Explicit consent for processing health-related data by (re)insurers no longer needed in Belgium?
21/01/2022

Yesterday, several press articles mentioned that the FPS Economy had prepared a preliminary draft law on the processing of health-related personal data by (re)insurers. Due (or thanks) to an information leak, the text was made public. This preliminary draft has not yet been submitted to the Chamber of Representatives. Nor has it yet been submitted to the Belgian Data Protection Authority or the Council of State for advice. The text is therefore far from being final.

BACKGROUND

At present, Belgian law does not provide for a specific legal ground for (re)insurers to process health-related personal data in the context of (re)insurance. Hence, (re)insurers must rely upon the exemptions (special legal grounds) set out in Article 9 (2) GDPR on special category data, which includes health-related data.

Contrary to Article 6 GDPR, Article 9 (2) GDPR on legal grounds for special category data does not provide for legal ground to process health-related data “when such processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. 

Hence, (re)insurers in Belgium have had to rely upon other Article 9 (2) GDPR exemptions, such as:

  • the explicit consent of the data subject for one or more specified purposes;
  • the necessity of the processing for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law; and
  • the necessity of the processing for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

This has led to (re)insurers in Belgium heavily relying on prior explicit consent of the policyholder, the insureds and the beneficiaries in order to process their health-related data in view of the possible conclusion of insurance contract, the management and performance of these contracts including the management of claims and indemnification of bodily injury.

Using consent as a legal ground for the processing of health-related data has however many disadvantages:

  • gathering explicit consent for policyholders, insureds and beneficiaries is burdensome;
  • (re)insurers do not always have a direct contractual relationship with the data subjects whose health-related data are being processed, making it difficult to obtain their consent;
  • once obtained, consent can be withdrawn at any time; consent is hence not a sufficiently reliable and efficient legal ground for processing operations that are in the end necessary to be able to perform the (re)insurance contract; and
  • the validity of the consent could be challenged as the conclusion and performance of a (re)insurance contract is often simply not possible without the processing of health-related data; hence it could be argued that data subjects do not have a free choice.

Already back in 2020, the Dispute Chamber of the Belgian Data Protection Authority recognised the tension between consent and the necessity for the performance of the (re)insurance contract and invited the legislator to create a more reliable legal ground for (re)insurers to process health-related data.

PRELIMINARY DRAFT LAW

The preliminary draft law now aims to create such specific legal ground, providing greater legal certainty for the processing of health-related data in the context of (re)insurance. Article 9 (4) GDPR indeed provides that Member States may maintain or introduce further conditions, including limitations, with regard to the processing of health-related data.

The preliminary draft law proposes to introduce a new Article 61/5 in the Belgian Insurance Act of 4 April 2014.

Such provision would stipulate that the processing of health-related data must be considered as necessary for reasons of substantial public interest in accordance with Article 9 (2) (g) GDPR, in particular the social and economic protection, which is the object of the insurance coverage.

Based on such legal ground, (re)insurers would be able to process health-related data, be it only to the extent strictly necessary for the performance of their tasks of general interest of social and economic protection and hence for specific purposes, namely:

  • for insurers: the possible conclusion of insurance contract, the management and performance of these contracts; and
  • for reinsurers: the possible conclusion of contracts. 

The processing of health-related data for the purposes of direct marketing, including profiling insofar as it relates to direct marketing, is explicitly prohibited by the preliminary draft law.

The preliminary draft also provides for a specific data retention period. It stipulates that health-related data should not be kept beyond the statutory limitation period laid down in Article 88 of the Insurance Act, except in the case of legal proceedings.

Finally, the preliminary draft law provides that health-related data must be encrypted. 

The preliminary draft law already raised many comments from consumer and patient organisations. These comments will now be examined and discussed. 

The draft is in any event an interesting first step. Of course, the advice of the Belgian Data Protection Authority is also to be awaited. 

We will keep you informed on any further developments on this topic, which is crucial for all (re)insurance companies active on the Belgian market. Stay tuned 

Zie ook : Lydian ( Ms. Olivia Santantonio ,  Mr. Bastiaan Bruyndonckx )

[+ http://www.lydian.be]

Ms. Olivia Santantonio Ms. Olivia Santantonio
Counsel
[email protected]
Mr. Bastiaan Bruyndonckx Mr. Bastiaan Bruyndonckx
Partner
[email protected]

Click here to see the ad(s)

Laatste artikels van Ms. Olivia Santantonio

Belgian B2C guarantee regime revised : new challenges for businesses
06/04/2022

A little late given transposition deadlines, Belgium has finally adopted an Act transposing two Directives relating to the...

Read more

What are the copyright and trademark implications of NFTs?
07/03/2022

NFTs and IP rights have certainly been a hot topic since the beginning of the year.

Read more

EDPB publishes guidelines on DSARs
18/02/2022

On 18 January 2022, the European Data Protection Board (EDPB) published its draft Guidelines on the right of access&n...

Read more

CJEU clarifies competence of non-lead supervisory authorities in cross-border GDPR infringements ...
21/06/2021

On 16 February 2018, the Brussels Court of First Instance condemned Facebook, including Facebook Ireland Limited and Faceb...

Read more

Laatste artikels van Mr. Bastiaan Bruyndonckx

EDPB publishes guidelines on DSARs
18/02/2022

On 18 January 2022, the European Data Protection Board (EDPB) published its draft Guidelines on the right of access&n...

Read more

Klokkenluidersregelingen: stand van zaken
17/12/2021

D'ici demain, 17 décembre 2021, la Directive EU sur les lanceurs d'alerte n° 2019/1937 du 23 octobre 20...

Read more

The BDPA’s recommendation on processing of biometric data
07/12/2021

On 6 December 2021, the Belgian Data Protection Authority (the BDPA) published a recommendation on the processing of ...

Read more

Court of Justice of the European Union allows Reverse Engineering to Correct Errors
12/10/2021

Licensees are in certain cases permitted to decompile software code without infringing the Software Directive. In a judgem...

Read more

LexGO Network