Is a broker a data controller? How to act in accordance with GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and its accompanying acts have caused a lot of confusion in Polish law. One might think that the well-known acronym GDPR complicates matters only when it comes to using someone's image or sharing information about a given person with third parties. However, it turns out that GDPR has brought many changes and related ambiguities in most business sectors, including the insurance industry. Indeed, not all legal issues have been clarified, and one such issue is the capacity in which insurance brokers act: are they data controllers or data processors? It is therefore crucial to take a close look at how data protection issues affect insurance agents and brokers.

Personal data protection in insurance

In addition to the GDPR, the Act of 1 October 2018 implementing the Insurance Distribution Directive is also relevant here. Indeed, the insurance sector is one of those sectors where personal data is processed on a large scale for obvious reasons – both a broker and an agent have access to their clients’ sensitive data and use it for various purposes, for example a broker uses it to create a broker’s slip. It is therefore necessary to consider whether, in view of the above, brokers and agents are controllers or processors of personal data.


In the case of insurance agents, the matter is not so complex: the agent will be a processor, as follows from Article 4(8) of the GDPR. This thesis is also confirmed by the Inspector General for the Protection of Personal Data. In this situation, the controller of the personal data is the insurance company for which the agent works, and the agent receives access to the data on the basis of the entrustment agreement.


The matter gets somewhat complicated in the case of a broker. There are no clear legal regulations that classify a broker only as a controller or only as a processor, although it is more common to call a broker a controller. However, there are situations in which they act as a processor. The legal regulations on this issue do not specify in what capacity a broker acts.

Insurance brokers and GDPR

According to the opinion of the Chief Inspector of Personal Data Protection, the processing of the client's personal data by their broker may be performed on the basis of Article 6(1)(b) of the GDPR. In practice, however, the broker has no purpose of their own for processing the data; they do it only in situations clearly indicated by the client. There may be cases in which the broker will share the client's personal data (pursuant to the aforementioned act). It is worth mentioning, however, that the broker, when providing the Insurance Company with the client's data in order to receive an offer proposal, acts on the basis of an entrustment agreement concluded with the client. Therefore, it can be said that the broker acts both as a personal data controller and as a processor, depending on the type of activity performed.

Broker versus Client – a natural person

A broker should always act with their client's best interests in mind. This stems not only from professional ethics in the broadest sense, but also from the Insurance Distribution Act. The same Act obliges the broker to perform various duties of a specific nature. Given that the status of a controller is related to the imposition of legal obligations on a given entity, a broker acting for and on behalf of their client will be a controller of personal data.

Broker versus Client – a legal person

In this case, the issue is a bit more complex, as the processing of personal data is entrusted to the broker within the scope of employee data. Here the client, who is a legal person, is the data controller, while the broker becomes the processor of the data in the course of providing their services. The data controller should clearly define the scope of data processed on their behalf by concluding an entrustment agreement.


We can therefore see that the issues related to GDPR in the insurance sector are often quite unclear and complex. This does not change the fact that they are very significant, given that brokers have access to their clients’ personal data and, depending on the terms of the contract, act as data controllers as well as processors. However, in a world of rapidly evolving technology, CRM software for brokers and brokerage firms comes to the rescue, not only facilitating work by helping to systematise information or create reports and analyses, but also protecting sensitive user data and enabling work in compliance with GDPR. Increasingly, people performing brokerage activities choose to use such software in order to streamline their duties and improve the quality of their cooperation with clients.
