The Spanish personal data protection agency (AEPD) has reminded intermediaries of the importance of adopting clear policies on personal data protection - Proceeding No.: PS/00403/2018

Spain

Mapping of claims against insurance intermediaries

Spain stands out in a study of its market structure where agents operating on an exclusive basis are the overwhelming majority of insurance intermediaries, far ahead of brokers or bancassurance operators. Agents fall into two categories: they can work exclusively with one insurance company (first category: tied agents) or with several insurance companies (second category: multi-tied agents). The same distinction applies to bancassurance operators, who can operate as tied or multi-tied agents. The courts have placed particular emphasis on the distinction between these two categories of intermediaries, one representing the insured and the other representing the insurer.

The Spanish personal data protection agency (AEPD) has reminded intermediaries of the importance of adopting clear policies on personal data protection – Proceeding No.: PS/00403/2018

In 2019, the Spanish Data Protection Agency (AEPD) published its approach to GDPR and the consequences for insurance intermediaries. The approach, favourable to the intermediary involved in the case in question, should encourage distributors of insurance to be particularly careful in the procedures they put in place for the protection of customers’ personal data in order to reduce their professional liability exposure.

Facts

The background to this claim was an invitation or “friend request” that a representative of an insurance agency sent to a customer’s daughter on the social media, Facebook. The daughter explained that she had answered a phone call that the insurance agency had made to her mother, who had taken out a life insurance policy, now offering her a home insurance policy. The daughter requested that the details for the proposed policy be first sent to her and she would pass it on to her mother. After receiving a second telephone call advising that the insurance proposal had been accepted by the insurer, the insured’s daughter was invited to go to to the intermediary’s office and met the agent in question in passing. A few days later, she received an invitation via Facebook and recognised the agent from his photos. She then approached the Spanish Personal Data Protection Agency – the AEPD – to find out how her data had been used.

Decision

The AEPD did not find the intermediary liable in this case because it had taken care to specify in the contracts with its agents their obligations under GDPR. The AEPD $ that the insurance agency had acted diligently and taken sufficient measures to ensure that its agents – who had access to the data collected or held in its records – were aware of the rules governing data protection and the obligations they imposed.

CGPA comments

This decision underlines the importance for insurance intermediaries to put into place a full set of procedures for data protection that clearly describe the role and obligations of their agent(s). It was because the intermediary had put in place such a clear set of procedures that he was not held liable in this case, in which the AEPD found that the agent had sent his invitation in a strictly personal capacity.

Publications

The Spanish personal data protection agency (AEPD) has reminded intermediaries of the importance of adopting clear policies on personal data protection – Proceeding No.: PS/00403/2018

Facts

Decision

CGPA comments

CGPA Europe

Latest News

Legal Mentions