Insurance Europe
Monitoring bodies for GDPR codes of conduct must remain optional

Europe’s insurers have warned that the European Data Protection Board’s (EDPB) draft guidelines on codes of conduct and monitoring bodies go beyond the text of the General Data Protection Regulation (GDPR). This is because the draft guidelines say the approval of a code of conduct will depend on the appointment of a mandatory body that shall police compliance with the code, when in fact the GDPR says this is optional. 

Therefore, Insurance Europe has urged the EDPB to acknowledge that the draft guidelines go beyond the GDPR’s Level 1 text and to clarify that the appointment of a monitoring body is optional.

Drawing up a code is already a lengthy process that requires intensive effort and resources. The appointment of mandatory monitoring bodies, which goes beyond the GDPR’s provisions on codes of conduct, would impose an excessive burden and costs on national associations across all industry sectors.

Practical experience has shown that, despite the cost, such codes have contributed significantly to the understanding and application of data protection rules by insurance companies and contribute to better consumer outcomes. However, the heavy organisational and financial burden of developing a code of conduct, appointing a mandatory monitoring body and maintaining the required structure, for the sole purpose of obtaining approval of the code and monitoring compliance, would significantly outweigh the benefits of having an approved code.

Insurance Europe raised other concerns that can be found in its full submission to the EDPB.

Published 10 April 2019