Data reuse and privacy liability: the qualification of the agency in insurance networks
The Italian Data Protection Authority (Decision No. 89/2026, web doc. No. 10227039) recently addressed the qualification of privacy roles and the related liabilities within the relationship between insurance companies and appointed insurance agencies. In particular, the Authority imposed an administrative fine of EUR 15,000 on an insurance agency for multiple breaches of personal data protection law, ultimately attributable to an incorrect qualification of its role in the processing activities.
The facts underlying the decision
The case originated from several complaints alleging the receipt of promotional e-mails without consent, as well as the failure to respond to a request for access to personal data. The communications in question promoted services attributable to an insurance company on whose behalf the agency operated as an appointed agent.
During the investigation, the Data Protection Authority requested clarification regarding the measures adopted by the agency to ensure compliance with data protection legislation in connection with its marketing activities. The agency stated that it acted as a data processor on behalf of the appointing insurance company and therefore considered that the obligations relating, inter alia, to the handling of data subject requests, the preparation of the privacy notice, and the possible collection of consent rested with the latter, in its capacity as data controller.
The qualification of privacy roles: the relevance of the actual processing activities
This interpretation was not shared by the Authority, which instead focused on the actual manner in which the data had been used.
As a general rule, the insurance company must be regarded as the data controller of customer data collected through agencies, which typically act as data processors on the basis of specific agreements entered into pursuant to Article 28 of the GDPR. Within this framework, the agency does not exercise autonomous decision-making powers regarding the purposes and means of the processing, but merely processes the data on behalf of the insurance company.
However, although the data had originally been collected within the context of that relationship, the Data Protection Authority emphasized that the data were subsequently used by the agency for additional purposes, namely promotional activities attributable to its own independent initiative. In this context, the Authority found that the agency had acted autonomously in determining the purposes and means of the processing and should therefore be qualified, with regard to such activities, as an independent data controller 1.
The Authority therefore reaffirmed a fundamental principle of the GDPR: the qualification of the parties’ privacy roles does not automatically derive from contractual provisions, but must instead be assessed in light of the actual manner in which the data are processed.
The handling of data subjects’ rights requests
The different qualification of the agency’s role is also relevant with regard to the handling of data subjects’ rights requests. Indeed, the agency failed to respond to the access request, considering that the matter was already being handled by the insurance company.
The Data Protection Authority criticized this conduct, observing that the status of data controller entails the obligation to provide a direct and timely response to data subjects. At the same time, the Authority recalled that, even if the agency had correctly acted as a data processor, it would nevertheless have been required to assist the controller in handling such requests pursuant to Article 28 GDPR.
The legal basis for sending promotional communications
The agency had initially considered relying on the so-called “soft spam” exemption under Article 130(4) of the Italian Privacy Code and, subsequently, on legitimate interest as the legal basis for sending promotional communications.
The Data Protection Authority rejected both arguments. On the one hand, the Authority reiterated that the soft spam exemption applies exclusively to the data controller that originally collected the data in the context of the sale of a product or service. On the other hand, reliance on legitimate interest is not permissible where the specific regime set out in Article 130 of the Italian Privacy Code governs the sending of electronic marketing communications.
The promotional communications had therefore been sent without a specific and independent consent for the commercial purposes pursued solely by the agency. As a result, the processing was deemed to lack a valid legal basis: the only consent on file, if any, had been given to the insurance company for its own purposes and could not be extended to the agency's autonomous marketing.
Transparency obligations
From this perspective, the principle of transparency is also relevant. The only privacy notice provided to the data subject was the one issued by the insurance company at the time the data were collected, while no additional notice had been prepared by the agency in relation to subsequent (so-called secondary) processing activities carried out in its capacity as an independent data controller.
Processing for further purposes must therefore be considered to have taken place in the absence of adequate information being provided to the data subjects, as the original notice could not be deemed sufficient to cover additional and autonomous uses of the data.
Practical implications
The decision under review extends beyond the specific case and draws attention to a recurring critical issue in complex organisational models. The qualification of privacy roles cannot be regarded as a static element defined solely on the basis of formal designation (e.g. in a contract), but must be continuously assessed in light of the actual activities performed.
In particular, the reuse of data by another party for purposes that go beyond the original ones entails a reassessment of the privacy role, together with all the associated liabilities.
From this perspective, before carrying out any personal data processing activity, a substantive assessment of the operations involved is required in order to correctly identify the processing activities being undertaken. Such analysis constitutes, in fact, the prerequisite for the proper qualification of privacy roles and for the consequent allocation of responsibilities.
1 In its defence submissions, the agency clarified that its self-classification as a mere data processor was a good-faith error. This mistake stemmed from reliance on its status as a “distributor” under Article 82 of IVASS Regulation No. 40/2018.
This provision requires distributors, when promoting insurance contracts through distance communication techniques (e.g. sending advertising materials, distance selling, market research, or commercial communications), to obtain the prior consent of the policyholder. However, in the absence of an objection and subject to prior information about the right to object, consent is not required if the policyholder has already provided their contact details in the context of marketing an insurance contract relating to the same or other classes of business, provided that the product is distributed by the same undertaking. On the basis of this provision, the agency (albeit incorrectly) considered that, as a distributor, it could be qualified as a data processor for the purposes of marketing activities, acting exclusively in the interest of the data controller.
The Data Protection Authority confirmed that Article 82 of IVASS Regulation No. 40/2018 is not in conflict with Article 130 of the Italian Privacy Code. Consistently with Article 130 - a provision of primary law - the IVASS rule also establishes, as a general principle, the requirement of prior consent for marketing activities.
Only exceptionally may the distributor carry out promotional communications without consent, subject to the right to object, where the data subject has already provided their contact details in the context of the marketing of an insurance contract distributed by the same undertaking.
It follows that the status of “distributor” may coincide with that of “data processor” only where the entity has been expressly authorised by the controller. In the absence of such a prerequisite, the distributor must be classified, depending on the specific circumstances, as either a data controller or joint controller, since a processor cannot independently determine the purposes and means of processing without effectively becoming a controller.