A draft law implementing the General Data Protection Regulation (“GDPR”), which is currently under debate in the Romanian Chamber of Deputies, seeks to introduce additional restrictions on the processing of personal data, which could have a substantial impact on health and life insurers.
Under the current wording of the draft, the processing of genetic, biometric or health data for the purposes of an automated decision-making process or for profiling is strictly prohibited, except when performed by or under the control of public authorities. Furthermore, this prohibition cannot be lifted even with the consent of the data subject.
The Economic and Social Council, a consultative body of the Romanian Parliament and Government, has warned that the blanket prohibition on the processing of genetic, biometric or health data could create gridlock for life insurers, given the large role health data plays in profiling and customising insurance products. However, as the Council is simply an advisory body, Parliament is not bound to act on its recommendation to lift the ban.
The National Union of Insurers and Reinsurers (“UNSAR”) also reacted to the draft, stating that “the processing of personal data in the insurance industry, especially in respect of life and health insurance products, is a primary activity; assessing the health status of the insured is crucial in calculating the risk underwritten by the insurer through the policy”. UNSAR has urged the legislator to reconsider its position on this issue.
Touching on other areas, the draft also states that where a data controller relies on ‘legitimate interest’ as grounds for processing national identifiers (such as personal identification numbers, health insurance numbers etc.), the data controller must put in place the following safeguards (the list appears to be cumulative):
(i) adequate technical and organisational measures are in place to comply with data minimisation principles, as well as to ensure the security and confidentiality of such data;
(ii) a Data Protection Officer to be appointed in accordance with art. 37-39 of the GDPR;
(iii) the data controller must observe an approved Code of Conduct as per art. 40 of the GDPR;
(iv) adequate timelines for storage and deletion of such personal data to be established, depending on the nature of the data and the purpose of processing; and
(v) individuals who process such personal data by authority of a data controller or data processor to receive periodical training on data privacy obligations.
The sticking point, however, is that no Code of Conduct has yet been approved (and this is unlikely to happen before GDPR enters into force on 25 May 2018), making it unclear what data controllers will do once GDPR kicks in if they cannot rely on other grounds for processing national identifiers (e.g. contract, consent).