GDPR in the Insurance Sector — Data Protection in Insurance Operations
The insurance sector is one of the most data-intensive industries — insurance operations are built on collecting, analysing, and processing personal data on a massive scale. Risk assessment (underwriting), premium calculation, claims handling, fraud detection, and distribution through agents and brokers all require access to policyholders’ personal data, often including special category data such as health and genetic information.
At the same time, insurers operate within a dense regulatory framework. Alongside the GDPR, they must comply with the Act on Insurance and Reinsurance Activity (referred to below as the Insurance Activity Act), the Insurance Distribution Act (implementing the IDD Directive), Polish Financial Supervision Authority (KNF) requirements, EIOPA guidelines, and, since 17 January 2025, the DORA Regulation on digital operational resilience for the financial sector.
This article covers the key GDPR issues specific to the insurance sector — from legal bases for processing, through profiling and scoring, health data in life insurance, to relationships with agents and brokers.
Data Processing Specifics in Insurance
Insurers process personal data at every stage of the policy lifecycle:
Pre-contractual stage (quotation) — collecting data for risk assessment and premium calculation. The scope depends on the insurance type: motor insurance requires vehicle data, claims history, and driver age; life insurance requires health data, medical history, age, occupation, and lifestyle; property insurance requires property data, security measures, and asset values.
Contract conclusion — identification data (name, national ID, address), contact details, payment data, beneficiary and insured person data.
Policy servicing — data changes, renewals, assignments, cancellations, correspondence.
Claims handling — data of injured parties, witnesses, and at-fault parties, medical documentation (for personal insurance), police reports, expert opinions, photos, and recordings.
Fraud detection — pattern analysis, cross-referencing with external databases (Insurance Guarantee Fund, credit bureaus), profiling.
Marketing and cross-selling — offering additional insurance products, customer segmentation, analytics.
Reinsurance — transferring data to reinsurers for risk sharing.
Legal Bases for Processing by Insurers
Insurance companies use several legal bases simultaneously:
Contract performance (Article 6(1)(b) GDPR) — processing data necessary for concluding and performing the insurance contract (premium calculation, policy servicing, claims handling). This is the primary legal basis for most insurance operations.
Legal obligation (Article 6(1)(c) GDPR) — fulfilling obligations under the Insurance Activity Act (e.g., customer identification — AML/KYC, regulatory reporting to KNF, archiving obligations).
Legitimate interest (Article 6(1)(f) GDPR) — detecting and preventing insurance fraud, direct marketing of the insurer’s own products, pursuing and defending claims, and actuarial and statistical analyses on personal data (typically pseudonymised). Note that data which has been genuinely anonymised falls outside the GDPR altogether and needs no legal basis; data that is merely pseudonymised remains personal data.
Consent (Article 6(1)(a) GDPR) — marketing third-party products, profiling beyond contractual necessity, processing health data in certain situations.
Health Data — Article 9 GDPR in Insurance
Life and health insurance require processing health data — a special category under Article 9 GDPR. Legal bases include:
Article 9(2)(f) GDPR — processing necessary for establishing, exercising, or defending legal claims. Used in personal insurance claims handling requiring analysis of medical documentation.
Article 9(2)(a) GDPR — explicit consent of the insured. Used when collecting health data during underwriting.
Article 38(2) of the Polish Insurance Activity Act — provides an independent legal basis for insurers to process health data of insured persons or beneficiaries contained in insurance contracts or attached documents, for risk assessment or contract performance purposes, to the extent necessary given the purpose and type of insurance.
This is a key provision — it constitutes an independent basis for health data processing by insurers, regardless of the individual’s consent. UODO has confirmed that Article 38 implements the condition from Article 9(2) GDPR.
Profiling and Insurance Scoring
Profiling is an integral part of insurance operations — underwriting involves analysing personal data to classify the customer into a risk group and set the premium. This constitutes profiling under Article 4(4) GDPR.
Types of profiling in insurance:
Underwriting (tarification) — analysing customer data for risk assessment and premium calculation. Factors include age, health status, occupation, claims history, and location.
Insurance scoring — automated point-based risk assessment using algorithms.
