Germany: Pay-As-You-Drive-Insurance – First German Data Protection Authority Issues Requirements
The evaluated insurance product
The product, offered by a German insurance company, analyzes the driving behavior of the driver(s) of an insured vehicle using a telematics box permanently installed in the car; insurance premiums are then adjusted according to that driving behavior. Subject to the policyholder's approval, the box is installed in the vehicle and automatically transmits data on driving behavior every second to a telematics service provider working with the insurer. The data, stored on an EU-based server, includes route, time, speed (including speeding), acceleration and braking characteristics, etc.
The telematics service provider calculates a total score and four single scores (speed, driving behavior, night-time driving, city rides) from the collected data. The scores are designed to estimate the probability of an accident. The telematics service provider sends the scores to the insurer monthly and as an annual summary. The insurer examines the submitted scores in order to determine the individual insurance premium for the insured vehicle. If the specified parameters for safe driving behavior are met, part of the insurance premium is refunded to the policyholder as a reward for cautious driving.
The data processing does not use real names but relies on a customer identification number. Each policyholder can access his or her driving data and scores online.
The LDI NRW's requirements
Given the risk that the data collected via the telematics box could be misused to create a precise profile of the driver's movements, the LDI NRW has set out the following requirements that organisations must meet to achieve data protection and data security compliance:
- Data must be separated. This means that the telematics service provider receives the real-time data but does not know the names of the policyholders. The insurer, on the other hand, knows the names of the policyholders but receives only the scores and the total kilometers, not the raw data.
- Data must be encrypted in the telematics box and during transmission using the latest technology. It must not be possible to access the hardware.
- If a vehicle has multiple drivers, each of them must be able to decide individually, before starting a journey, whether to allow tracking or not. The insurer must provide the policyholder with a sticker to place in the vehicle that informs drivers about the tracking.
- The collected data may be used only to determine the insurance premium and not for the settlement of claims.
- Policyholders must be fully informed, in an understandable way, about the processing of the data and about the parties involved. Moreover, policyholders must be informed that, when an accident occurs, they can object to the transmission of data to repair shops.
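As an added illustration (not code from this post, the insurer or the LDI NRW), the following Python sketch models the data separation and per-driver consent requirements above: the telematics provider stores raw per-second samples under a customer ID only, computes the four single scores and the total score, and hands nothing but scores and total kilometers to the insurer, which holds the names and rejects any report carrying raw fields. The scoring rules, refund threshold, field names and sample data are constructed assumptions.

```python
# Constructed per-second samples for one pseudonymous customer ID (not real data).
SAMPLES = [
    {"hour": 23, "city": True,  "speed_kmh": 62,  "limit_kmh": 50,  "accel_ms2": -3.8},
    {"hour": 23, "city": True,  "speed_kmh": 48,  "limit_kmh": 50,  "accel_ms2": 0.4},
    {"hour": 9,  "city": False, "speed_kmh": 118, "limit_kmh": 130, "accel_ms2": 0.1},
    {"hour": 9,  "city": False, "speed_kmh": 90,  "limit_kmh": 100, "accel_ms2": 0.2},
]
SCORE_FIELDS = {"total", "speed", "behavior", "night", "city", "km"}  # all the insurer may see

def pct(samples, ok):  # share of samples (0-100) meeting a predicate; assumed scoring rule
    return round(100.0 * sum(ok(s) for s in samples) / len(samples), 1)

class TelematicsProvider:  # holds raw data under a customer ID only, never learns names
    def __init__(self):
        self.raw = {}      # customer_id -> list of per-second samples
        self.consent = {}  # (customer_id, driver) -> bool, decided before each journey

    def ingest(self, customer_id, driver, samples):
        if not self.consent.get((customer_id, driver), False):
            return 0       # this driver declined tracking: nothing is recorded
        self.raw.setdefault(customer_id, []).extend(samples)
        return len(samples)

    def monthly_report(self, customer_id):
        s = self.raw[customer_id]
        r = {"speed": pct(s, lambda x: x["speed_kmh"] <= x["limit_kmh"]),
             "behavior": pct(s, lambda x: abs(x["accel_ms2"]) <= 3.0),  # no harsh braking
             "night": pct(s, lambda x: 5 <= x["hour"] < 22),
             "city": pct(s, lambda x: not x["city"])}
        r["total"] = round(sum(r.values()) / 4, 1)
        r["km"] = round(sum(x["speed_kmh"] for x in s) / 3600, 3)  # one-second samples
        return r

class Insurer:  # knows names, receives only scores and total km, uses them for the premium
    def __init__(self, refund_threshold=60.0):
        self.names, self.threshold = {}, refund_threshold  # customer_id -> policyholder name

    def receive(self, customer_id, report):
        extra = set(report) - SCORE_FIELDS
        if extra:  # route, speed or timestamps must never reach the insurer
            raise ValueError(f"raw data must not reach the insurer: {sorted(extra)}")
        return {"name": self.names[customer_id], "refund": report["total"] >= self.threshold}

def run_month():
    provider, insurer = TelematicsProvider(), Insurer()
    insurer.names["C-1001"] = "Constructed Policyholder"  # the name stays with the insurer
    provider.consent[("C-1001", "driver A")] = True       # consent given before the journey
    provider.ingest("C-1001", "driver A", SAMPLES)
    report = provider.monthly_report("C-1001")
    return report, insurer.receive("C-1001", report)
```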
Pay-as-you-drive insurance is one of the first practical examples of how connected cars can be used to develop innovative products and services. The LDI NRW points out in a side note that health insurance companies are already working on insurance products that use data about the health-related behavior of their clients. To ensure that such products and services are acceptable not only to data protection authorities but also to customers, companies developing them should take data protection and data security requirements into account in the conceptual and design phase and implement them properly in the final product.
A version of this entry appeared on Hogan Lovells’ Global Insurance Blog on June 18, 2015.