July 04, 2025

Data Protection Authority analyzes medical data processing by insurance companies

Internal publications

Personal Data Protection

The Data Protection Authority (known by its Spanish acronym, SPDP) has issued a statement on the processing of personal data that is relevant to the operation of insurance companies and healthcare establishments. It is important to clarify that this statement is not binding and does not produce general legal effects; rather, it constitutes a specialist technical opinion on personal data protection.


The statement responds to a query submitted by an official letter dated March 25, 2025, which raised the following question:

  • “Should insurance companies be considered personal data processors within the meaning of Article 34 of Ecuador’s Personal Data Protection Law when they access patient information collected and transmitted by a healthcare facility, if this transmission is made on behalf of and at the request of the patients who have taken out insurance, i.e., without there being a contractual relationship between the facility and the insurer?”


After a thorough analysis, the Data Protection Authority clarified that insurance companies, as well as healthcare facilities, are controllers of the personal data they receive from data subjects.


The statement sets out three key scenarios in the processing of personal data:

  1. First scenario: The healthcare facility processes the data subject's personal data for purposes related to the provision of medical services, acting as data controller.
  2. Second scenario: The healthcare facility transfers medical information to the insurance company, which receives the data as recipient.
  3. Third scenario: The insurance company, insurer and/or insurance advisor or broker processes the personal data for its own purposes, acting as data controller.


These scenarios mean that, even though the data initially reaches the insurer as a delivery from the healthcare facility, the insurance company, insurer and/or insurance advisor or broker must comply with all the obligations that the Personal Data Protection Law imposes on data controllers. These include adopting security measures, guaranteeing confidentiality, and ensuring transparency in the processing of data subjects' data, particularly where sensitive health data is concerned, as such data is subject to heightened protection.


The Data Protection Authority reaffirms that insurance companies, insurers and/or insurance advisors and brokers are controllers of personal data when they use medical information for their own purposes.


Conclusions:

  • Insurance companies and/or insurance brokers and advisors are not data processors but act as data controllers when the data is used for their own commercial and contractual purposes.

Editorial Board
