Insurability of GDPR Administrative Fines in Cyber Insurance Policies: Opportunities and Legal Uncertainty

Explore the insurability of fines and penalties, focusing on GDPR administrative fines within cyber insurance policies. Dr. Anastasios Tamamidis delves into this complex issue at the AIDA Europe Conference, emphasizing the interplay between legal ambiguity and growth opportunities in the insurance sector.

  • GDPR
  • Cyber Insurance
  • Fines
  • Penalties
  • Legal


Presentation Transcript


  1. Fines and penalties: Are they insured? With emphasis on the insurability of GDPR administrative fines in the framework of cyber insurance policies: on the edge between legal uncertainty and opportunity for insurance growth. Dr. Anastasios Tamamidis, Head of Legal Services Division at ERGO Hellas, 30 May 2024. Classification: Confidential

  2. I. Introduction*

     The issue of the insurability of fines and (monetary) penalties is constantly in the news, as it is of particular concern both to businesses as legal entities and to their management members, if it is taken into account that in many cases (antitrust, personal data protection, violations of tax legislation and social security legislation, etc.) the relevant responsibility also affects these natural persons.

     1. The existing situation

     While cyber-attacks can be devastating for a company and paralyze its operations, they can also be accompanied by personal data breaches within the meaning of the GDPR that may, among others, give rise, on the one hand, to an investigation on the protection of personal data carried out by the competent administrative authority and, on the other hand, to pecuniary sanctions at the end of this investigation. Businesses are interested in the issue, primarily, because they seek to mitigate the risk they themselves run in the event of fines and penalties being imposed on them, and also because often, possibly at the request of their management or to make themselves more attractive to candidate executives, they wish to cover the members of their management teams. Additionally, insurance undertakings are interested in the topic of insurability of fines and penalties as an opportunity for growth.

     According to Art. 83 of the GDPR, the local Data Protection Authority (DPA) has the power to impose substantial administrative fines in the event of a breach of the applicable data protection regulations, the amounts of which may be as high as EUR 20m or 4% of the company's total worldwide annual turnover of the preceding financial year, whichever is higher. Penalties and administrative fines are really severe, sometimes truly draconian, and work to a degree to ensure GDPR compliance through education, enhanced awareness and infrastructure investment.

     The trend in Europe is the imposition of increasingly harsh fines, especially for personal data breaches, and the situation is not expected to get any easier. In today's presentation I will limit myself to the case of fines related to violations of the GDPR, as this is the most burning issue in recent years but also because the way of dealing with this case can lead to dealing with the other cases as well, the problematic of which has significant similarities with the case of GDPR violations. The most interesting are the cases in which the GDPR violation is combined with a cyber security attack, as these are more complex and their consequences, and thus the risk to be insured, are much more massive and extensive.

     * The overall text and presentation reflect exclusively the personal views of the author.

     10th AIDA Europe Conference, 30-31 May 2024 | Athens, Greece | Dr. Anastasios Tamamidis

  3. 2. The impact of the Covid-19 pandemic

     During the covid-19 pandemic era and the relevant public health crisis, concerns about GDPR compliance have been accentuated. The pandemic entails more frequent and more varied processing of subjects' personal health data. Remote working has also heightened the importance of data protection in many ways. Transfer of residual risk, meaning the risk which remains after taking measures to deal with the data protection issue, in terms of financial losses, administrative fines etc., to a third party such as an insurer, is a significant part of the risk management process.

     3. The question: are GDPR administrative fines insurable?

     Typically, the issue of insurability for GDPR fines is considered in relation to cyber insurance policies. However, it is not necessary to consider the question of insurability of GDPR fines in connection to cyber insurance only, as the scope of the GDPR is wider than most cyber insurance policies, which are usually triggered in the event of a privacy or security incident, whereas a GDPR breach can be triggered by non-compliance even independently of a privacy or security incident. Nevertheless, we must admit that cyber policies usually already cover, or may -with the appropriate wording- cover, a large part of the consequences of a data protection breach.

     Another stimulating issue related to the above, which will not be examined in the context of this presentation, is whether a legal entity is entitled to bring recourse claims against its executives for GDPR violations generating fines against the entity, as well as whether these recourse claims are actually insurable under D&O insurance policies.

