GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) does not enter into effect formally but arouses a lot of emotions.
Some people recognize GDPR as a risk for market development, especially the insurance market, in the light of new sanctions which are predicted for infringements of data protection rights and new rights which the new institution – the President of the Office of Personal Data Protection – will obtain. Other people treat GDPR as an opportunity for life insurance development. It means the abolition of the written consent requirement for sensitive data processing, which is absurd and unprecedented in most EU countries.
I would like to note a different significant aspect of GDPR, which can have an impact on the insurance market, especially the life insurance market. I refer to the rule limiting data processing (also storage) only by the period when it is necessary to achieve the aims of this processing. It means that a data administrator should define a deadline after which that data will be eliminated. Additionally, under Art. 13 sec 13 a) of GDPR, a client has to obtain information about the period of data storage, and if it is impossible – the criteria of determining this period.
What does it mean in practice?
Let’s imagine a situation in which a client fills in a life insurance application. He passes on true information which has an impact on insurance risk. As a result an insurance company offers him exclusions of liability or increases premium or even refuses the conclusion of an insurance agreement. What can the client do? If he is honest, he will accept the insurer’s offer or seek a better offer in another insurance company. What will happen if ethics and decency are strange terms for the client? In practice, this client may demand that the insurance company stops processing his data or enforce the right to be forgotten.
Also this client may expect that in an ineffective agreement conclusion the insurance company will eliminate his data immediately because the aim of data processing – conclusion of an agreement – has passed. Moreover it will be difficult to formulate and cite the data processing to archival purposes because GDPR allows for these aims only in the public interest.
As a consequence GPDR can lead to a situation when a dishonest client submits the life insurance application again (e.g. after 2 months) but he completes it in the way to conclude a standard insurance agreement trusting that during 3 years nothing will happen. After this time the insurer cannot appeal against the lie (Art. 834 of the Civil Code). In this situation the insurance company does not have the right to appeal against information obtained before when the client filled in the first insurance application. The insurer should not have this data formally.
Does this problem have any solution?
We have the opportunity to discuss this issue and other interesting subjects on 21st September during the event BACK TO THE FUTURE II – the future of insurance.
