Insurance

The GDPR in the insurance world

The GDPR applies to all professions that collect or process personal data. Whether you are an agent, a broker, an intermediary, an intermediary's agent or an insurance (or reinsurance) expert, you collect personal data from your clients, prospects, accident witnesses, etc. As a result, you must not only comply with the GDPR but also be able to demonstrate this to your clients and the companies you work with. Showing that you respect privacy will increase trust, especially as you collect very personal data to advise your clients.

The sector in brief

Today, there are nearly 60,000 insurance intermediaries in France according to the single ORIAS register. All of these companies have been subject to the GDPR since 2018 because they handle personal data in their daily work, some of which is particularly sensitive (health, etc.).

From the outset, companies have made significant efforts to address the issue of personal data protection and business tools have now integrated these provisions. However, this does not exempt intermediaries from complying. 

What are the main processing operations involved?

As a reminder, any processing of personal data must meet a specific objective (purpose) which must have a legal basis (consent, contract, legal obligation, legitimate interest, etc.).

Overall, in the insurance sector, a distinction is made between processing operations whose purpose is the conclusion/execution of CONTRACTS and those whose purpose is commercial PROSPECTING.

In the first case, the processing operations respond to the need to execute the CONTRACTS, for example:

  • the study of needs in order to propose suitable contracts;
  • the assessment of insurance risks to determine a rate;
  • the performance of contractual guarantees;
  • contract and customer management;
  • the management of complaints and disputes;
  • or the exercise of appeals.

Other processing operations are based on legitimate interest:

  • the preparation of statistics and actuarial studies;
  • the implementation of prevention actions;
  • conducting research and development activities;
  • communication and customer loyalty operations;
  • improving the quality of the service;
  • anti-fraud processing.

 

With regard to PROSPECTING, the purpose and legal basis of the processing depend on the channel used.

Electronic commercial prospecting (email, SMS, leads, social networks, etc.) is subject to the consent of individuals (in accordance with the French Post and Electronic Communications Code, CPCE). Canvassing is possible but people must first be informed. They must also give their prior consent in the case of individuals or be able to object to it in the case of professionals.

For other methods of canvassing (postal mail, calls, etc.) or if the canvassing concerns people who are already customers, it is rather the legitimate interest that will serve as the basis. It is simply necessary to ensure that the person is able to object easily and a priori to the processing.

Source: CNIL

Specificities of the GDPR

Actors in the sector who process personal data are either data controllers, data processors or joint data controllers. These qualifications come with specific obligations, so it is important to determine your status for each processing operation. For example, the controller is the body which determines the purposes and means of the processing operation.

The same company may be both a controller (e.g. the general agent in his brokerage business if he has one) and a processor (when he acts on behalf of his company).

Furthermore, the processing of NIR and health data must be subject to particular vigilance.

Data retention periods

In general, a distinction is made between processing operations carried out outside the conclusion of an insurance contract and those carried out within the framework of a contract.

  • In the absence of the conclusion of the insurance contract (in the context of prospecting management), the data controller may not retain the prospect's data for more than 3 years from the date of their collection or the last contact from the prospect.
  • For data that may enable the establishment, defence or exercise of legal rights, it may be kept for a maximum of 5 years from the date of its collection or the last contact from the prospect (this is in application of the limitation period under common law).
  • When an insurance contract is concluded, certain specific limitation periods may apply. This is the case for life insurance contracts where the Insurance Code provides for a limitation period of 30 years from the death of the insured for the actions of the beneficiary. 

As you can see, the main principles of the GDPR are simple, and their implementation can also be simple with the right tool. Our tool, GDPR Folder, accompanies you step by step in this process and guides you at each step to generate your compliance file. You will be able to answer a simple and didactic questionnaire in a few hours for an affordable budget, without expensive external help, and create a PDF file that demonstrates your compliance efforts.

GDPR Folder allows you to stay in control of this subject of personal data, which is at the heart of your activity. In addition, you receive a badge showing your efforts that you can post on your site to reassure your customers, members or contacts and increase the trust they have in you.

Respect personal data and show it with GDPR Folder. Don't hesitate to contact us for more information or a demo.

Here are a number of useful sites and resources in the insurance sector:

  • ORIAS - The Unique Register of Insurance, Banking and Finance Intermediaries
  • ACPR - Autorité de Contrôle Prudentiel et de Résolution 
  • The CNIL - Space dedicated to insurance
  • France Assureurs - Successor to the Fédération Française de l'Assurance
