The Spanish personal data protection agency (AEPD) has reminded intermediaries of the importance of adopting clear policies on personal data protection – Proceeding No.: PS/00403/2018

In 2019, the Spanish Data Protection Agency (AEPD) published its approach to GDPR and the consequences for insurance intermediaries. The approach, favourable to the intermediary involved in the case in question, should encourage distributors of insurance to be particularly careful in the procedures they put in place for the protection of customers’ personal data in order to reduce their professional liability exposure.


The background to this claim was an invitation or “friend request” that a representative of an insurance agency sent to a customer’s daughter on the social media platform Facebook. The daughter explained that she had answered a phone call that the insurance agency had made to her mother, who had taken out a life insurance policy, now offering her a home insurance policy. The daughter requested that the details of the proposed policy first be sent to her, and she would pass them on to her mother. After receiving a second telephone call advising that the insurance proposal had been accepted by the insurer, the insured’s daughter was invited to go to the intermediary’s office and met the agent in question in passing. A few days later, she received an invitation via Facebook and recognised the agent from his photos. She then approached the Spanish Personal Data Protection Agency – the AEPD – to find out how her data had been used.


The AEPD did not find the intermediary liable in this case because it had taken care to specify in the contracts with its agents their obligations under GDPR. The AEPD found that the insurance agency had acted diligently and taken sufficient measures to ensure that its agents – who had access to the data collected or held in its records – were aware of the rules governing data protection and the obligations they imposed.

CGPA comments

This decision underlines how important it is for insurance intermediaries to put in place a full set of data protection procedures that clearly describe the role and obligations of their agent(s). It was because the intermediary had put in place such a clear set of procedures that it was not held liable in this case, in which the AEPD found that the agent had sent his invitation in a strictly personal capacity.