  4. II. Attempt to approach the question

     1. Current situation in the insurance market

     By way of illustration: an extract from the general terms and conditions of a Cyber Insurance Policy issued by a Greek insurance undertaking, concerning this issue, states: "We will also indemnify you for any legally insurable administrative fines and penalties imposed by your supervisory authority as a direct consequence of the data breach." By referring to an expression such as "any legally insurable fines and penalties", the insurance undertaking intends to protect itself against legislation or even case law which would enshrine the uninsurability of such fines and penalties, as well as to make known to the insured the object and extent of the coverage. Terms with similar wording are used in many insurance policies of different companies in different countries.

     For the time being, the situation in the Greek insurance market is rather unclear: on the one hand, several insurance companies in Greece emphasize that they provide this coverage, while on the other hand, others can invoke the insurance law, according to which "it is not possible to cover a risk, if the occurrence of the insured event is due to fraud or gross negligence of the insured or if he by his actions/omissions has increased the final result". The insurance market allows for some expansion of cover to specifically address certain instances of non-compliance as it relates to the GDPR, but the relevant wording should be carefully drafted and reviewed. However, no matter how clear and/or favorable to coverage of GDPR fines an insurance policy is, it is always important to know to what extent this policy is really enforceable, as well as how courts will handle the question.

     The issue of whether insurance is allowed for GDPR administrative fines is not exactly the same as the issue of whether insurance is allowed for the indirect costs related to a personal data breach (legal fees, advertising costs, data recovery costs, third parties' claims etc.), and it is generally found that even in jurisdictions that deny the insurability of GDPR fines, it is easier to accept the insurability of the above-mentioned costs, since public policy considerations are not likely to be raised - at least not to the same extent - as happens with fines. In many jurisdictions, one could say that, as a rule, the above costs are indeed a priori insurable, but claims under policies for such costs are not enforceable if it is demonstrated (e.g., by a judgment or admission) that the conduct giving rise to the liability for the fine was deliberate or, in some cases, even reckless, given that the ex turpi causa maxim seems to apply here, covering not only fines but also defence costs and in general any costs of the person who acted illegally.

     An analysis of existing clauses shows a certain hesitation on the part of insurers to offer cover of financial penalties imposed by an administrative authority. The question is whether this reluctance of insurers is justified or not.

  5. 2. Insurability of administrative GDPR fines as a public policy issue from a comparative perspective

     Insurance policies generally exempt criminal fines as a matter of public policy. If the liability to pay the fine is allowed to be transferred to an insurance company, this means that the insured will not suffer the consequences of committing the offence (apart from the payment of the excess and the possibility of increased insurance premiums in the future) and that the deterrent function of the sanction is undermined. In fact, from another perspective, it seems that we are in front of one more case of debate which concerns moral hazard. In most countries, although there is a general consensus that, due to opposition to public policy, fines imposed by courts arising from a criminal offence are not insurable, the discussion regarding the insurability of administrative fines is still generally open.

     Comparative overview

     A comparative study of many European legal orders shows that there are only few jurisdictions where it is clear that fines can be covered by insurance, but even then there must be no deliberate wrongdoing or, in some cases, even gross negligence on the part of the insured. According to this study, it seems that, without prejudice to the fact that it is difficult to make absolute statements, GDPR fines insurance is clearly allowed in Norway and Slovakia, clearly not allowed in Austria, Belgium, Bulgaria, Cyprus, Finland, France, Denmark, Ireland, Italy, Latvia, Luxembourg, Spain, Switzerland, Portugal, Romania, Slovenia and the United Kingdom, while ambiguity prevails in Croatia, Czech Republic, Estonia, Germany, Greece, Hungary, Lithuania, the Netherlands, Poland and Sweden.

     GDPR position

     Regarding administrative fines, the GDPR itself is silent on the matter of insurability of fines imposed under it, and usually local legislation for the implementation of the GDPR is equally silent on the matter of insurability of fines. Further, in most countries the regulator has not expressed its explicit position on the matter. However, one could say that regulators are generally against the insurance of administrative fines.

  6. More specifically

     Slovakia: Slovakia is an interesting case since it appears to be the only country whose Regulator has explicitly allowed the coverage of GDPR fines through insurance.

     Latvia: In some countries, like Latvia, the law explicitly provides for the uninsurability, through civil liability policies, of fines, late interest and other types of sanctions.

