No transfer of personal data to brokers without customer power of attorney?

The new GdV “Code of Conduct (CoC) Data Protection” – data protection code for short – regulates in Art. 20, among other things: “Personal data of insured persons or applicants may be transferred to an insurance broker if they have granted the broker a broker’s power of attorney.” Some insurance brokers are vehemently opposed to this requirement. Most recently, an industry publication called for organized resistance, for example when insurers stop cooperating with protesting brokers. Rightly so?


Penal basic rule of professional secrecy

According to § 203 of the German Criminal Code (StGB), insurers (VR) and their agents are obliged to maintain confidentiality towards everyone. This also includes the professional secrecy of insurance undertakings towards insurance brokers as a basic rule. One looks for the pastoral care and confessional secret there in vain.

Even if two lawyers, doctors or accountants have the same client, they may not even disclose who is a “patient” with them. Illegal, therefore, are mobile phone calls on public transport in which names are mentioned, or patient files lying on the registration counter in the doctor’s office. Basically, not even a credit inquiry with a credit bureau would be allowed.

For the managers of the insurance companies, this is a question of their suitability and reliability, because criminal proceedings can lead to the end of one’s career (EDEKA) via supervision, which not infrequently also entails the loss of one’s pension benefits in old age. Most recently, a dismissed sales manager virtually begged the public prosecutor to finally open criminal proceedings after years, because he had no chance of any new employment without a final verdict because of a joint visit to a swimming pool in an Eastern European capital.

The broker power of attorney required by the GdV is probably a minimum requirement for the insurer (VR) to be allowed to provide the insurance broker with any information at all. This already includes the information that the contract has been concluded, even if this could only be inferred from the payment of the brokerage fee – even the payment of which could otherwise already be punishable. Most of the professionals covered by § 203 StGB require, in case of doubt, an additional release from the duty of confidentiality – and this even if it concerns only information to the spouse of the customer or client.


Insurance brokerage profession and duties require customer power of attorney

If an association of insurance brokers therefore believes that the broker is legally – even without a power of attorney – the unrestricted guardian of the interests of the policyholder (contracting party), the legal error of this opinion is plain on its face. Without a power of attorney, the broker is merely the messenger of the insurance application to the insurer – for which he may then expect a tip, regardless of the outcome. Of course, he could also agree a success fee with the client.

After all, one of the basic duties of an insurance broker is to obtain suitable offers from insurers, possibly renegotiate them, and finally arrange for coverage with the insurer. Without a power of attorney, the insurer will not be allowed to ask him about any problems that may arise with the application, nor will he be allowed to receive any information about the further fate of the application.

Without a power of attorney, no broker will be able to conclude insurance contracts on behalf of his clients with legal effect. The legal (alleged) representative (of another) without existing power of representation (power of attorney) is always liable himself.

However, the way brokers work has now changed considerably, especially when it comes to brokering contracts to consumers. The broker’s activity without power of attorney works until the application is submitted, in that the client signs it himself and the broker only submits it to the insurer like a messenger. This happens very often, especially with first-time brokers, because applicants often only have the confidence to issue a power of attorney after working with a broker for some time. Some brokers, however, believe that they only need a power of attorney in order to be able to terminate a contract in a legally effective manner in good time.

Thus, numerous brokers apparently refrain from having a power of attorney issued by the customer, so that VR who do not have the power of attorney issued to them may make themselves liable to prosecution under § 203 StGB (German Penal Code) if data is disclosed (unless the contracting party has given its consent, in particular in an additional data protection statement).

It would then be excluded on the part of VR to give the broker a cancellation risk notice because the customer has not paid, for example. This in turn means that the brokerage fee cannot be reclaimed within the liability period. Without the power of attorney of the insured person, one can hardly or not at all cooperate with brokers as a VR without constantly running the risk of data protection violations up to criminal liability.


Article 20 of the voluntary commitment: pre-programmed escalation between VR and brokers?

The accession of numerous VR to the data protection code does not remain without consequences. The preamble states: “The rules of conduct are intended to provide the policyholders of the member companies with the assurance that data protection and data security concerns are taken into account in the design and processing of products and services. …” – and Art. 20 para. 4 clearly states:

“Personal data of insureds or applicants may be transferred to an insurance broker if they have given the broker a broker’s power of attorney.”

