According to the Italian Data Protection Authority (the Garante), a bank that distributes insurance policies is a data processor under the GDPR rather than a data controller.
This position is the main conclusion of the Garante’s opinion issued in response to questions posed by a company operating in the insurance sector.
The concept of data controller and processor under the GDPR as applied to the so-called insurance chain
The GDPR distinguishes between a data controller and a processor, depending on the entity that holds the decision-making power regarding the purposes and methods of processing personal data.
Specifically, under Article 4(7) of the GDPR, the “controller” is the entity that, alone or together with others, determines the purposes and means of the processing of personal data, whereas, under Article 4(8) of the GDPR, the “processor” is the entity that processes personal data on behalf of the controller. According to Guidelines 07/2020 of the European Data Protection Board (EDPB) on the concepts of controller and processor in the GDPR, the factual circumstances of each case must be assessed in order to correctly identify the decision-maker and correctly assign the parties’ privacy roles and responsibilities.
With specific reference to the insurance sector, the Garante, in its April 26, 2007 decision, had analyzed the activities carried out by operators in the insurance sector and came to the conclusion that the related processing may be divided into a plurality of “stages,” starting from distribution to the claim settlement stage. As a result, personal data of prospective customers and policyholders may be processed by several different parties, with different privacy roles, depending on the “stage,” and this scenario gives rise to the so-called insurance chain.
As a result, it is necessary for insurance companies to carefully assess the actual role played by the parties involved in the processing and determine whether and which of these parties have actual and autonomous decision-making power regarding the purpose of the processing or whether they instead comply with the instructions of the insurance companies.
Opinion of the Italian Data Protection Authority on the role of a bank as a data processor in the distribution of insurance policies
The Garante was asked about the privacy role to be given to banks that sell and distribute insurance policies issued by an insurance company. In its opinion, the Garante noted that according to Article 58(3) of Regulation 40/2018 issued by the Italian Insurance Authority (IVASS),
- distributors are required to propose contracts consistent with the policyholder’s or insured person’s requests and needs for insurance and pension coverage. To this end, distributors collect the necessary information from the customer, in particular concerning the age, health status, work activity, household, financial and insurance situation of the policyholder and his or her expectations in relation to the execution of the contract, in terms of coverage and duration, also taking into account any insurance coverage already in place, the type of risk, and the characteristics and complexity of the contract offered; at the same time
- insurance companies, for each product distributed, issue appropriate instructions to guide distributors in the pre-contractual phase, together with useful and relevant information concerning the type of contract offered.
In light of the above, according to the Italian Data Protection Authority, since distributors operate on the basis of instructions issued by insurance companies, they have no operational freedom in defining how personal data are processed. Therefore, banks operating under this scheme are always data processors.
Is the Garante’s paradigm a “one-size-fits-all” model?
In recent years, new insurance distribution models have entered the Italian market. In some of these models, the distributors are a specialized category of insurance agent who, unlike traditional policy distributors, are endowed with underwriting powers by the insurer. As a result, they perform specific functions usually handled only by insurers, such as defining coverage, underwriting and pricing, appointing retail agents in a given area, and settling claims. In these scenarios, the agents have considerable decision-making power that leads them to determine how personal data are processed.
Therefore, one can legitimately question whether the Garante’s paradigm enshrined in the above opinion applies by analogy to other distribution models.
Since the Italian Data Protection Authority provides no further guidance, all that remains is to turn to general data protection principles and evaluate on a case-by-case basis.
On a similar topic, the following article may be of interest: “Blockchain is the future of insurance but what are the legal risks?”