     France: GDPR fines, like other regulatory fines, are usually not insurable since such fines are considered to be quasi-criminal and against public policy, as they are intended to be borne by the party personally.

     Germany: GDPR fines are likely to be uninsurable since, according to the prevailing understanding, although there is no express prohibition, civil law generally does not allow the purpose of a fine as a personal sanction to be circumvented through insurance of the monetary payment (sections 134, 138 BGB on statutory prohibition and legal transactions contrary to public policy, respectively).

  7. More specifically

     Austria: In Austria, it is observed that the insurance coverage of GDPR fines in relation to future violations is legally unacceptable due to their punitive nature, but also, when it comes to the coverage of violations which have already been committed, the coverage may lack validity if the relevant behavior was intentional.

     UK: In UK law, although the discussion on the insurability of GDPR fines is rather still open, it is somehow generally accepted, based on the example from other areas of law such as criminal penalties and fines issued by the Competition and Markets Authority, that fines of a penal nature, in the sense that they have been designed to punish the wrongdoer, are not recoverable. Following the identification of three broad categories of conduct for which any fine or penalty may be imposed, i.e., i) intentional wrongdoing, ii) strict liability situations, where no particular fault is required, and iii) negligence, it seems that fines resulting from intentional wrongdoing are not indemnifiable whatever the type of fine, strict/no fault liability fines are likely indemnifiable, while the situation regarding fines based on negligence is more complicated. In this last case, it seems that fines resulting from purely negligent conduct might be considered insurable. It seems that for the so-called illegality defence or ex turpi causa - meaning that it is not possible to recover from your own wrongdoing - to be applied, there must be an element of moral turpitude or moral reprehensibility involved in the specific conduct. Probably, only if the latter is considered innocent and not deliberate, reckless or negligent can the application of the illegality defence be avoided. It seems that opposition to the public interest is significant when examining whether a claim with a certain degree of illegality can be indemnified regarding the claimant's behaviour. The relevant judgment can be formed based on factors such as the purpose of the prohibition which has been violated by the claimant, the influence of the satisfaction or denial of the claim on any other relevant public policies, and proportionality.

     Germany: Insurance protection with regard to the fine is subject to the proviso that the protection is not opposed by a statutory insurance ban. Whether such a ban exists in Germany is highly controversial. According to the prevailing opinion, there is no insurability for an imposed fine, since otherwise the statutory purpose of prevention would be thwarted. However, another part takes the view that a differentiated approach is necessary, and a distinction must be made between the type of fine and the degree of culpability, among other things. Regarding this degree of culpability, the opinion suggests the distinction between fines imposed for intentional conduct and those imposed for negligent offences, since, in principle, civil law is supposed to only sanction intentional behaviours.

  8. Important note! When GDPR fines are stated not to be insurable in a specific country, this may mean that the issue is under discussion in the local insurance market and some players may in principle provide cover for such fines, e.g. in the context of cyber insurance policies. Nevertheless, given that GDPR administrative fines are usually treated as regulatory fines in general, it should be stressed that at least in some jurisdictions this would be a dangerous practice, since the local Regulator is entitled to impose a fine on an insurance company in case it offered insurance coverage against administrative fines.

  9. 3. The issue of insurability of GDPR fines in the light of their possible criminal nature: moving from public order to the intentionality of the act as ground for the uninsurability of administrative fines

     In general, the controversy over the insurability of fines arises from their possible punitive nature and whether it is contrary to public policy to cover fines which are imposed by regulators and law enforcers to deter wrongdoing. As a general idea, in legal orders like the Greek one, criminal penalties are almost never insured. The uninsurability of criminal sanctions is not expressly provided for, as is the case in other legal systems; however, it is generally accepted that in civil liability insurance there is the limitation of the exclusion of coverage of liability due to fraud (deception), and moreover, when the civil liability arises from fraud and not negligence, it is not considered to be an insurable risk for the policyholder. GDPR fines are clearly dissuasive, and when a fine is of a dissuasive nature public policy would clearly be undermined if a wrongdoer could simply avoid paying the fine through insurance. Especially in UK law, there is a long-established illegality defense (ex turpi causa non oritur actio) that prevents companies and individuals from using insurance in order to avoid the consequences of their illegal actions.

