Sensitive data in the distance sales process
Author: Agnieszka Wesołowska
Sensitive data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade-union membership, as well as data concerning health, genetic code, addictions or sex life, and data relating to convictions, decisions on penalties, fines and other decisions issued in court or administrative proceedings. As a rule, the processing of such data is prohibited.
The processing of sensitive data does not constitute a breach of the law in the cases mentioned in Art. 27 of the Personal Data Protection Act (hereinafter referred to as “the Act”). Practically speaking, in the case of insurance contracts, sensitive data can be legally processed when the data subject has given his/her written consent (unless it concerns only the removal of the data).
Although the Act does not explicitly regulate the moment of giving consent, it is recommended to obtain this consent before the actual collection of such data (which is legally equal to processing), i.e. before the client starts providing sensitive data to the call center employee by answering relevant questions or providing relevant information.
It should be stressed that collecting data on the client’s medical history, even if the information provided by the client consists solely of negative answers to the questions asked, as well as collecting any data resulting from medical questions, is also considered processing of sensitive data, which implies a legal obligation to obtain the client’s written consent.
The client’s written consent in the distance sales process
Delivery of the consent by a courier
In case of questions on sensitive data, the administrator is obliged to obtain the written consent of the client to collect such data.
At the final stage of the distance sales process, after the conclusion of the contract, without any delay, the client can be sent via courier a “welcome pack” including:
a. General Terms and Conditions of the insurance,
b. policy/certificate of insurance,
c. a form for premium payment or direct debit, if applicable,
d. information required by the Act on consumer rights,
e. a paper form of consent on processing sensitive personal data.
Upon delivery of the latter, the client shall sign the consent to the processing of his/her personal data in the presence of the courier. The courier shall then take the signed paper form and deliver it back to the premises of the insurance company/insurance agent. The form shall be attached to the insurance documentation of the given client and kept on record in accordance with the rules set forth in the Act.
Such a practice is very common in the Polish market with respect to various services offered through distance means. For example, such practice is applied by insurance companies, telecommunications companies, loan companies or banks.
Delivery of consent by post
The “welcome pack”, referred to above, including a paper form of consent on processing sensitive personal data, can be sent to the client via traditional post.
In such a case, the “welcome pack” shall also include a request to sign the form and send it back to the address indicated in the documents. The client shall be given a specified period of time to send back the signed form.
If there is no response after the lapse of the specified period, the client should be sent a reminder (e.g. in the form of a telephone call or an e-mail) setting a further period within which the insurance company/insurance agent expects to be provided with the signed consent.
If, after the lapse of this additional period, the insurance company (administrator) has still not been provided with the client’s signed consent, there are two options open to the company.
Firstly, the administrator may continue to process the sensitive data previously provided by the client without holding the written consent of the data subject. However, it must be stressed that in such a case the insurance company (administrator) must be aware that it is taking the risk of illegal processing of sensitive data. If necessary, the Company can try to justify such a decision before the General Inspector by pointing to its earlier efforts to obtain the client's consent, which did not achieve the desired result; however, the risk associated with the illegal processing of sensitive data and the related legal consequences cannot be excluded.
The second option would be to remove the sensitive data of such a client from the system after a specified period of time, on account of the lack of their consent. This would be the recommended option, as it is in full compliance with legal provisions, and the removal of personal data, including sensitive data, does not require the data subject’s consent.
In this respect, Art. 834 of the Civil Code should also be mentioned, under which, if an insurance event occurs 3 years after the conclusion of the life insurance contract, the insurer cannot raise the objection that false information was provided at the conclusion of the insurance contract, in particular that an insured’s illness was concealed. Therefore, in the abovementioned situation, the insurance company would not be entitled to raise such an objection, as the relevant sensitive data would have been processed illegally.
As for sending the “welcome pack” by post, the question of the effectiveness of the delivery to the client must be considered. Only registered mail can guarantee effective delivery, which can be further evidenced, if necessary. Sending the documents to the client by regular mail may entail the risk of ineffective delivery. The only fully effective, though costly, method of delivering documents to the client is to send them by registered letter with receipt confirmation signed by the addressee or a person authorized to receive correspondence on the client’s behalf. Such a written confirmation is undeniable evidence of delivering the letter to the client. However, to the best of my knowledge, most of the insurance companies in Poland take the abovementioned risk of ineffective delivery and send all correspondence to clients by regular mail.
General statement on state of health
It should be pointed out that some of the entities active in the insurance market, in particular in direct channels, replace the medical questionnaire (preceded by the client’s consent) with a statement made by the client on their general state of health. In my opinion, such practices are not fully consistent with the applicable legal provisions and as such may create the risk of breaching those provisions and entail sanctions for the data processor.
There is also an approach on the market where a general statement on the client’s state of health serves as a kind of exclusion of the insurer’s liability (pre-existing conditions). The general terms and conditions, or the insurance application form, include a provision stating that the insured is not covered if they were previously diagnosed with certain illnesses or if they behave in a given way (e.g. smoke a given number of cigarettes per day). Such a solution has never been examined by any Polish court or by the General Inspector for Personal Data Protection, so it is difficult to assess this kind of provision clearly. However, pre-existing conditions are questioned from time to time by the Insurance Ombudsman in Poland or by the Office of Competition and Consumer Protection.