The Duesseldorfer Kreis, an informal association of the German data protection supervisory authorities, and the German Insurance Association (GDV) have published an official model consent and release from professional secrecy declaration for insurance companies. Such a declaration is required whenever personal health data relating to an insured person or an applicant is to be collected from third parties such as hospitals and physicians, which is normally done for purposes of risk assessment or verification of liability. The Duesseldorfer Kreis requests that all insurance companies replace their currently used templates with declarations based on the model declaration.


A consent and release from professional secrecy is necessary because, under German law, the collection, processing and use of personal health data relating to an insured person is subject to the conditions enshrined in Sec. 213 Insurance Contract Act (Versicherungsvertragsgesetz), which requires opt-in consent.


The model declaration by the Duesseldorfer Kreis and the GDV provides a certain degree of legal certainty in this respect—especially as the German data protection supervisory authorities have agreed to it. This is positive because, in practice, many of the consent wordings used by insurance companies in the past have not been sufficient. Therefore, it is recommended to replace the currently used declarations. Yet, the model declaration—even though it is eight pages long—still needs to be adapted to the particular case. Adaptations are necessary in order to correctly reflect the data processing steps that actually take place at the individual insurance company using the declaration; e.g., data collections from certain sources, data transfers to other group companies and service providers, etc. Also, it must be indicated which health data are collected, processed and used for which purpose. If the model declaration is not adapted carefully, considering all requirements under Sec. 213 Insurance Contract Act and the additional data protection law provisions, the consent and release from professional secrecy declaration might be invalid and the processing of the health data would be unlawful.