CoC data protection

From Wikipedia, the free encyclopedia

The CoC data protection (Code of Conduct data protection) is a code of conduct of the General Association of the German Insurance Industry (GDV) for the uniform and transparent handling of the personal data of insured persons, prospective customers and other data subjects.

Legal basis

Section 38a of the Federal Data Protection Act (BDSG) allows professional and other associations to draw up rules of conduct that promote data protection. The Data Protection Code of Conduct is based on this provision.

The text of the paragraph reads:

"Federal Data Protection Act (BDSG)

Section 38a Rules of conduct to promote the implementation of data protection regulations

(1) Professional associations and other associations that represent certain groups of responsible bodies can submit drafts of rules of conduct to promote the implementation of data protection regulations to the competent supervisory authority.

(2) The supervisory authority checks the compatibility of the drafts submitted to it with the applicable data protection law."

This makes it possible to define uniform requirements for the industry and promotes transparency and binding commitment.

Validity

The Data Protection Code of Conduct has been "submitted to the Berlin Commissioner for Data Protection and Freedom of Information as the supervisory authority responsible for the GDV in accordance with Section 38a of the Federal Data Protection Act and has been declared by him to be compatible with applicable data protection law" (excerpt from the GDV's Code of Conduct data protection, version of September 7, 2012). The determination by the Berlin Commissioner for Data Protection and Freedom of Information, as the competent supervisory authority, that the code is compatible with data protection law is valid nationwide.

Joined companies

The current list of companies that have joined the Data Protection Code of Conduct is available on the GDV website. On June 30, 2015, the GDV announced that almost 90% of its member companies had joined the code of conduct.

Commitment

The Data Protection Code of Conduct is a self-commitment: companies that join undertake to adhere to the rules of conduct it describes. Insurance companies are free to decide whether to subscribe to the code of conduct.

Control

Under the Data Protection Code of Conduct, compliance with the code is confirmed by a self-declaration of the company concerned. Compliance does not have to be confirmed by an independent audit. However, the companies that have joined are free to carry out internal as well as external audits.

Weak points

In the market, the self-commitment combined with the compliance check as currently implemented has been identified as a weak point for the credibility of the CoC data protection. Canacoon GmbH regards this as the Achilles heel of the code of conduct and describes it as follows:

"Joining the CoC data protection is voluntary. Confirmation of compliance by the insurance company that has joined takes place, according to the assumptions of some insurance companies, by means of a corresponding self-confirmation by the insurance company to the GDV. A qualified check of compliance with data protection is not necessarily given by joining alone. So it currently depends on the sustainability of the actors involved."

The CoC data protection process

For the CoC data protection to be effective, it is important to understand it not as a one-off action but as a continuous process.

It is advisable to implement the CoC data protection process as a CoC lifecycle; this can ensure lasting effectiveness and continuous further development.

Process cycle for CoC data protection: the CoC lifecycle

The CoC lifecycle is divided into phases:

  • the analysis phase
  • the planning phase
  • the implementation phase
  • the efficiency and sustainability review phase
  • the correction phase

Implementation

Implementing compliance with the code of conduct is a challenge for companies, and various approaches are available. In some cases, the effects of joining the code of conduct are greatly underestimated: the demands placed on processes and IT systems are greater than many companies in the insurance industry initially assumed. The processes and procedures that already exist in the company must be included in the implementation, which can certainly mean additional work.

To establish a broader basis of trust, the self-commitment can be underpinned by independent external audits.

References

  1. § 38a BDSG (old version).
  2. gdv.de: "Rules of conduct for handling personal data" (PDF) on the GDV website. Retrieved February 15, 2017.
  3. gdv.de: Website of the GDV. Retrieved February 15, 2017.
  4. canacoon.com: Website of canacoon GmbH. Retrieved July 7, 2015.
  5. canacoon.com: Code of Conduct data protection, website of canacoon GmbH. Retrieved July 7, 2015.