We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
07 August 2018
Insurance activity, policies and products generally rely on personal data and data processing, including the processing of special categories of data (also known as sensitive data) for certain types of insurance coverage. Health data is top of the list of special categories for which processing is required, particularly for:
Under the General Data Protection Regulation (GDPR), which applies from 25 May 2018, the processing of health data for insurance purposes requires the data subject's 'explicit consent'. This poses enormous challenges for the insurance industry and could (when applied fully) jeopardise the ability to provide certain policies which require the processing of health data for their execution and performance. Such data is also essential for the performance of accident at work and personal accident insurance contracts. The challenges for the insurance industry are great with regard to processing the health data of policyholders and their family members and beneficiaries included in group policies.
A number of EU member states have included insurance-specific provisions in national laws passed before the GDPR came into effect, providing specific grounds for the processing of health data in the insurance industry. These provisions were foreseen by Article 9(2)(g) of the GDPR, which states that where data processing is required for public interest reasons, the law of EU member states must be "proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject".
Portugal has no specific national legislation in this regard. However, the Data Protection Act Proposal is under discussion in Parliament and is expected to be approved in the next few months.
The initial version of the Data Protection Act Proposal includes no insurance-specific provisions regarding the processing of health data. The only relevant provision concerns the processing of health data in the context of:
In both cases, data processing must be entrusted to persons subject to professional secrecy or confidentiality duties.
The industry-wide problem of 'explicit consent' remains unresolved. Under the GDPR, explicit consent requires the data subject to give their permission and data controllers must obtain specific consent for each use of health data in this context. Further, the data subject must be able to withdraw consent without any disadvantage. This would be impossible in the context of health data processed for the execution and performance of the insurance policies listed above.
It appears that for certain types of insurance, other grounds foreseen in Article 9(2) of the GDPR could be enough to allow the processing of health data (and other special categories of data) for insurance purposes – in particular, for:
The same applies to reinsurance.
This would be the case for compulsory insurance such as accident at work or compulsory motor liability insurance, which allow the processing of health data required for compulsory insurance purposes under Article 9(2)(g) of the GDPR and do not require the data subject's explicit consent.
The grounds for processing health data for health insurance purposes could also be covered in the specific legitimacy grounds foreseen in Article 9(2)(b), which refer to data processing that is "necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of… social protection law", insofar or to the extent under which health insurance might still be envisaged as a form of social protection.
Although this understanding may be debatable, it seems to be in line with an understanding acceptable to the Portuguese supervisory authority on data protection, which addressed this issue in a May 2018 opinion on the Data Protection Act Proposal.
The supervisory authority's opinion states that, with regard to non-compulsory insurance coverage (other than health insurance), the GDPR provides no specific grounds on which an insurer could base the processing of health data. As a result, this will lead to the explicit consent dilemma for such processing (eg, for life insurance purposes).
The Data Protection Act could (and should) provide specific insurance grounds for the processing of health data in line with a relevant number of EU member states. This could be achieved through legal provisions that:
In that regard, Recital 52 of the GDPR states as follows:
Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security.
Arguably, this could be achieved by mirroring the relevant legal provisions under Article 9(4) in the Data Protection Act that allow EU member states to "maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health".
Recital 10 explicitly states as follows:
This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data ('sensitive data'). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.
It therefore seems that each EU member state, including Portugal, can provide specific conditions (grounds) for the processing of personal data, including special categories of data. This possibility does not seem to be excluded by Recital 53 of the GDPR.
For further information on this topic please contact Helena Tapp Barroso at Morais Leitão Galvão Teles Soares da Silva & Associados by telephone (+351 21 381 74 00) or email (firstname.lastname@example.org). The Morais Leitão Galvão Teles Soares da Silva & Associados website can be accessed at www.mlgts.pt.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.