Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information imposes fine on AOK Baden-Wuerttemberg –
Effective data protection requires regular monitoring and adjustment
Due to an infringement of the obligations of secure data processing (article 32 of the European General Data Protection Regulation, GDPR), the Department of Fines of the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information (LfDI) has issued a fine of 1,240,000 € against the AOK Baden-Wuerttemberg. At the same time, the Department of Fines, in constructive collaboration with the AOK, also paved the way for an improvement of the technical and organisational measures for the protection of personal data at the AOK Baden-Wuerttemberg.
From 2015 to 2019, the AOK Baden-Wuerttemberg hosted raffles on different occasions. Within this context, the AOK collected the participants’ personal data, including contact details and health insurance affiliation. Inter alia, the AOK wished to use this data for advertisement purposes, provided that the participants had consented accordingly. Through technical and organisational measures, which included internal guidelines and data protection trainings, among others, the AOK wanted to ensure that only data of raffle participants who had given their prior and valid consent would be used for advertisement purposes. These measures set by the AOK did not, however, comply with legal requirements. The personal data of more than 500 raffle participants were therefore used for advertisement purposes without their consent. No insurance data was concerned.
The AOK Baden-Wuerttemberg discontinued all sales activities immediately after the allegation became known, in order to thoroughly check all procedures. In addition, the AOK created a task force for data protection in sales and made adjustments which concerned, in particular, internal procedures and control structures, besides the declarations of consent. Further measures are to be taken in close coordination with the LfDI.
Within the frame that article 83 (4) GDPR sets for fines, the comprehensive internal reviews and adjustments of the technical and organisational measures, as well as the constructive cooperation with the LfDI, spoke in the AOK’s favour. Thus, an increase in the protection level for personal data related to the AOK’s sales activities was achieved within a short amount of time. In the future, the AOK will continue and, if necessary, adjust these improvements and additional control mechanisms, in accordance with the specifications and recommendations set by the Baden-Wuerttemberg State Commissioner of Data Protection and Freedom of Information.
When assessing the fine, the Commissioner considered factors such as the size and the relevance of the AOK Baden-Wuerttemberg. He also paid special consideration to the AOK being a statutory health insurance and thus an important part of our health system, as the AOK has the statutory obligation to preserve, restore or improve the health of the insured persons. The GDPR requires fines to not only be effective and dissuasive, but also proportionate. Determining the amount of the fine, the Commissioner therefore had to ensure that the fulfilment of this statutory obligation would not be endangered. To this end, particular attention was paid to the challenges the AOK currently faces due to the Corona pandemic.
“Data security is an ongoing task”, the Baden-Wuerttemberg State Commissioner for Data Protection and Freedom of Information, Dr. Stefan Brink, stresses. “Technical and organisational measures need to be adjusted to the actual conditions on a regular basis, so as to ensure an appropriate level of protection in the long term.” In this context, great importance is regularly attached to ensuring conditions of data protection compliance, as well as to the good cooperation of controllers with the LfDI. Brink concludes, “Our aim is not to issue fines which are as high as possible, but rather to reach a data protection level which is as good and appropriate as possible.”
If you have any questions, you can call the number +49 (0)711 615541-23. For further information about data protection and freedom of information on the web, please visit www.baden-wuerttemberg.datenschutz.de or www.datenschutz.de.
The German version of this press release is available at www.baden-wuerttemberg.datenschutz.de.
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.