Baden-Württemberg: LfDI Baden-Württemberg fines AOK Baden-Württemberg €1.2M
The Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') issued, on 30 June 2020, a decision ('the Decision') fining Allgemeine Ortskrankenkasse ('AOK') Baden-Württemberg €1,240,000 for unlawful data processing in a direct marketing context and insufficient internal technical and organisational privacy measures. In particular, AOK Baden-Württemberg organised several online lotteries and collected personal data of the participants as well as their health insurance affiliation. Moreover, the LfDI Baden-Württemberg held that with the help of technical and organisational measures, including internal guidelines and data protection training, AOK Baden-Württemberg had aimed to ensure that only data from those contestants who had previously given their effective consent were used for advertising purposes. However, the LfDI Baden-Württemberg found that the measures defined by AOK Baden-Württemberg did not meet the legal requirements and that as a result, the personal data of more than 500 competition participants were used without their consent for advertising purposes.
Furthermore, the LfDI Baden-Württemberg stated that the extensive internal reviews and adjustments of the technical and organisational measures, as well as constructive cooperation with the LfDI Baden-Württemberg were favourable factors when determining the fine pursuant to Article 83(4) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In addition, the LfDI Baden-Württemberg considered the size and importance of AOK Baden-Württemberg when calculating the penalty.
You can read the press release, only available in German, here.