Fraud detection — profiling to identify suspicious claims.
Marketing segmentation — profiling customers to offer tailored products.
Telematics — monitoring driving behaviour via telematics devices (Usage-Based Insurance — UBI). Data includes speed, acceleration, braking, time of travel, and route.
GDPR obligations for insurance profiling:
Transparency — the customer must be informed about profiling, its logic, and consequences (Article 13(2)(f) GDPR).
Article 22 GDPR — if the decision to conclude the insurance contract, set the premium, or refuse cover is made solely by automated means (without meaningful human involvement) and produces legal effects or similarly significantly affects the customer, it falls under Article 22 GDPR. Such a decision is only permitted where one of the exceptions in Article 22(2) applies; for automated underwriting this is usually necessity for entering into or performing the contract (Article 22(2)(a)) or explicit consent. In those cases the insurer must provide the safeguards of Article 22(3): the right to obtain human intervention, to express one’s point of view, and to contest the decision. If the automated decision relies on health or other special category data, Article 22(4) additionally requires explicit consent (Article 9(2)(a)) or a substantial public interest basis (Article 9(2)(g)) together with suitable safeguards.
DPIA — large-scale insurance profiling requires a DPIA (Article 35 GDPR).
Non-discrimination — profiling must not lead to discrimination based on race, ethnicity, religion, etc. The use of genetic data for insurance purposes is subject to regulatory debate.
Insurance Secrecy and the GDPR
Article 35 of the Insurance Activity Act imposes an obligation of insurance secrecy on insurers. Information relating to individual insurance and reinsurance contracts is covered by this secrecy.
Insurance secrecy and the GDPR operate in parallel as two separate confidentiality regimes. Insurance secrecy supports the integrity and confidentiality principle of Article 5(1)(f) GDPR. A release from insurance secrecy (e.g., at the request of a court, prosecutor, or KNF) does not by itself release the insurer from GDPR obligations: the disclosure still needs a legal basis under Article 6 (typically a legal obligation, Article 6(1)(c)) and must be limited to the data actually required.
Insurance Distribution — Agents and Brokers Under the GDPR
Distribution through agents and brokers raises complex GDPR role questions:
Insurance agent — acts on behalf of the insurer. Under the GDPR, the agent is typically a processor, processing customer data on the insurer’s instructions, so a data processing agreement (Article 28 GDPR) is required. For the records the agent must keep to meet its own statutory obligations (e.g., its own registration and record-keeping duties under the Insurance Distribution Act), the agent acts as a controller in its own right.
Multi-agent — acting for multiple insurers. The GDPR situation is more complex: the multi-agent processes data for multiple controllers, needs a data processing agreement with each, and must keep the instructions and data sets of the different insurers separate.
Insurance broker — acts on behalf of the client, not the insurer. The broker is typically a separate data controller, independently determining the purposes of processing. Data exchange between broker and insurer is therefore a controller-to-controller transfer (each party needs its own legal basis and gives its own privacy notice), not processing on the insurer’s behalf under Article 28 GDPR. The transfer itself is still “processing” within the meaning of Article 4(2) GDPR.
Information obligation in distribution: The customer must receive a privacy notice from each entity processing their data. The Insurance Distribution Directive (IDD) imposes additional information obligations that complement GDPR requirements.
Claims Handling and the GDPR
Claims handling involves intensive processing — of injured parties, at-fault parties, witnesses, and experts:
Medical documentation — for personal injury claims, the insurer needs access to the injured party’s medical records. Legal basis: Article 38(2) of the Insurance Activity Act + Article 9(2)(f) GDPR.
Data minimisation — the insurer should request only medical documents necessary for assessing the claim. Requesting “all medical records for the last 10 years” without justification violates the minimisation principle.
Insurance Guarantee Fund (UFG) — insurers exchange data with the UFG for verifying claims and insurance history. The UFG is a separate data controller.
Experts and assessors — if the insurer commissions an expert opinion, the expert is typically a processor requiring a DPA.
Fraud Detection and the GDPR
Fraud prevention is the insurer’s legitimate interest (Article 6(1)(f) GDPR) — Recital 47 expressly mentions fraud prevention.