     Greek law, like most European laws, remains silent as to the insurability of administrative fines and penalties. Both the GDPR and Greek law 4624/2019 do not provide for the insurability or non-insurability of GDPR fines. However, the silence of the legislator cannot be taken as safe ground in favor of insurance, as in some countries, although insurance for regulatory fines is not expressly prohibited, there is nevertheless a risk that such insurance policies may be unenforceable on grounds of public interest.

     In Greek insurance law, notwithstanding the public policy issue, in relation to the question of the culpability of the insured, it is noted, firstly, that civil liability also has a preventive nature when this liability is due to a fraudulent act or omission of the civilly liable person and, secondly, that civil liability arising from an act or omission done with intention constitutes at the same time, and by intention, the cause of the insured event in civil liability insurance: the genesis of the insured's civil liability is what gives rise to the contractual liability of the insurer for the payment of the insurance compensation and, if it depends solely on the will of the insured, there is no uncertainty for the insured as to when the insured risk will occur and therefore, due to the lack of this element, in fact there is no insurable risk at all.

  10. A comparison of Greek law with other systems of law shows that a less aphoristic perception seems to prevail, according to which GDPR fines are generally considered to be uninsurable as a matter of public policy, although it is accepted that these fines could be insurable to the extent that they are related to a data security breach, they are not attributed to malice, and the acts and omissions that resulted in the fine do not constitute a criminal offence which has resulted in criminal sanctions.

     In Spain, supporters of the idea that offering cover for fines is contrary to law invoke the Spanish Regulator, which stated that "cover for administrative fines and penalties is not admissible because it could be contrary to public order and because it does not fall within the civil liability insurance object which only aims at compensating the economic damage suffered by the insured as a result of the claim for damages and, indirectly, to ensure that the third party damaged receives compensation. From this perspective, offering cover for the punitive consequences derived from criminal or administrative offences would not be possible".

  11. What case law supports

     On the basis of the ground of violation of public order, the majority of case law and doctrine in countries like France and Luxembourg have traditionally concluded that administrative sanctions are in principle uninsurable. Nowadays, in the same countries, there is a tendency to base the non-insurability of administrative fines no longer on public order - or not only on it - but on their criminal nature. The uninsurability of administrative fines is justified through their assimilation with criminal fines because of their punitive nature.

     1. Decision of the French Cour de Cassation dated 14/06/2012

     This judgment of the French Cour de Cassation adds a nuance to the above categorical view: public policy is no longer the basis to be taken into account in order to exclude the insurability of such fines, but rather the criterion of the intentionality of the act. According to a certain approach, the specific jurisprudence of the Cour de Cassation can also be interpreted in the sense that - subject to the exception of fines of a criminal nature due to the intentional character of the act - it otherwise supports the possibility of insuring administrative fines in general. Following this perception, the responsibility of the insured is technically insurable provided that it emanates from a non-intentional act, or it emanates from an intentional act not of the insured person itself but of another person, even if the insured is considered responsible for this person. According to another, even more prudent approach, at this stage it probably cannot be affirmed that the Cour de Cassation has consciously abandoned the reference to public order in order to target the intentional nature of the fault and, hence, open the field of the insurability of administrative sanctions. It seems that only the intentional character of the insured person's act - and not the insurability of the fines by itself - was in question.

     2. Decision of the French Cour de Cassation dated 13/06/2019

     In the same direction as its decision of 14/06/2012, the French Cour de Cassation by its decision of 13/06/2019 confirmed that the insurer reasonably denied its guarantee with a view to the payment of a pecuniary penalty pronounced by the AMF, since the insured was aware of the harmful facts giving rise to the administrative procedure before the date of underwriting of the contract. This knowledge of the claim prior to the taking effect of the contract deprived the insured of any risk and thus the insurer should not provide its guarantee.

  12. Generally speaking

     In Greek law, it is supported that the acceptance of the coverage of an administrative fine for a violation of a rule of law that was not done with malice does not offend public order. The particularity of the administrative fines imposed due to violations of personal data protection law is identified, as on the one hand they may also result in criminal sanctions and on the other hand they do not always require that the violation has been done with intent. It thus becomes clear in relation to fines for breach of the GDPR that, provided that they are not criminal in nature and the breach is not due to intent, there is scope for insurability.

