On 25 June 2020, the German data protection authority (DPA) of Baden-Württemberg imposed a €1,240,000 fine on AOK Baden-Württemberg (AOK). The DPA claimed that AOK did not implement appropriate technical and organisational measures (TOMs) to ensure the protection of personal data as required under Article 32 of the EU General Data Protection Regulation (GDPR).
This is not the first time that a German DPA has imposed a fine for Article 32 breaches and follows what seems to be a Europe-wide pattern of high fines for – in some instances relatively minor – issues in the area of TOMs.
Once again, organisations are reminded of the crucial importance of implementing the right TOMs and, in particular, producing sufficient technical and legal documentation in this regard to evidence compliance and to defend against regulatory scrutiny.
This is also crucial because the decision to implement certain TOMs often dates back several years, so it is frequently difficult to reconstruct which TOMs were available at the time and what the rationale for choosing them was.
What happened?
Between 2015 and 2019, AOK, a statutory health insurance company, organised a series of lotteries. This meant collecting the participants’ personal data, including contact details and health insurance affiliation.
As AOK wanted to use the personal data for advertising purposes, it implemented TOMs, ie data-protection protocols and training, to ensure that only the personal data of participants who had given their consent would be processed for such activities.
However, the personal data of more than 500 lottery participants who had not given their consent were nonetheless accidentally processed.
The fine was notably high for what was a relatively ‘minor’ infringement as:
- only a relatively small number of data subjects were affected;
- AOK cooperated with the authority; and
- AOK had TOMs in place (even though insufficient according to the DPA’s opinion).
High fines for Article 32 breaches
Over the last year or so, a number of Europe’s DPAs have imposed fines – some of them quite high – for Article 32 violations. For example:
- the Polish DPA imposed a c.€645,000 fine;
- the French DPA imposed a €400,000 fine;
- the UK DPA imposed a c.€300,000 fine; and
- the Norwegian DPA imposed a €120,000 fine.
But fines in Germany have been particularly high, probably because of the application of the new German model for calculating fines under the GDPR. Particularly striking was the Federal Commissioner for Data Protection and Freedom of Information imposing a fine of €9.55m on a telecoms service provider for failing to prevent unauthorised persons from obtaining customer information via its customer hotline service.
So, despite the difficult operating environment at present, organisations must still ensure that they are complying with the GDPR, including following the TOMs they have put in place. As this German case shows, simply having TOMs is not enough to guarantee leniency from the DPA.