The impact of GDPR on the processing of sensitive data by insurance companies
Author: Marta Ryskalczyk
From 25 May 2018, all Member States of the European Union will be obliged to apply Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The Regulation will replace the existing national regulations in the field of personal data protection, including the existing Act on Personal Data Protection. The Ministry of Digital Affairs is currently working on a new act that will clarify those GDPR rules which have been left to the legislation of the EU Member States.
One of the changes introduced by the GDPR concerns the processing of sensitive data. Under the current Act on the Protection of Personal Data, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or religious, political party or trade-union membership, as well as the processing of data concerning health, genetic code, addictions or sex life and data relating to convictions, decisions on penalties, fines and other decisions issued in court or administrative proceedings, is prohibited.
One of the exceptions provided for in the current Act on Protection of Personal Data which allows the processing of sensitive data is the written consent of the data subject. Obtaining consent in such a form constitutes an obstacle to, for example, concluding contracts by telephone where sensitive data need to be processed.
Such a requirement makes it difficult, for example, to conclude life insurance contracts by telephone. Information about the health of the insured person and their history of illnesses is usually necessary to assess the insurance risk and determine the appropriate premium. However, under the current Act on Protection of Personal Data the insurer cannot obtain such information over the telephone, as it is sensitive data.
GDPR introduces some changes to the processing of sensitive data, which the GDPR calls ‘specific categories of personal data’. The catalogue of these data has been extended and now includes biometric data, defined as data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. However, the most important change introduced by GDPR is the requirement to obtain explicit consent from the data subject for the processing of specific categories of personal data.
The legislator stated that such consent shall be explicit; no special form in which it has to be expressed is required, and consequently there is no obligation to obtain written consent from the client for the processing of such data.
GDPR, however, provides that EU Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
The Ministry of Digital Affairs published the draft law on the Protection of Personal Data on 28 March 2017. The provisions of this draft do not refer to specific categories of personal data. However, as the Ministry of Digital Affairs points out, the draft does not exhaust all the regulations necessary for introduction into the new Act on Protection of Personal Data.
If Poland does not decide to introduce a special form of consent for the processing of specific categories of data, this will allow many entrepreneurs to enter the telephone sales market.