Profiling for fraud detection is subject to Article 22 GDPR if it leads to solely automated decisions that refuse or reduce a claim without human review; flagging a claim for human investigation does not, by itself, trigger Article 22. Data exchange between insurers for fraud detection requires careful legal basis analysis, typically legitimate interest supported by a documented legitimate interest assessment (LIA). Cooperation with law enforcement for suspected crimes is based on legal obligation or legitimate interest, depending on whether the disclosure is compelled or voluntary.
DORA and Data Protection in Insurance
The DORA Regulation (fully applicable since 17 January 2025) requires insurers to ensure digital operational resilience. DORA and the GDPR overlap in ICT risk management, ICT incident reporting (major ICT-related incidents are reported to KNF under DORA; where personal data is affected, a separate personal data breach notification to UODO under Article 33 GDPR is due within 72 hours, so one incident can require two notifications on two timelines), third-party ICT risk management (complementing Article 28 GDPR), and resilience testing (supporting the security obligations of Article 32 GDPR).
KNF and EIOPA Guidelines
The insurance sector is subject to additional regulatory guidance:
KNF recommendations — covering risk management, insurance distribution, and claims handling, indirectly affecting data processing.
EIOPA guidelines — on data governance, cloud outsourcing (EIOPA-BoS-20/002 expressly references GDPR), and AI use in insurance.
IDD — the Insurance Distribution Directive imposes customer information obligations that complement GDPR requirements.
Data Retention in Insurance
Retention periods in insurance are typically long:
Insurance contract documentation — policy duration plus the limitation period for claims: 3 years for claims under the insurance contract (Article 819 §1 of the Civil Code); for third-party liability insurance, the injured party’s claim against the insurer is subject to the tort limitation periods (Article 819 §3 in conjunction with Article 442¹), which can extend to 20 years where the damage results from a crime.
Claims documentation — contract period + limitation period + archival period under the Insurance Activity Act.
AML/KYC data — 5 years from the end of the client relationship.
Actuarial documentation — long retention periods under Solvency II and KNF regulations.
Marketing data — until consent withdrawal or successful objection.
DPO in Insurance Companies
Insurers are required to appoint a DPO under Article 37(1) GDPR, because their core activities involve large-scale processing of special category data (health) and regular, systematic monitoring of data subjects (scoring, telematics, fraud detection). The DPO in an insurance company should have specialist knowledge at the intersection of data protection, insurance law, and financial regulation.
Checklist — GDPR for the Insurance Sector
- Define GDPR roles across the distribution chain — controller, processor, joint controller — for each entity.
- Conclude DPAs with agents and other processors.
- Determine legal bases for each process — underwriting, claims, marketing, fraud detection.
- Identify health data processing — verify the basis under Article 9 GDPR and Article 38 of the Insurance Activity Act.
- Prepare privacy notices addressing insurance specifics — profiling, scoring, recipients (UFG, reinsurers, experts).
- Conduct DPIAs for scoring and automated underwriting.
- Ensure profiling transparency — inform customers about the logic and consequences.
- Implement data subject rights procedures — access, rectification, erasure, portability, objection.
- Define retention periods for each data category, considering limitation periods.
- Ensure DORA compliance — integrate digital operational resilience requirements with GDPR.
- Train agents and staff on GDPR in the insurance context.
- Appoint a DPO with insurance law knowledge.
- Monitor EIOPA guidelines and KNF recommendations for data processing implications.
- Manage ICT supply chain risk — in accordance with DORA and Article 28 GDPR.
- Conduct regular audits — insurance is a high-risk sector for UODO inspections.
Need GDPR Support in the Insurance Sector?
The insurance sector is one of the most demanding regulatory environments — the GDPR, Insurance Activity Act, IDD, DORA, and KNF/EIOPA guidelines create a complex system of requirements that must be applied simultaneously. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we advise insurers, agents, and brokers on GDPR compliance in the insurance context — from audits and documentation, through profiling and scoring, to implementing data subject rights procedures.

Contact us — we will assess your organisation’s GDPR compliance in the insurance sector.
