DATA PROTECTION
Italian Data Protection Authority: access to personal data of third-party beneficiaries of insurance policies. Interpretative measure.
With the provision interpreting the combined provisions of Article 15 GDPR and Article 2-terdecies of the Privacy Code, the Garante has clarified that heirs or those called to the estate who submit to the insurance companies requests for access to the personal data of the third-party beneficiary of a policy in his name by the de cuius in order to know his identity must prove that they are the heirs of the estate and that they are currently involved in (or are about to start) a legal succession dispute. The Authority recalls that it remains prohibited to allow access to personal data of persons other than the de cuius (such as those of the third party beneficiary) as a general rule (Art. 15. 4 GDPR), but if the basis of access is the right of action or defence, the right to privacy (which is not absolute) of the third party may be compressed with fair balancing (only in these cases and provided that the claims are not pretextual or exploratory) and the data of the third party beneficiary of the policy may be disclosed on the basis of the legitimate interest of the third party (called to the estate/heir) pursuant to Art. 6.1, letter (f) of the GDPR. A subtle distinction that in any case does not represent a novelty and had already been highlighted by the Supreme Court, also in United Sections.
Therefore, insurance companies must - before granting access - verify the quality of 'called to the inheritance' (for the Supreme Court it is sufficient to attach the certificate of family status) or of 'heir' (which can be proved by acceptance of the inheritance; the death certificate together with the family status or, if present, the will, but not with the declaration of inheritance, which has only fiscal value; and in any case, in my opinion, critical issues arise with regard to the processing of data of many other third parties mentioned in the evidence documents....). They must also verify that the interest (in acting or defending oneself in court) is concrete and current, that is, really existing at the time of access to the data, instrumental or prodromal to the defence of one's inheritance right in court. Here, on this point, I have my doubts as to whether an assessment that - in many cases - appears to be a probatio diabolica is being placed on the insurance companies. Apart from cases in which the applicant attaches documentary evidence of pending legal proceedings (e.g. an action for reduction), what about letters from lawyers requesting access to third-party beneficiary data on behalf of their clients/heirs to assess possible (but not certain/current at the time of the request) actions? Are these requests 'prodromal' to the establishment of a court case (access granted) or exploratory (access denied)? And if, once access has been granted, no legal action follows (e.g.: the policy does not infringe any legal rights), is access retroactively affected by supervening illegality, with the possibility for the third-party beneficiary to claim treatment damages from the insurance company?
Therefore, insurance companies must - before granting access - verify the quality of 'called to the inheritance' (for the Supreme Court it is sufficient to attach the certificate of family status) or of 'heir' (which can be proved by acceptance of the inheritance; the death certificate together with the family status or, if present, the will, but not with the declaration of inheritance, which has only fiscal value; and in any case, in my opinion, critical issues arise with regard to the processing of data of many other third parties mentioned in the evidence documents....). They must also verify that the interest (in acting or defending oneself in court) is concrete and current, that is, really existing at the time of access to the data, instrumental or prodromal to the defence of one's inheritance right in court. Here, on this point, I have my doubts as to whether an assessment that - in many cases - appears to be a probatio diabolica is being placed on the insurance companies. Apart from cases in which the applicant attaches documentary evidence of pending legal proceedings (e.g. an action for reduction), what about letters from lawyers requesting access to third-party beneficiary data on behalf of their clients/heirs to assess possible (but not certain/current at the time of the request) actions? Are these requests 'prodromal' to the establishment of a court case (access granted) or exploratory (access denied)? And if, once access has been granted, no legal action follows (e.g.: the policy does not infringe any legal rights), is access retroactively affected by supervening illegality, with the possibility for the third-party beneficiary to claim treatment damages from the insurance company?
