Are insurers liable for breach of the GDPR on account of their appointed intermediaries?
Insurers acting outside their traditional borders through a local intermediary should choose their intermediaries carefully when distributing insurance products, and use every means at their disposal to control them properly. Distribution through an intermediary can be a fast way to bring insurance products to market and enter a territory with minimal investment. However, it requires strict control of the intermediary’s activities.
The reason is that insurers operating in FOS (freedom of services) can be held jointly liable with the intermediary if the latter violates personal data regulation and its obligations under the GDPR (Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
In a decision dated 18 July 2019, the CNIL (Commission Nationale Informatique et Libertés), the French authority in charge of personal data protection, ruled against ACTIVE ASSURANCE, a French intermediary, for several breaches of the GDPR. The intermediary was found guilty and fined EUR 180,000 for failing to properly protect the personal data of its clients. That data was found to be easily accessible on the web by any technician well versed in data processing. Moreover, the clients’ personal access codes were too simple and therefore easily obtainable by third parties.
Although in this particular case the insurers were not fined by the CNIL, the GDPR provides that they can be jointly liable with the intermediary in the event of a personal data breach. In particular, the controller is liable for the acts of the processor it has appointed, the processor being treated as a sub-contractor (Articles 24 and 28 of the GDPR).
This illustrates the risks of distributing insurance products through an intermediary without controlling its activities. Acting through intermediaries, in particular for insurance companies operating from other EU countries in FOS under the EU Directive on freedom of insurance services (Directive 2016/97 of 20 January 2016 on insurance distribution), requires strict control through contractual provisions that define:
- a clear distribution of the duties between insurer and distributor (who is controller, joint controller or processor?) as regards the technical means used to protect personal data (who shall do and control what?) and the legal requirements (who must report to the authorities in case of a security breach? who shall reply to requests from data subjects? etc.);
- the right of the insurer to audit the distributor’s technical means used for this protection at any time during the term of the contract. In addition, one should always keep in mind that this audit must actually be conducted by the insurer, effectively and at regular intervals. As Napoleon rightly said: “You can govern from afar, but you can only administer closely”.