These VRs have thus committed themselves vis-à-vis the policyholders not to inform the broker of anything at all without a power of attorney. Even if a data protection declaration signed by the customer – which regularly refers precisely to § 203 of the German Penal Code (StGB) – does not contain this restriction to authorised brokers, the data protection code makes this clear and binding as a contractual obligation of the VR towards the contracting party.

This is also by no means limited to “particularly sensitive” customer data. This is also the reason for VR’s interest in cooperating only with those brokers who “voluntarily” always work with a broker’s power of attorney. However, to simply assume such powers of attorney as a fiction on the part of the VR is not acceptable, especially when it becomes clear that many brokers act as intermediaries for a significant proportion of their customers without any powers of attorney at all.

Previously – without the now stronger restriction imposed by the data protection code – VR allowed the disclosure of data to brokers, which is punishable without permission, to be covered by the data protection declaration “as far as necessary”. However, this too was problematic: one would already have to question what disclosure of data to brokers is necessary at all if the VR could alternatively correspond with the policyholder himself, because even then, data disclosure that was not necessary was already punishable.


Enforcement of the right to informational self-determination

Finally, customers could satisfy themselves as to whether insurers have complied with the requirements of the Federal Data Protection Act (BDSG) or even violated Section 203 of the German Criminal Code (StGB) by demanding that their insurer provide all the information required by the BDSG and also provide information as to the legal basis on which the data is passed on.

If, for example, there is no power of attorney from the broker with the VR, criminal conduct on the part of the VR can be established in this way. Such information in accordance with the BDSG then contains, for example, the disclosure of data to lawyers or experts of the insured person, including copies of the powers of attorney of the insured person to these – the same would be required of the insurance broker. However, violations of § 203 StGB are only prosecuted upon request. The industry can least use such further scandals or negative press – which is precisely why it has voluntarily imposed the data protection code on itself.
The inventors of the data protection code led themselves and VR into a trap in that VR accordingly committed themselves to the data protection code vis-à-vis the VN, i.e. also to a certain conduct vis-à-vis brokers. Perhaps it was tacitly taken for granted that brokers always worked with powers of attorney. The brokers are now saying that the relationship between the broker and the policyholder is none of the VR’s business – and that a voluntary commitment by the VR need not interest them.

This could have increased the risk of VR board members being dismissed, for example by means of complaints to the State Data Protection Commissioner and BaFin as well as criminal charges. The sales department should write the data protection code strategists in their books that they have done a disservice to the industry, for example by failing to inform or train insurance brokers about the importance of powers of attorney in legal transactions.

The attempt, as VR, to have the brokers sign once in each case that they always have a power of attorney from the contracting party can be considered a failure. Brokers cannot sign this without suffering great economic damage if they do not succeed in obtaining a power of attorney from many policyholders at the same time as the application.

VR can hardly refer to such a declaration of the broker in order to falsify the existence of a power of attorney if they do not check it at least randomly with each broker. Otherwise, they run the risk not only of violating the data protection code, but also the criminal code at the same time.

It remains, as VR, to have the power of attorney of the broker presented in each individual case. However, this does not seem to be a feasible approach if brokers regularly do not have any powers of attorney at all for a large number of applications – the broker distribution channel would be considerably impeded. A BoD proceeding in this manner would have to quickly realize that brokers often have no power of attorney at all. He would then also no longer be able to say that he had always assumed that powers of attorney were available. This contrary finding, however, would make it all the harder to feign the existence of the power of attorney required by the data protection code by means of an obligation of the broker to obtain the power of attorney of the contracting party.


Insurance brokers without a broker’s power of attorney forfeit their commission?

If an insurance broker seriously breaches his duty of loyalty towards his client, he loses his claim to brokerage by forfeiture, § 654 BGB, even without any damage having occurred. Not all brokers have yet understood that they do not have to pay back the forfeited brokerage to the VR, because the VR only pays (by virtue of commercial custom) what the client as principal owes the broker. It would be a considerable breach of fiduciary duty if the broker – due to the lack of his own power of attorney or the lack of an effective release from the duty of confidentiality at the VR – instigates or aids and abets the VR’s criminal breach of professional secrecy.

This is all the more so if the broker had undertaken vis-à-vis the BoD to only submit applications from clients who had given him a power of attorney, but in some cases later did not receive any powers of attorney at all. Whether the VR can successfully plead in the event of a later criminal complaint by the contracting party that he assumed the presentation of a power of attorney because of the broker’s self-commitment can be doubted.

