GDPR · 9 min read

GDPR Compliance for EU Insurance Brokers in 2026: A Definitive Guide

A practical guide to GDPR obligations for insurance brokers: Article 9 health data, DSAR response, breach notification, retention schedules, and a 10-item compliance checklist.

By PrizMova Europa

The General Data Protection Regulation (GDPR) has applied since 25 May 2018, but for EU insurance brokers the compliance journey is far from over. Supervisory authority enforcement has intensified every year since: by most public tallies, fines issued by data protection authorities across the EU had passed a cumulative €4.5 billion by the end of 2025. Insurance firms, which routinely handle sensitive health, financial, and behavioural data, sit squarely in regulators' crosshairs.

This guide cuts through the generic advice and addresses the GDPR obligations that are specific to insurance distribution: the special categories of data you process every day, the rights your policyholders are exercising, and the retention schedules mandated by both GDPR and your national insurance regulation.

Why Insurance Brokers Face Elevated GDPR Risk

Most GDPR guidance is written for e-commerce or HR contexts. Insurance is different in three critical ways:

  • Article 9 data is unavoidable. Health data, and for some products genetic or biometric data, is processed on virtually every life, health, and income protection policy. Unlike other sectors, you cannot design it out: it is core to underwriting and claims.
  • Multi-party data flows are complex. You act as an independent controller for your own client database, may be a joint controller with the insurer where you jointly determine the purposes and means of claims handling, and sometimes act as a processor when you handle data on behalf of another intermediary. Each role carries distinct obligations, and the role has to be assessed per processing activity, not per organisation.
  • Retention periods are long and overlapping. Limitation periods are set by national law, not by the GDPR: motor records are commonly kept for at least seven years after the policy ends, and liability records for ten or more. Long retention windows mean more data in scope for DSARs and a greater surface area for a breach.

Article 9: Processing Health and Financial Data

Article 9(1) of the GDPR prohibits processing of "special categories" of personal data, including data concerning health, genetic data, biometric data used for unique identification, and data revealing racial or ethnic origin, religious beliefs, trade union membership, or sexual orientation, unless one of the exceptions in Article 9(2) applies. The exception does not replace the ordinary lawful basis: every Article 9 processing activity also needs an Article 6(1) basis.

For insurance brokers, the two most relevant bases are:

  1. Article 9(2)(a) — Explicit Consent. The data subject must give explicit, specific consent (a higher threshold than standard GDPR consent). Pre-ticked boxes and bundled consent are insufficient. Your proposal form must clearly separate the health data consent element, name the specific purposes, and allow granular withdrawal. Consent can be withdrawn at any time, so a policy whose underwriting rests on consent alone needs a plan for what happens when it is withdrawn, and Article 9(2)(a) is unavailable where Union or Member State law provides that the prohibition cannot be lifted by the data subject.
  2. Article 9(2)(f) — Necessary for Legal Claims. Processing is permitted where necessary to establish, exercise, or defend legal claims. This is the most defensible basis for claims handling and litigation-related processing, but it does not stretch to routine underwriting of a new proposal, where no claim yet exists.

Critically, Article 9(4) allows member states to maintain or introduce further conditions, including limitations, on the processing of genetic, biometric, or health data. Germany's BDSG §22, for instance, lists the safeguards (such as access restrictions, pseudonymisation, and encryption) that must accompany such processing. Check the law of each member state where you operate, not just the Regulation itself.

Responding to Data Subject Access Requests (DSARs)

Under Article 15 GDPR, any policyholder, prospect, or former client can request a copy of the personal data you hold about them, together with the supplementary information listed in Article 15(1) (purposes, recipients, retention period, source, and any automated decision-making). You must respond without undue delay and in any event within one month of receipt (Article 12(3)); the period may be extended by two further months where requests are complex or numerous, but you must tell the individual within the first month that you are extending, and why. Note that the period is a calendar month, not 30 days: a request received on 31 January falls due at the end of February, and, following the EU rules on time periods that the EDPB applies to this deadline, a deadline landing on a weekend or public holiday expires at the end of the next working day.

Common mistakes insurance brokers make with DSARs:

  • Searching only the CRM and not the email archives. If an account handler forwarded a client's GP letter to a colleague's mailbox, that copy is personal data you hold and is in scope.
  • Redacting third-party data incorrectly — redaction must be limited to what is strictly necessary; over-redaction risks an incomplete response.
  • Ignoring verbal DSARs. A DSAR made by telephone or in a meeting is as valid as one made in writing.
  • Missing the response deadline because the request landed in a general inbox and was not triaged within 24 hours.
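The deadline arithmetic behind a DSAR triage queue is where most "30-day countdown" tools go wrong. The following is an added example (not PrizMova code and not from any DPA) that computes the Article 12(3) dates from the receipt date using the EU rules for periods expressed in months (Regulation 1182/71, which the EDPB references in its right-of-access guidance): the period ends on the same calendar day of the final month, or the last day of that month if that day does not exist, and a weekend deadline rolls to the next working day. Public holidays vary by member state and are deliberately not modelled; treat the holiday calendar as an assumption you must add before relying on the rolled date. The sample request dates are constructed.

```python
"""Article 12(3) deadline arithmetic for a DSAR triage queue (added example, not PrizMova code).

Assumptions: month periods follow Regulation 1182/71 (same day next month, clamped to
month end; Saturday/Sunday deadlines expire at the end of the next working day).
National public holidays are NOT modelled.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to that month's last day.
    A request received on 31 January therefore falls due on 28 (or 29) February."""
    year_offset, month_index = divmod(start.month - 1 + months, 12)
    year, month = start.year + year_offset, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def roll_to_working_day(d: date) -> date:
    """Saturday/Sunday deadlines expire at the end of the next working day (holidays ignored)."""
    while d.weekday() >= 5:  # Monday=0 ... Saturday=5, Sunday=6
        d += timedelta(days=1)
    return d


@dataclass(frozen=True)
class DsarDeadlines:
    received: date
    respond_by: date            # one month from receipt (Art. 12(3), first sentence)
    extension_notice_by: date   # the data subject must be told of any extension within that first month
    extended_respond_by: date   # at most two further months, i.e. three months from receipt


def dsar_deadlines(received: date) -> DsarDeadlines:
    one_month = roll_to_working_day(add_months(received, 1))
    three_months = roll_to_working_day(add_months(received, 3))
    return DsarDeadlines(received, one_month, one_month, three_months)


def dsar_deadlines_iso(received_iso: str) -> dict[str, str]:
    """String-in/string-out wrapper for ticketing systems that store ISO-8601 dates."""
    d = dsar_deadlines(date.fromisoformat(received_iso))
    return {
        "received": d.received.isoformat(),
        "respond_by": d.respond_by.isoformat(),
        "extension_notice_by": d.extension_notice_by.isoformat(),
        "extended_respond_by": d.extended_respond_by.isoformat(),
    }


def days_remaining(received_iso: str, today_iso: str, extended: bool = False) -> int:
    """Days left until the applicable deadline; negative means the request is overdue."""
    d = dsar_deadlines(date.fromisoformat(received_iso))
    due = d.extended_respond_by if extended else d.respond_by
    return (due - date.fromisoformat(today_iso)).days


def can_still_extend(received_iso: str, today_iso: str) -> bool:
    """An extension can only be invoked while the first month has not yet expired."""
    d = dsar_deadlines(date.fromisoformat(received_iso))
    return date.fromisoformat(today_iso) <= d.extension_notice_by


if __name__ == "__main__":
    # Constructed sample: a request logged on Saturday 31 January 2026.
    # The one-month deadline clamps to 28 February, which is a Saturday, so it rolls to Monday 2 March.
    for key, value in dsar_deadlines_iso("2026-01-31").items():
        print(f"{key:>20}: {value}")
    print("days remaining on 2026-02-20:", days_remaining("2026-01-31", "2026-02-20"))
```

The worked case shows both rules at once: 31 January has no counterpart in February, so the period ends on the 28th, and because that is a Saturday in 2026 the deadline becomes Monday 2 March; the extended deadline is 30 April, a Thursday, so it does not move. Wire `can_still_extend` into the triage screen so staff cannot "extend" a request whose first month has already lapsed.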

Platforms like PrizMova Europa include a built-in DSAR workflow that timestamps the request on receipt, assigns it to a responsible staff member, tracks the Article 12(3) deadline and any extension, and exports a data subject report from all connected data stores, so that the deadline is visible to the owner rather than buried in a shared inbox.

72-Hour Breach Notification Under Article 33

If you suffer a personal data breach, Article 33 requires you to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Awareness does not mean full confirmation: under EDPB guidance a controller is aware once it has a reasonable degree of certainty that a security incident has compromised personal data, so a short initial investigation to establish that is acceptable, but a lengthy one is not. If you miss the 72 hours you must give reasons for the delay (Article 33(1)), you may notify in phases as information becomes available (Article 33(4)), and every breach, notified or not, must be documented internally (Article 33(5)).

Your breach notification must include:

  • The nature of the breach, including the categories and approximate number of data subjects and of personal data records concerned
  • Name and contact details of your Data Protection Officer (or other contact point)
  • Likely consequences of the breach
  • Measures taken or proposed to address it

Where a breach is likely to result in a high risk to individuals (for example, loss of unencrypted medical records), Article 34 also requires you to communicate it to the affected individuals "without undue delay". The Regulation sets no fixed number of hours for this. The communication is not required where the data was rendered unintelligible to unauthorised persons (for example, strong encryption with keys that were not compromised), where you have since taken measures that make the high risk unlikely to materialise, or where individual notification would involve disproportionate effort, in which case a public communication is required instead (Article 34(3)). That encryption exception is the strongest practical argument for encrypting medical records at rest and in transit and keeping the keys separate from the data.

Data Retention Schedules for Insurance Records

Article 5(1)(e) GDPR requires that personal data be kept in a form that permits identification for no longer than necessary. For insurance brokers, "necessary" is shaped by both GDPR and limitation periods under national contract, tort, and insurance law, which differ between member states. The following are indicative starting points, not a substitute for checking each jurisdiction in which you distribute:

  • Motor insurance: Typically at least 7 years after policy expiry, tracking national limitation periods for property damage claims; longer in some jurisdictions.
  • Employers' liability / public liability: Typically at least 10 years; bodily injury claims can have much longer long-stop periods (Germany's §199(2) BGB allows up to 30 years for injury to life, body, or health; France's Code civil runs 10 years from consolidation of the injury, with longer periods in specific cases).
  • Life and health insurance: Duration of the policy plus 10 years is a common rule of thumb; where health data is involved, check national health records legislation for additional obligations.
  • Declined proposals: 3 years from the decision date is a common period, sufficient for discrimination and negligence claims in many jurisdictions.
  • Marketing consent records: For as long as you are relying on the consent, plus a further period (commonly 3 years) as evidence that consent was valid when the processing occurred.

These schedules must be documented in your Record of Processing Activities (ROPA) under Article 30, together with the legal basis for continued retention past the primary processing purpose.

DPO Appointment: When It Is Mandatory

Article 37(1) requires designation of a Data Protection Officer in three scenarios. For insurance brokers, the relevant one is Article 37(1)(c): where core activities consist of large-scale processing of special categories of data under Article 9 (or criminal offence data under Article 10). The Article 29 Working Party DPO guidelines (WP243, endorsed by the EDPB) give "processing of customer data in the regular course of business by an insurance company" as an example of large-scale processing, without fixing a numeric threshold; a broker whose book runs to tens of thousands of policyholders with health data should assume it is in scope.

Even where a DPO is not strictly mandatory, many national DPAs encourage smaller brokers to appoint one; if you appoint one voluntarily, the requirements of Articles 37 to 39 apply in full. You must publish the DPO's contact details and communicate them to your supervisory authority (Article 37(7)), and the DPO cannot be dismissed or penalised for performing their tasks (Article 38(3)).

IDD and GDPR Intersection

The Insurance Distribution Directive (IDD) requires brokers to document a demands and needs assessment (Article 20 IDD), which necessarily involves collecting personal financial and, for protection products, health information. That collection needs its own GDPR lawful basis: Article 6(1)(b) (steps taken at the data subject's request prior to entering a contract, then performance of the contract) or Article 6(1)(c) (the legal obligation created by the national IDD transposition) for ordinary data, together with an Article 9(2) exception, typically (a) or (f), for health data. For a full breakdown of IDD requirements, see our guide on the IDD Insurance Distribution Directive.

10-Item GDPR Compliance Checklist for Insurance Brokers

  1. Maintain a complete and current ROPA (Article 30) covering all processing activities, data categories, lawful bases, and retention periods.
  2. Identify and document the Article 9(2) basis for every health data processing activity — do not rely on consent alone.
  3. Implement a DSAR triage process with a named owner, deadline tracking that counts one calendar month from receipt (not 30 days) and records whether an extension notice was sent, and a tested data export procedure covering every data store, email archives included.
  4. Draft and test a breach response plan: who declares a breach, who notifies the DPA, who contacts affected individuals, and where the 72-hour log is maintained.
  5. Appoint a DPO if your scale of special category processing meets the Article 37(1)(c) threshold, publish the DPO's contact details, and communicate them to your supervisory authority (Article 37(7)).
  6. Audit data retention schedules against national limitation periods for each product class you distribute — motor, liability, life, health.
  7. Review consent forms: ensure they are explicit, granular, unbundled, and record the date and version of each consent collected.
  8. Conduct Data Protection Impact Assessments (DPIAs) before deploying any new automated underwriting, claims scoring, or profiling systems.
  9. Assess every data processor (cloud providers, CRM vendors, claims handlers) for an Article 28 Data Processing Agreement and, for any processing outside the EEA, a valid Chapter V transfer mechanism (an adequacy decision, or standard contractual clauses backed by a transfer impact assessment). EU data residency simplifies this analysis but is not itself a GDPR requirement.
  10. Train all client-facing and administration staff annually; record attendance and test comprehension — regulators increasingly request evidence of training in audits.

Looking Ahead: 2026 Enforcement Trends

DPAs in the Netherlands (AP), France (CNIL), and Germany (various LfDIs) have signalled that 2026 enforcement priorities include insurance sector audits, particularly around automated decision-making in underwriting (Article 22) and the adequacy of consent for health data. Brokers using AI-assisted risk scoring should also review their obligations under the EU AI Act, which classifies AI systems used for risk assessment and pricing of natural persons in life and health insurance as high-risk (Annex III).

GDPR compliance is not a one-time project — it is an ongoing operational discipline. Building it into your agency management workflow, rather than treating it as a separate compliance silo, is the most cost-effective approach for brokers of any size.

Ready to simplify EU compliance?

PrizMova Europa automates GDPR, IDD, DORA, and Solvency II workflows. EU data residency guaranteed — your data never leaves Europe.

Book a free demo
