On June 25, 2020, German state DPA (LfDI Baden-Württemberg) issued 1.24 million euro fine to AOK Baden-Württemberg- the biggest health insurer in southwest Germany. The fine was issued for the violation of Article 32 of the General Data Protection Regulation (GDPR).

Lack of organizational and technical measures

From 2015 till 2019 the company organized sweepstakes and collected various personal information from participants, including their contact details and affiliation with the health insurance company. The AOK Baden-Württemberg then wanted to use collected data for advertising purposes.

With the help of technical and organizational measures and internal guidelines, the AOK was confident they ensured that only data from those participants who had previously given consent were used for advertising purposes.

However, the measures defined by the AOK did not meet the legal requirements and as a result, the data of 500 participants were used in advertising purposes without proper consent.

Why is the fine so high?

The AOK Baden-Württemberg is an important part of the German health system and the biggest health insurer in southwest Germany with over 4.5 million insured and around 230,000 corporate customers. This was definitely a factor that influenced the DPAs’ decision to issue fine of such magnitude

When defining the amount of the fine, circumstances like the size and importance of the AOK Baden-Württemberg were taken into consideration. Particular attention was also paid to the fact that it is an important part of the health system and that the AOK  responsibility of maintaining and improving the health of the insured was not compromised. The current challenges for the AOK due to the current corona pandemic were also given special consideration.

Conclusion

The State Commissioner for Data Protection and Freedom of Information Dr. Stefan Brink emphasized that “Data security is an ongoing task. Technical and organizational measures must be regularly adjusted to the actual circumstances in order to ensure an appropriate level of protection in the long term.”

With that in mind, AOK made extensive internal reviews and adjustments of its technical and organizational measures and demonstrated a high level of cooperation with a supervisory authority.

For staying up to date on GDPR fines we recommend you check GDPR tracker! You can also read the original press release in German here!