In November 2014, the French Data Protection Authority (“CNIL”) issued a new “compliance pack” for the insurance sector, following consultations with trade associations.
The CNIL has started promoting compliance packs as a new tool for regulating the processing of personal data in specific sectors. The packs, adopted by the CNIL after stakeholder consultations, are intended to offer actionable information (notably with respect to CNIL filings) to comply with French data protection law.
The new compliance pack for the insurance sector has been prepared in collaboration with several major trade associations representing the largest French insurance groups. The pack includes (i) two preexisting Simplified Standards for the insurance industry, No. 16 relating to insurance policy management and No. 56 relating to client data management (both revised on July 11, 2013, see our previous post here), as well as (ii) three more recent Single Authorizations: Single Authorization No. 31 for the collection of social security numbers and access to the French National Directory of Identification of the Individuals (adopted on January 23, 2014), Single Authorization No. 32 for the collection of data concerning criminal offenses (adopted on January 23, 2014), and Single Authorization No. 39 for the implementation by the insurance sector of anti-fraud measures (adopted on July 17, 2014).
The compliance pack also includes several practical information sheets to enable insurers and other professionals in the sector to better understand the legal framework applicable to personal data collection and processing in connection with their business.
The compliance pack also announces the creation of a “compliance club” in which the CNIL will continue to work with the main stakeholders to develop and adapt filing requirements to regulatory changes.
Readers will recall that Simplified Standards enable companies without internal data protection officers that choose to adhere to the conditions set forth in such Standards to make simplified filings with the CNIL, thus avoiding having to file the much more detailed normal filing. Similarly, the Single Authorization procedure allows companies that intend to process personal data for certain specific purposes to implement such processing in compliance with French data protection law if they self-certify to the CNIL that the processing will comply with the specific conditions set forth by the CNIL. Insurance, capitalization, and reinsurance companies and insurance intermediaries that already filed on the basis of the aforementioned Simplified Standards and Single Authorizations are not required to make any additional filing with the CNIL.