Despite its complexity, the new GDPR may open a door for German insurers towards a new efficient approach to data protection.
The new regulation will apply from 25 May 2018. Insurers have often struggled with the principle of informed consent under the current law in Germany. In practice, the insured would give consent only when applying for insurance. This initial consent reflects the situation at that time and will cover the process of concluding the insurance contract. It will not, however, cover all future processes such as the provision of personal information to outsourced service providers. Clearly, this can present operational challenges and limit the insurer’s ability to be flexible during the management of the insurance.
The new GDPR provides some new ‘features’ which might prove to be advantageous to insurers in dealing with these issues. It will allow insurers to process personal data without the consent of the insureds under certain circumstances. In particular, processing of personal data will be allowed if the fundamental rights of the affected policy holders do not outweigh the legitimate interests of insurers. This has to be assessed individually but there is a fair chance, at least from a German perspective, that for instance the processing of data in the context of outsourcing can be justified by improved efficiency in the management of insurance contracts (for the benefit of both insured and insurer). These potential benefits will apply to administrative measures principally and data processing for marketing purposes will still need specific consent from the individual concerned. Here again, however, the GDPR allows for improved efficiency in obtaining the necessary consents, which no longer always have to be in written form. Oral or electronic forms of consent might be sufficient in certain circumstances.