Collect the consent of individuals

Individual consent is a mandatory prerequisite when collecting sensitive data, when using cookies for certain purposes, and even when using data for electronic commercial prospecting.

In any case, it must be an active and explicit step, preferably in writing. For example, consent can take the form of a check box in a form (provided that this box is not checked by default).

Guarantee the protection of personal data

Insurance companies must deploy the means necessary to ensure that the data entrusted to them is not subject to theft, intrusion or modification by a third party.

What are the compulsory security measures for insurers under the GDPR?

The controller must define a security policy describing the security objectives and the measures taken to achieve them, for example:

  • Management of authorizations to limit access to data.
  • Encryption of digital archives.
  • Authentication using robust identifiers and passwords.
  • Use of cryptographic keys.
  • Automated systems guaranteeing data traceability: logs, audits, etc.

In addition, insurers must provide for a data breach management procedure, with an obligation to notify the CNIL within 72 hours and to inform the persons concerned as soon as possible, in particular if the data breach presents a high risk to individuals.

Finally, in certain situations, the controller must carry out an impact assessment, for example in the event of large-scale processing of sensitive personal data.

Define the purposes of processing

In the insurance sector, data is generally processed for two sets of purposes.

Conclusion, management and execution of contracts

Various processing operations can take place as part of the execution of an insurance contract, for example:

  • The study of the specific needs of the insured in order to offer him suitable offers.
  • Assessment of insurance risks.
  • The management of complaints and litigation linked to the contract.

Others can be based on the legal basis of legitimate interest, notably:

  • The production of actuarial statistics and studies.
  • The implementation of prevention actions.
  • Communication and customer loyalty operations.
  • Processing related to the fight against fraud.

Finally, some processing is necessary to comply with a legal obligation: withholding of income tax at source, taking into account international economic and financial sanctions, the fight against money laundering and the financing of terrorism, etc.

Commercial prospecting

In general, processing for electronic commercial prospecting is subject to the consent of the individuals concerned.

However, legitimate interest can be invoked:

  • In the case of prospecting by other means.
  • If the prospecting relates to goods or services similar to those already provided to the customer.

In any event, the person must be able to object to this processing easily and in advance.

Respect the data retention period

The law provides for certain retention periods specific to the insurance sector.

If no insurance contract has been concluded, prospect data cannot be kept for more than 3 years (from its collection or from the last contact initiated by the prospect) for the purposes of managing commercial prospecting.

Nevertheless, data needed to establish, exercise or defend legal claims can be kept for 5 years.

When a contract has been concluded, specific limitation periods may apply. This is the case for life insurance contracts, for which a period of 30 years from the death of the insured is provided for by the Insurance Code.

Inform people

Under the GDPR, the controller is obliged to provide the persons concerned with concise, transparent, easily accessible and understandable information.

To guarantee the legibility of this information, insurance companies must favor a two-level approach:

  • On the one hand, essential information such as the identity and contact details of the controller and/or the data protection officer, the purposes of processing, a reminder of the rights of individuals, etc.
  • On the other hand, additional information such as the data retention period, the criteria used to determine this period, the legitimate interests pursued by the processing, the existence of data transfers to countries outside the European Union, etc.

Respect the rights of individuals

Whether an insurance contract is signed or not, the controller must respect and implement the rights of the persons concerned free of charge.

Access and rectification rights

They allow the individual to access all the information concerning him and to know its origin, but also to demand that it be completed, rectified, updated or deleted.

The right to object

It allows anyone to object to the reuse of their contact details by the controller when signing a contract, in particular for commercial solicitations.

In addition, the insured can object, on legitimate grounds, to the processing of his data, unless that processing meets a legal obligation.

The right to portability

It allows any individual to receive and reuse the data he has provided to the controller. He can also transmit it, if he wishes, to another controller.

In the insurance sector, the data necessary for risk assessment and for the determination or evaluation of losses and benefits (such as claims) is, for example, considered portable.

The right to restrict processing and the right to erasure

The right to restrict processing allows the person to temporarily freeze the use of their data, while the right to erasure makes it possible to obtain its deletion.