By the way, the forfeiture of the brokerage fee also applies if the broker cannot fulfil his duties as a trustee due to a lack of power of attorney, and works more like an agent, as a so-called main broker with a VR for each type of insurance or line of business, quasi as a bogus broker.


Are insurance boards already sitting on the knife’s edge?

Actually, the insurers – and not only those that have committed themselves to the CoC data protection code – should explain to the insurance brokers what the situation now is. Some do not dare to do so, out of sales interest – others also want to save the effort, for example for education and implementation. Thus one does not require the presentation of the broker’s powers of attorney, although one has committed oneself accordingly towards the customers. In addition, insurers risk that ambiguities caused by differences in the wording or meaning of data protection codes and data protection declarations are to the detriment of the user – thus in such cases the ongoing violation of the German Criminal Code and the Federal Data Protection Act (BDSG) seems virtually pre-programmed, and not only after a revocation by the insured party.

Instead, they are trying to build up a fiction that brokers always have powers of attorney, and – having greatly increased in importance as a result of the CoC – want to have this confirmed as an obligation of brokers, just to be on the safe side. This, however, will only lead to trouble and will probably be branded as conditional intent by the public prosecutor later on.

And then you agree with the broker, get out of the affair with generalities in which you say something different than the brokers are supposed to understand, but cancel the brokerage commitment, and for completely different reasons, namely because of a poor claims ratio. Thus, one shirks both fulfilling one’s (possibly only self-imposed or voluntarily entered into) obligations towards the customer in a really proper manner and speaking plain language with the brokers.

Since the CoC, board members can no longer rely solely on the data protection declaration, although it is known that many brokers have not even obtained a power of attorney from the customer. The CoC is now no longer a voluntary commitment on the part of the VR, but a contractual obligation to the VN, non-compliance with which would even be punishable.

Industry association leaders have probably not considered that many brokers have not even received a power of attorney from the insured. They often act as a broker who arranges a contract (e.g. the first one) for the policyholder. They have it signed by the policyholder, with all the documents, and then submit it to the VR – a power of attorney is not required for this (as a messenger).

A broker’s power of attorney may only be given to the broker after years of a more trusting relationship with the insured. Did GDV not know this, or is it just unconsciously encouraging the next wave of regulation through BaFin circulars and the upcoming amendment to the Insurance Supervision Act (VAG)?


Ineffective powers of attorney are not covered by the CoC

If the CoC data protection code is part of the contractual content of the VR with the policyholder, the insurance broker without a power of attorney is out of the picture for the time being – even a cancellation risk notification would often be impossible.

In terms of content, insurance brokers often use free samples from the Internet or from reference books without publisher’s liability. The most frequent case of an ineffective power of attorney with an insurance broker is a power of attorney that is too comprehensive in terms of content – a violation of the Legal Services Act that leads to the double nullity of the power of attorney and the brokerage contract, § 134 BGB. On the other hand – and this is also case law of the Federal Court of Justice (BGH), judgement of 29.05.2013 (Ref. IV ZR 165/12) – it is not reasonable to expect the VR to correspond with a broker with limited power of attorney, because he has to continuously check what he is allowed to communicate and what he is not allowed to communicate, in order not to enter the area of the punishable. Therefore, he was obliged to correspond only in the case of a comprehensive power of attorney. The broker must therefore have a comprehensive power of attorney, but not one that is too comprehensive in terms of content, in order for an insurer to be obliged to correspond with him.

It has already happened to numerous insurance brokers that the insurer has rejected the cancellation by the insurance broker, § 174 BGB. Sufficient for this is a power of attorney of the customer not presented in the original, as well as a legally invalid power of attorney. In future, too, insurers will always have to check whether their brokers are sufficiently authorised – “voluntary” self-obligations on the part of insurance brokers in this respect are obviously insufficient.

by Dr. Johannes Fiala and Dipl.-Math. Peter A. Schramm


by courtesy of (Dentistry Publishing)

About the author

Dr. Johannes Fiala

Dr. Johannes Fiala has been working for more than 25 years as a lawyer and attorney with his own law firm in Munich. He is intensively involved in real estate, financial law, tax and insurance law. The numerous stages of his professional career enable him to provide his clients with comprehensive advice and to act as a lawyer in the event of disputes.