Insurance secrets may now be transferred to non-EU countries without the consent of the data subject if two conditions are met.

The two conditions are: firstly, that the scope, purpose and legal title of the data transfer is regulated by law; and, second, that the non-EU country provides an adequate level of data protection.

In practice, the country will be deemed to provide an adequate level of data protection if:

  • the European Commission has determined that it does
  • the Safe Harbour principles are applied, or
  • an ‘EC Model Clause’ is concluded in respect of the data transfer.

Since 1 January 2012, entering into other individual data transfer agreements or applying Binding Corporate Rules for International Data Transfers (BCRs) is no longer considered to provide ‘adequate protection’.

This change, which gives greater flexibility to insurance companies, has been made to the Insurance Act in order to reflect the data transfer provisions of the Data Protection Act.

Law: Insurance Act (Act LX of 2003 on Insurance Companies and the Insurance Business); Data Protection Act (Act CXII of 2011 on the Right of Self-Determination in Respect of Information and the Freedom of Information)