     Following a general trend in many European legal orders, showing a move from public order to the intentionality of the act as ground for the uninsurability of administrative fines, it may be supported that these fines may be insured if the conduct which led to their imposition was merely negligent - and not fraudulent - and indeed that specific conduct was of such a - low - degree and intensity on the moral scale that it can be reasonably argued that the insurance coverage in this particular case does not contradict the deterrent purpose of the aforementioned fines. In this spirit, administrative fines would therefore be insurable provided that the infringement giving rise to such sanctions was not intentional.

     An interesting aspect is highlighted by the Swiss system of law, where it is pointed out that an excessively high GDPR fine could be regarded as violating public order, and thus such a fine, or the part of it considered excessive, could be covered and indemnified under an insurance policy. A fine with a criminal character imposed by a foreign authority could be understood as violating Swiss ordre public and therefore classified by Swiss courts as excessive or confiscatory; hence, such a fine would no longer be classified as a penalty in the criminal sense but as insurable, compensable damage.

  13. 4. The nature of the sanction itself as a criterion for the insurability of GDPR fines: the Engel case law of the European Court of Human Rights

     According to a certain opinion, another element must also be considered before a conclusion can be reached concerning the particular case of fines imposed by the Data Protection Authorities. As indicated, certain laws (for example, Luxembourg), expressly or not, enshrine the uninsurability of criminal sanctions. Consequently, if, by its nature, the sanction imposed by the DPA is of a criminal or quasi-criminal nature, it could not be covered by insurance. It should be admitted that it is not always simple to distinguish between a criminal fine and an administrative one. For the determination of the (quasi-)criminal nature of a fine, an analysis of the so-called Engel criteria identified by the European Court of Human Rights in the case Engel and Others v the Netherlands is adequate.

     Engel criteria:
       • the classification in domestic law;
       • the nature of the offense;
       • the severity of the penalty that the person concerned risks incurring.

  14. The Court of Justice of the European Union has also had the opportunity to rule on this point, carrying out an interesting interaction exercise between legal orders. In its judgment Bonda, the court endorses the reasoning adopted by the European Court of Human Rights in the qualification of administrative sanctions. It should be noted that these three criteria, first identified by the European Court of Human Rights, are in principle alternative, but a cumulative approach remains conceivable if the separate analysis of each criterion does not make it possible to reach a clear conclusion as to the penal nature of the sanction.

     Furthermore, the European Court of Human Rights, seized of the case Grande Stevens v Italy, applied by its decision the Engel criteria to judge the criminal or civil nature of administrative fines of amounts between 500,000.00 and 5,000,000.00 EUR imposed by the Italian Authority for the Control of Financial Markets. The Court, in the light of a triple test, and in particular of the high amount of the fines, qualified the above fines as criminal sanctions. In this respect, and bringing the above to the GDPR level, according to the above opinion the sanctions provided for in the Regulation seem to meet the Engel criteria, especially because the sanctions are intended to have a deterrent and repressive effect and to protect the general interest, and the amounts of the fines reflect an undeniable severity.

  15. Regarding the severity of the penalties, it is noted that Data Protection Authorities do not fine organisations for trivial reasons, which means that where financial penalties are considered appropriate, it tends to be in cases of blatant and serious failures or where, despite warning, the business in question has failed to change its attitude and become GDPR compliant. This means that in most cases GDPR fines would probably rather be considered as penal in nature. Hence, the fines imposed in accordance with the GDPR, since they refer to violations of the subjects' right to privacy, are obviously severe and have a deterrent character, meet the three Engel criteria and are therefore of a criminal nature, which leads to the conclusion that currently they are uninsurable under the law in force. Nevertheless, it seems that the issue of whether the Engel criteria are met in the case of GDPR fines needs to be further examined.

     In legal systems such as the Greek one, it is accepted that, unlike monetary penalties, (administrative) fines and (administrative) penalties are administrative sanctions and are not imposed by a (criminal) court but by a public authority. A fine imposed by a court, or an original sentence of imprisonment which is subsequently converted into a pecuniary penalty, is not insurable, as it is against public policy to treat as mere insurable risks human conduct leading to criminal convictions. On the contrary, it seems that administrative fines and penalties are not excluded, a priori and without exception, from the possibility of insurance, because it is not a priori contrary to public policy to treat them as an insurable risk, with the clear condition that they do not constitute a criminal offence at the same time. After all, the purpose of administrative fines and penalties is not exactly the same as that of criminal sanctions, such as pecuniary penalties.

