
Insurance


Personal data is essential to fulfill business needs in the insurance sector. Find below an introduction to:

Data Processings: What kind of personal data is normally being processed in the insurance sector and how critical are the processings?

Regulation: Which privacy laws and provisions have to be respected in the insurance sector?

Risks & Enforcement: Which compliance risks must be considered and what has been the focus of supervisory authorities and courts?






Data processing in the insurance industry





What kind of personal data is normally being processed in the insurance sector and how critical are the processings?

At least two major events in the relationship between insurer and insured require the collection and evaluation of comprehensive datasets.

The need for detailed information first arises when insurance is requested. The insurer has a strong interest in satisfying both economic and legal duties that may, in the case of statutory health insurance, result from legal provisions and/or insurance terms. Private health insurers must ensure that the risks new insurees bring into the insurance pool are reflected in the individual insurance conditions, so that newcomers do not become a burden on the insurance community. This can only be reliably guaranteed with meaningful information about the person's health.

The mistrust resulting from the naturally opposed interests of (potential) insurees and the insurer reinforces the insurer's wish to directly request health reports from health practitioners such as doctors or hospitals.

The involvement of third parties in examining the person's health situation may again be deemed necessary if a damage case occurs. Various means and technologies are conceivable that would allow the insurer to verify the existence and/or severity of the damage case claimed by the insured.



Which privacy laws and provisions have to be respected in the insurance sector?

Several national laws, such as the VVG (for private insurers) and the SGB V (for statutory health insurers), regulate the collection and exchange of personal data between data subjects and insurers as well as between insurers and medical practitioners. Such laws are deemed special provisions in relation to the genuine data protection provisions in the GDPR or the Federal Data Protection Act, which deal with the processing of health data on a more abstract level. Where consent requirements are stipulated in special provisions, the respective consent requirements/conditions outlined in the GDPR usually apply.

As a result, insurers must consider the whole legislative landscape when assessing the admissibility of data processings concerning the insured.



Which compliance risks must be considered and what has been the focus of supervisory authorities and courts?

If data on the insured person is not processed in accordance with the law, this can have a severe personal impact on their life. This would be the case, for example, if they were denied insurance benefits on the basis of data on previous illnesses.

Against this background, data processing in the insurance sector has already been the subject of various statements by authorities and court judgements.



