Increasing digitalization of the insurance business may be hindered by the narrow interpretation that data protection authorities are giving to the General Data Protection Regulation (GDPR), the German Insurance Association (GDV) stated in an article published on its own website.

“The insurance industry, which relies heavily on sensitive and personal data, is undergoing profound changes in business processes. To ensure that the GDPR does not block a successful digital transformation, there is a need for improvement from the point of view of insurers operating in Germany,” the article reads. The German Insurance Association (GDV) has participated in the EU consultation process for the evaluation of the law.

Here are some of the arguments raised by GDV, as stated on the association’s website:

Digital processes simplify the private and business environment. With more than 465 million insurance contracts, the insurance business is designed for broad audiences. In today's world, customers expect their insurance applications to be processed quickly and easily. In order to take account of the increasing digitalization, the regulations on so-called automated individual case decisions must better meet customer requirements.

Too strict data protection as an obstacle to digitalization

The GDPR allows fully automated decisions that are necessary for the conclusion or performance of a contract. However, there is disagreement as to whether this permission also applies to insurance contracts, as clerks can also make the decisions. The data protection authorities follow a restrictive interpretation of the law and require that customers can always choose human processing of requests as an alternative. Insurers should be able to decide on their own responsibility whether to use automated decision-making systems. It is important that customers can request a review of the decisions at any time if they are dissatisfied with the digital result.

Facilitation of data transfer

In a globally networked world, it is essential to ensure smooth and secure data transmission. However, the strict requirements of data protection authorities present companies with challenges that often go beyond the flexible approach of the General Data Protection Regulation. Even supposedly minor risks, such as providing professional email addresses during a business video conference, require the highest level of protection. One solution could be to extend the risk-based approach of the GDPR to the rules on data transfers to third countries. This would allow data protection measures to be better adapted to actual needs, while maintaining the necessary flexibility.

The full statement can be found here.