The Data Protection Authority (DPA) of Baden-Württemberg issued a fine of 1,24 million EUR in Germany against a big public health insurance organisation for not implementing adequate technical and organisational measures (Article 32 GDPR). The official press release can be accessed here (in German).
1. Background of the case
The statutory health insurance organisation “AOK Baden Wuerttemberg” conducted lotteries on various occasions and collected personal data of participants including their contact details and health insurance affiliation. In order to use this data for marketing purposes, it asked the participants for their consent. With the help of technical and organisational measures (such as internal guidelines and data protection trainings for the staff) the organisation wanted to ensure that only the data of the participants who had provided consent was used. However, the measures did not prevent that also 500 participants' data were used who had not provided consent. Following its investigation of the case, the DPA concluded that the measures that the organisation had taken were not adequate and held that AOK Baden-Württemberg was in breach of its obligations under Art. 32 (1) (b) GDPR. It issued a fine in the amount of 1,24 million EUR.
2. Violation of Art. 32 GDPR
Though the press release does not go into much detail, this case is another good example that (German) DPAs put a special focus on data security aspects (Art. 32 GDPR) while emphasising the importance of technical and organisational measures. Interestingly, the fine was not issued because the organisation was lacking a legal basis for using this data for marketing purposes in these 500 cases (here: consent). From what we know, the DPA concluded that AOK Baden Wuerttemberg had implemented a process that generally ensures a lawful processing (i.e. obtaining consent) but no adequate measures to ensure the ongoing confidentiality and integrity of the respective processing systems (i.e. use of data without the consent of participants).
3. Determination of the fine
At a first glance, the fine issued appears to be rather “low” if one looks at the fining model that was introduced some time ago in Germany by the Conference of the German Data Protection Authorities (“DSK”).
For your background: With this model fines are calculated based on the annual turnover of companies/groups multiplied by factors that vary depending on the severity of the violations and other circumstances. Since the annual turnover forms the basis for the calculation, the new fining model generally results in very high fines even for minor breaches of the GDPR in case of high turnovers. See here for more details.
According to our information, the DPA did not
apply the fine model on a one-to-one basis because the AOK Baden Wuerttemberg is a public body, rather than a private company. However, the DPA applied the “notion” of the model and took the surplus (not the turnover) as a starting point for its calculation of the fine.
The DPA took also into account the status of the AOK Baden-Württemberg as statutory health insurance. As it is such an important part of the health care system in Germany, when determining the amount of the fine, the authority wanted to ensure that the fulfilment of AOK Baden-Württemberg's statutory task would not be jeopardised, especially in view of the COVID-19 pandemic.
In this respect, the DPA may have “only” referred to Art. 32 GDPR, instead of Art. 6 GDPR (lawful basis), because the base rate for the calculation of a fine is considerably lower (i.e. only the “2% bucket” of Art. 83 (4) GDPR instead of the “4% bucket” of Art.83 (5) GDPR).
Also, the comprehensive internal reviews and adjustments of the technical and organisational measures (in the aftermath) as well as its “good cooperation” with the DPA were considered in favour of the AOK Baden-Württemberg.
When looking at fines, it certainly makes a difference whether a breach or incompliant processing is due to a human/system error, or due to inadequate technical and organisational measures (from the outset). For example, if a call centre agent is not trained in the right way to confirm the identity of a caller, the DPA may issue a fine right away. This may be different if the call centre agent would have been sufficiently trained, but acted in error against this instruction (it would be unlikely for the DPA to issue a fine in this isolated incident).
However, this case clearly illustrates that data security and compliance with Art. 32 GDPR is no “paper trail” task, but should be taken seriously. In times of more and more data being processed (“digitalisation of everything”) and increasing cyber security incidents, being able to document and demonstrate compliance with security measures becomes increasingly important. German DPAs have indicated that data security will be one of the areas they will focus on in future and it likely we will see similar cases down the line.