electronically. If the insurance organisation uses data profiling, it must be subject to (i) transparency requirements; and (ii) specific conditions if it is part of an automated decision-making process.
- Securing data: all the necessary measures must have been taken to guarantee the security of the data (physical or computer security, securing the premises, managing authorisations and computer access rights, limiting access to data to third parties authorised by law). These measures must be adapted to the sensitivity of the data (e.g. health data or the National Identification Registry or “NIR”).
Italy
There is no specific regulation regarding the processing of personal data by insurance companies and intermediaries. However, the general principles set forth in the GDPR and in Legislative Decree no. 196/2003 (the “Italian Privacy Code”) apply to Insurtech as well. The main issues that may arise include:
- Implementing the appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
- Keeping a record of processing activities.
- Ensuring data is only retained for as long as is necessary.
- Within the limit stated by the GDPR, notifying the competent Data Protection Authority of data breaches including cyber-attacks and communicating it to the data subjects.
- Appointing a Data Protection Officer.
- Carrying out Data Protection Impact Assessments activities, when mandatory according to the GDPR and Decision 467/2018 of the Italian Data Protection Authority (the “Garante”).
- Relying on a proper legal basis for processing personal data, in particular if special categories of data are processed.
- Respecting the transparency principles by informing the data subjects about the use that will be made of their data and about their rights.
Portugal
The main issues to consider include, but are not limited to:
- Compliance with applicable data protection laws, meaning the GDPR as well as the Law of Execution (Law no. 58/2019).
- Having appropriate measures in place to ensure compliance with such applicable data protection laws, such as keeping a register of processing activities, ensuring data is only retained for as long as is necessary and thereafter securely deleted, notifying security breaches including cyber-attacks, and appointing a data protection officer.
- Ensuring compliance with the GDPR, specifically Article 22, for automated decision-making processes.
- Transparency and adequate information (Article 13(2)(f)).
- Compliance with the right to an explanation, which can be particularly challenging given algorithmic opacity. Even so, the explanation provided must:
  - inform and assist the data subject in understanding a particular decision;
  - provide grounds for contesting it;
  - make clear what could be changed based on the decision-making process.
- Implementing reinforced security measures, namely by deploying cryptography-based solutions.
- Implementing document management systems to be able to evidence what information is provided to each customer, when it was provided and on what basis.
- Being aware of the risk of unlawfully discriminating against customers and putting in place measures to mitigate these risks.
The Netherlands
There is no local legislation covering specific issues in this context. The main issues that may arise include, but are not limited to:
- Having in place the appropriate procedures to comply with legal requirements such as data deletion, keeping a register of processing activities, cyber-attacks notifications and the appointment of a data protection officer.
- Organising document management systems in order to identify and prove the information provided to each customer and when this information was given.
- Paying special attention to the principle of non-discrimination in the application of actuarial pricing schemes.
Ukraine
The main issues for insurance companies and intermediaries in Ukraine include:
- Compliance with legal requirements such as notification of personal data processing to the special officer, notification of actions with personal data and deleting data as soon as it is no longer needed, etc.
- Adapting privacy systems and processes in light of the upcoming data protection reform in Ukraine.
- Compliance with confidentiality policies and other data protection documents on websites or other online resources.
United Kingdom
The main issues to consider include, but are not limited to:
- Compliance with applicable data protection laws, meaning the Data Protection Act 2018 (“DPA 2018”), the UK GDPR (having the meaning given in the DPA 2018) and the Privacy and Electronic Communications Regulations (“PECR”), and adherence to applicable guidance and codes issued by the Information Commissioner’s Office (“ICO”).
- Having appropriate measures in place to ensure compliance with applicable data protection laws such as keeping a register of processing activities, ensuring data is only retained for as long as is necessary, (thereafter being securely deleted), notifying of security breaches including cyber-attacks and the appointment of a data protection officer;
- Implementing document management systems to be able to evidence what information is provided to each customer, when this was provided and on what basis;
- Being aware of the risk of unlawfully discriminating against customers by using actuarial pricing schemes and putting measures in place to mitigate the risk.
Spain
Given mandatory enforcement for all parties that process personal data, Insurtechs must comply with all data protection rules when transferring data.
Due to the nature of activities undertaken by insurers, their processing of personal data can be categorised as “particularly sensitive”. GDPR singles out data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data concerning health or sex life or sexual orientation.
If the controller processes personal data on the basis of the data subject's consent, it must be able to demonstrate that data subjects have given their consent.
The main issues that may arise include, but are not limited to:
- Having the appropriate means in place to comply with the legal requirements, such as deleting data as soon as it is no longer needed, keeping a register of processing activities, notifying cyber-attacks and appointing a data protection officer.
- Organising document management systems in order to prove what information was given to each customer and when this information was provided.
- Paying special attention to the principle of non-discrimination in the application of actuarial pricing schemes.