     If in one case, based on the same human behavior, a pecuniary penalty and an administrative fine are imposed at the same time, then the pecuniary penalty, due to its criminal law nature, certainly cannot be insured, and the administrative fine could be insured only if there are conditions to establish that this fine is not based on acts or omissions that also constitute a criminal offence.

  16. III. Final thoughts and reflections III. Final thoughts and reflections Following the above, if we want to give an answer to the main question, whether GDPR fines are insurable, a safe and correct approach would be that there is not just a simple and general answer. Provided that the abovementioned view (that GDPR fines are not insurable by their -criminal or quasi-criminal nature-, due to the presence of the Engel criteria) is not taken, it seems that the intentionality criterion may prove to be not only legally correct but also very useful in terms of insurers reasonable interests. t seems that the answer to the question of insurability of GDPR fines may be given only in concreto, in the light of the specific case before us, i.e. on the basis of the applicable law, the exact wording of the policy and mainly the special circumstances of the case. It seems that each time there should be an assessment as to the degree of moral reprehensibility involved in the behavior that caused the violation, which leads to an in concreto examination of every case. Jurisprudence and legal doctrine in some European countries seem to support the idea that the matter of insurability of administrative fines moves from its handling on the basis of the opposition of such insurance to the public policy towards its handling on the basis of intentionality, leaving space for insurability even in some cases of negligence, if in the specific case the respective degree in the moral scale is relatively low in a sense that in fact the public interest is not harmed in the end. A relatively low degree of negligence could influence the amount of the GDPR fine, which would be higher that the fine in a case of absence of any sort of culpability and lower than in the fine in a case of malice, but not exclude a priori its insurability. 
Hence, in a harmonized, symmetrical way, a fine imposed in a case of mere low-degree negligence would be relatively low and insurable whereas, on the contrary, a fine imposed in a case of clearly intentional conduct would be relatively high and uninsurable. Regarding the significance of the intentional character of the insured person's behavior as a factor leading to the denial of insurance coverage, it is noted that usually, following general principles, even when the insurability of the costs of a personal data breach (legal fees, advertising costs, data recovery costs, third-party claims etc.) is more or less admitted, such costs may finally not be insurable if the action giving rise to the liability for the fine is intentional or a consequence of gross negligence. In general, one of the conditions of insurability in many countries is that the loss was caused by circumstances beyond the control of the insured person.

  17. Given that administrative fines are usually connected to public policy and thus have a deterrent character, it seems reasonable to support the idea that the uninsurability of such fines has to do with, and therefore is limited to, intentional or highly negligent conduct of the claimant, whereas other costs such as investigation costs, response costs, data subject notification etc. are not tightly connected to the claimant's conduct and thus are always or almost always insurable, with intention or negligence having a less significant role than the one they have in respect of the insurability of the administrative fine itself. With regard to the issue of the applicable law, the above-described variety of legal systems proves, among other things, the significance of choice of law, since the parties have the ability to choose between legal systems that clearly deny or accept the insurability of GDPR fines, while there is also the possibility of choosing as applicable law one that is rather in the grey zone, if this choice better serves the interests of the parties. However, it should be stressed that usually, in terms of insurability, local law is applied in each country, since legal rules governing the area of insurability are often considered to be derived from public policy principles which override the parties' possible choice of law, meaning that it cannot be assumed that such a choice will always prevail as regards the specific matter of insurability. Just to justify the subtitle of this presentation, that is the question of insurability of GDPR fines on the edge between legal uncertainty and opportunity for growth, we could admit that the GDPR, like so many other unexpected events and situations, such as the COVID-19 pandemic, should be envisaged as an opportunity and not as a threat. New obligations mean new risks for business. 
This certainly applies to the GDPR case, since the Regulation implements new rights and responsibilities as well as significantly higher penalties and sanctions for the most serious data breaches, and prudent businesses will always look to insurance as a means of protecting what's important to them. When it comes to data protection, cyber insurance can be especially useful in helping businesses cover the costs and resources necessary to respond to a data breach effectively. Most probably, a lot of businesses will be led to consider seeking cyber insurance for the first time.

