Take-Aways (AI)
  • The LfDI imposed a fine of EUR 1.24 million on AOK Baden-Württemberg for data protection violations in sweepstakes (2015−2019).
  • More than 500 participants’ data were used for advertising purposes without their consent; insured persons’ data remained unaffected.
  • The LfDI criticized inadequate technical and organizational security measures, a violation of Art. 32 GDPR.
  • Mitigating factors: size of the AOK, internal improvements, constructive cooperation and consideration of the coronavirus pandemic.

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI) has imposed a fine of EUR 1.24 million on a health insurance company (AOK Baden-Württemberg) (cf. media release).

The LfDI identified a violation of the GDPR in the fact that the AOK had collected personal data of participants, including contact data and health insurance affiliation, in the context of sweepstakes from 2015 to 2019. This data was to be used for advertising purposes. The AOK wanted to ensure through technical and organizational measures (including internal guidelines and data protection training) that only data from participants who had consented was used. Nevertheless, personal data of more than 500 participants was used for advertising purposes without consent (but not insured persons’ data). It was thus clear to the LfDI that the AOK had taken inadequate security measures, which violated Art. 32 GDPR.

According to the media release, the fine was calculated on the basis of the following factors:

  • the size and importance of AOK Baden-Württemberg, in particular the fact that the AOK is a statutory health insurer and thus “an important part of our health care system”,
  • that comprehensive internal reviews and adjustments of the technical and organizational measures have been carried out,
  • the “constructive cooperation” with the LfDI,
  • that no insured persons’ data was affected,
  • that the fine must not jeopardize the fulfillment of the AOK’s statutory mission, with special consideration given to the challenges posed by the coronavirus pandemic.

In other words, the fine could have been considerably higher without these circumstances. As reported, the AOK will not contest the fine.

It is currently an open question whether the amount of the fine is based on the application of the controversial sanction model of the DSK, and why the LfDI located the breach at Art. 32 GDPR and not, for example, at Art. 5 (principles), Art. 6 (legal basis), Art. 24 (accountability: the obligation to ensure compliance with the GDPR) or Art. 25 GDPR (privacy by design).

The decision shows that the authorities know how to distinguish between paper compliance and compliance in practice, and that the grace period for fines (including the informal grace period due to the coronavirus pandemic) has probably expired.