German State Data Protection Commissioner imposed 1.2 million € GDPR fine

The German State Data Protection Commissioner of Baden-Württemberg (“LfDI Ba-Wü”) imposed a GDPR fine of 1.240.000€ on the German statutory health insurance provider AOK Baden-Württemberg (“AOK”). The fine was a result of the health insurance’s lack of technical and organisational measures pursuant to Art. 32 GDPR. It is the highest fine the LfDI Ba-Wü has ever imposed.

Between 2015 and 2019 the AOK organized various types of lotteries and at the same time collected personal data of the participants, including their contact details and details of such person’s affiliation/membership in health insurance institutions. AOK Baden-Württemberg used personal data of lottery participants to send promotional messages. AOK used technical means to disseminate such advertising, and due to the lack of security and suitability of the technical means, the advertising was also sent to those who did not consent to such advertising. The personal data of more than 500 lottery participants were used for advertising purposes without their consent. Upon learning of such incident, all promotions and the processing of personal data for these purposes were immediately suspended.

The Supervisory authority considered that the technical, organizational security measures used by AOK were not sufficient to prevent such unlawful processing of personal data and therefore not only imposed a fine but also ordered the introduction of new security solutions.

This case and the amount of the fine imposed once again highlight the importance of security requirements for the processing of personal data and the increasingly strict approach of the supervisory authority.

Thus, before direct marketing, we recommend to:

  • assess whether a person’s consent for direct marketing has been obtained and that consent has not been withdrawn;
  • assess whether electronic, technical or other means that are used to send promotional messages, meet security requirements and function properly;
  • review/update the list of customers who have given their consent for direct marketing to ensure that it does not include people who have withdrawn their consent;
  • in the event of unlawful processing of personal data, take immediate measures to minimize the potential harm and stop the unlawful processing of personal data;
  • ensure that the possibility to withdraw consent at any time is readily available.

We remind you that consent for direct marketing must be explicit, shall be given separately for each method of advertising used, shall specify what personal data will be used and for what purposes, and how given consent may be withdrawn.

The article was prepared by attorney at law Loreta Andziulytė and assistant attorney at law Brigida Bacienė

Get in touch