  18. If Charles Robert Darwin actually did say, and was right in saying, that "It is not the strongest species that survive, nor the most intelligent, but the ones most adaptive to change", then insurers should adapt themselves to the new reality and maybe offer policies a priori covering administrative fines for GDPR violations, or at least costs incurred after a data breach incident, prudently reserving, however, the pure legality of the possibility of this insurance as well as its exact extent, at least until an established and secure treatment of the question is created in legal theory and above all in case law. Since the consequences of GDPR non-compliance are not limited to monetary fines, insurers need to intelligently sensitize their customers and help them move away from the narrow view that it is critical for them to be insured only against administrative fines, and instead see the issue of insurance in relation to personal data in a more comprehensive and holistic way. While considerations of GDPR liability often focus on the potentially extremely high penalties and fines, specific cases demonstrate that the significant costs may take forms other than fines and raise important insurance considerations. One example of a potentially large loss imposed by the GDPR is the cost of notifying persons whose data an organisation holds when there is a breach incident or even a suspected breach incident, a cost which may also be covered by an insurance policy including the corresponding coverage. Insurers should make their customers more aware of the fact that, when considering the risks associated with non-compliance with the GDPR, they should not just focus on fines, no matter how high they truly are, but also on a range of other possible serious consequences for their companies, including a) costs and resources required in order to respond to Data Protection Authorities' interventions and investigations, b) business interruption, especially if the company is required to stop operating while there is an ongoing investigation, c) civil claims for compensation brought by individuals whose rights and interests have been impacted by a GDPR breach, including coverage for legal representation and compensation and costs for claims of individuals affected by the data breach, and d) reputational damage, including costs related to advertising, communications and public relations.

  19. Moreover, in case of a serious data breach an insurance policy, even if it covers the related administrative fine and/or costs related to legal fees and litigation, regulatory investigation, remediation, public relations and other costs associated with compensation and notification of affected data subjects, nevertheless cannot cover the reputational harm done in terms of lost market share, clientele and, in the end, lost revenue. That is why cyber insurance, even if it completely covers GDPR administrative fines, which is rather impossible, may not be considered as an alternative to a GDPR compliance strategy, and this naturally applies also to insurance companies themselves. Insurance companies must do their best to take advantage of the opportunities provided by the GDPR and treat it not only as a piece of legislation that imposes serious and burdensome obligations on businesses but also as a growth driver: firstly, as an opportunity for new insurance business, such as, subject to conditions, the coverage of administrative fines but mainly of the costs involved in a data breach; and secondly, as an opportunity to improve the services they provide to their customers, among other things in the sense of compliance with the GDPR and the guarantees for the protection of personal data that it establishes. Finally, the practice of insurers of issuing policies that include, in respect of the insurance coverage of GDPR fines, the wording "any legally insurable administrative fines and penalties", "any legally insurable fines and penalties" or "to the extent insurable by law" may be intelligent and practical under the present conditions of legal uncertainty, but cannot be considered totally reliable or legally solid in the long term. 
Besides, the stakeholders will soon be asked to deal with the issue of the enforceability of the insurance policies, the attitude that the regulators will most probably be asked to take, and also the jurisprudence that will be created on specific cases regarding the matter of insurability of GDPR fines.

  20. Given the public order nature of GDPR fines, the stipulation of sub-limits on the principal amounts of cover, as well as deductibles and exclusions, is probably desirable and likely to make the policyholder responsible in terms of compliance with legislation regarding data protection, thereby removing much of the anti-insurability argument that insurability reinforces and promotes non-compliance with the GDPR and related obligations. On the other hand, apart from the wording of the terms of cyber insurance policies regarding the insurance of GDPR and/or administrative fines, great care is also required regarding the related promotional actions and advertisements, as they should not give the wrong impression to insured and prospective insured organisations that these fines are generally covered, i.e. without further conditions. Unfortunately, a cursory online market survey shows that many times cyber insurance policies are advertised with reference to coverage of, among other things, GDPR and/or administrative fines without highlighting the condition that such insurance is legally possible. Last, since the insurability of fines and penalties is still at present a dynamic and fluid matter, I have to admit that I really enjoyed working on the issue and would be happy to hear any comments or questions.

  21. Thank you for your attention!
