On 16 May, Insurance Europe published an overview of insurers' main obligations under the General Data Protection Regulation (GDPR). Under the GDPR, when insurers process personal data in a situation in which they determine the means and purposes for which the data is processed, they become data controllers and need to comply with several obligations.

Firstly, there is an obligation on insurers to keep consumers informed by providing them with certain information, such as who is processing their data and for what purpose. When this processing of data entails a high risk to an individual's rights and freedoms, insurers are obliged to assess the risks and take measures to mitigate the risks before processing the data. Under the GDPR, if an insurer's core activities involve regularly monitoring individuals or the processing of special categories of data, such as health data, it must appoint a Data Protection Officer (DPO). The DPO is responsible for advising the insurer and will also cooperate with the supervisory authority to ensure compliance with the GDPR. Notification requirements also feature, with an obligation on insurers’ to notify their supervisory authority within 72 hours of detecting a data breach.

Overall, insurers will be responsible for demonstrating their compliance and ensuring insurance consumers can effectively exercise their rights under the GDPR.

An overview of insurers’ main obligations is here.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.