Due to the forthcoming date (25 May 2018) of direct application of the EU General Data Protection Regulation – 2016/679 (GDPR), we observe the process of adapting the Polish legislation to the EU GDPR regulation.
Currently the new Personal Data Protection Act is being drafted, which is intended to comprehensively implement the EU regulations to the Polish legal system. A number of other important Polish Acts are being simultaneously modified, including the Act on insurance and reinsurance activity, which is particularly important from the insurance companies’ point of view.
In accordance to Article 122 (2) of the provisions implementing the Personal Data Protection Act, Article 38 (6), (8) and Article 39 (1) of the Act on insurance and reinsurance activity will be modified. The abovementioned provisions concern sensitive personal data (referred to in Article 9 (1) of the GDPR) in the process of estimating insurance risk, verifying the data given by the policyholder or determining the amount of the benefit on the basis of such information (sensitive personal data includes the results of diagnostic tests, the results of treatment, the course of the illness).
As currently worded, Articles 38 and 39 of the Act on insurance and reinsurance activity require the insurance company to obtain the written consent of the insured or their statutory agent for the processing of personal data. According to the proposed changes, the insurance company will have to obtain only the explicit consent. The Act will read as follows:
Art 38
6. An insurance undertaking’s request for the information referred to in paragraph 2 [i. e. the reasons of hospitalization, diagnostic tests and the results thereof, other provided health services treatment outcomes and prognosis and results of any autopsy, if it has been carried out; the reasons for outpatient treatment, carried out in the course of diagnostic tests and their results, other provided health services, the results of treatment and prognosis; the results of the consultation; the cause of death of the insured] shall require the explicit consent of the insured or the person on behalf of whom an insurance contract is to be concluded, or their statutory agent.
8. The insurance company may obtain, for a fee, from the National Health Fund, the data of names and addresses of benefit providers who have provided medical care in connection with an event of fortuitous event being the basis for determining the amount of compensation or benefit. An insurance undertaking’s request for this information shall require the explicit consent of the insured person or their statutory agent.
Art. 39
1.The insurance company may, with the written consent of the data subject or their legal representative, at the written request of another insurance company, provide that insurance company with the processed data to the extent necessary to assess the insurance risk and verification of data provided by the policyholder or the insured or the person for whom the account of the insurance agreement is to be concluded, establishing the right of the insured to benefit under the insurance agreement and the amount of this benefit, as well as to provide possessed information about the cause of death of the insured or the information necessary to determine the right of the beneficiary to receive a benefit and its amount. At the request of the policyholder or the insured, the insurance company provides information on the statements made by them at the stage of concluding an insurance agreement for the assessment of risk or copies of the documents drawn up at this stage.
These changes respond to the expectations of insurers, who in the process of digitizing insurance services, point to the disadvantages associated with the obligation to preserve the written form of declaration of will in an electronic distribution channel. The new wording of Articles 38 and 39 of the Act on insurance and reinsurance activity, will likely improve the electronic distribution channel for insurance products.