GDPR questions and answers


Should an employer enter into a data processing agreement with an insurance company for group employee insurance?

ANSWER

A data processing agreement should be concluded when a data controller entrusts personal data to another external entity for processing on the controller's behalf and for the controller's benefit.

In the relationship with an insurance company, there will therefore be no entrustment of personal data processing. When seeking to conclude a group employee insurance agreement, the employer discloses or makes available the personal data it processes to the insurer as an independent data controller. Upon receiving the data, the insurer will process it for its own processing purposes (not the employer's purposes).

This means that, between the employer and the insurer, what occurs is not entrustment of personal data processing but disclosure or making the data available. In practice, the parties should therefore regulate the issue of making employees' personal data available within the group insurance agreement. The insurer should undertake to keep the disclosed personal data confidential. From the moment it receives the data from the employer, it becomes an independent data controller and all obligations imposed on controllers under the GDPR apply to it.

Group insurance and data processing agreements with insurers | ODO 24