Data protection: one year GDPR and more

Data protection remains a central issue for the insurance industry. We publish a monthly overview of current data protection developments, trends and important case law in an international context. Here you can find comprehensive information on all important data protection topics. The current issue dated 17 May 2019 can be found here. On the occasion of the Data Protection Day 2019 for the first birthday of the GDPR, the European Commission has published an infographic which contains some interesting statistics about the GDPR since it came into force last year.

Among other things:

– The most common complaints reported to data protection authorities are telemarketing, email marketing and video surveillance;

– Investigations are usually initiated by data protection supervisors on the basis of a complaint;

– The total number of complaints to supervisors is more than twice as high as the number of notifications of data breaches;

– 5 EU Member States have not yet enacted national legislation setting out the permissible exceptions to the GDPR.

BaFin: New agreement with UK regulator on post-Brexit cooperation

On 15 April 2019, BaFin concluded an agreement with the British Prudential Regulatory Authority on cooperation after Brexit. This agreement complements an existing multilateral Memorandum of Understanding between the national insurance supervisory authorities of the remaining 27 EU Member States and EIOPA (European Insurance and Occupational Pensions Authority) and the UK supervisory authorities.

The new agreement provides for the continuation of shared financial supervision and legal supervision of companies that no longer sign new business in the host country for a certain period after Brexit. Under the agreement, the current allocation will be maintained for a transitional period of 21 months after Brexit. Complaints will continue to be handled by BaFin. BaFin will therefore continue to handle complaints about companies based in the UK which have contracts under performance in Germany. In the case of complaints about German companies that have concluded a contract in the United Kingdom, BaFin will continue to act within its legal possibilities.

European Cyber Security Act

On 17 April 2019, the European Union passed the regulation of the European Parliament and of the Council on ENISA (European Union Agency for Cyber Security) and on the certification of the cyber security of information and communication technologies and for the repeal of the regulation (EU) No 526/2013, the “Legal Act on Cyber Security”.

This regulation establishes a European framework for the cyber security certification of products, processes and services. ENISA is mandated to develop such a framework for European cyber security certificates within the next twelve months. Initially, European cyber security certification schemes will be voluntary. The European Commission must determine by 2023 which European certificates will then be binding in the future. National certificates will retain their validity until there is an equivalent at European level. When the European certification comes into force, manufacturers, vendors and service providers will be able to use a uniform process in order to obtain a European certificate with validity in all member states. This would eliminate the need to apply for certificates in several member states.

The future categorization of the security levels “basic”, “substantial” and “high” is intended to strengthen the confidence of EU citizens and companies in European cyber security standards. In addition, the Commission believes that this could give European companies a competitive advantage worldwide due to the growing demand for secure solutions.

The provisions of the regulation and the corresponding European Framework for Cyber Security are also aimed at ensuring that cyber security measures are taken into account at the product development stage (Security by Design).