Pursuant to Art. 40 (5) GDPR, associations and other organizations may have codes of conduct approved by the competent supervisory authority pursuant to Art. 40 (2) GDPR. On this basis, the Austrian Data Protection Authority (DPA) has approved the “Rules of conduct pursuant to Article 40 of the EU General Data Protection Regulation for insurance brokers and consultants in insurance matters”.
The Code of Conduct provides, among other things, that insurance brokers generally act as controllers, but in exceptional cases as processors (e.g., when they enter data into an insurer’s portal).