Why did the German health insurer get 1.24M Euro fine?

Maja
Jul 6, 2020

Going over all the fines issued so far for violations of the General Data Protection Regulation (GDPR), I have noticed that not all Data Protection Authorities (DPAs) move at the same pace or apply the same criteria when deciding who should get a fine and who should just get a slap on the wrist.

Just recently, a German state DPA issued a whopping 1.24M euro fine for a violation of Article 32 of the GDPR (security of processing). In other words, when processing personal data, the company failed to implement appropriate technical and organizational measures to ensure compliance.

One of the biggest issues that Data Protection Officers (DPOs) face when creating their privacy programs is the lack of judicial practice: what is considered appropriate, and what is considered enough?

As I continued reading, I came to realize that AOK Baden-Württemberg, the company that received the fine and the biggest health insurer in southwest Germany, had actually taken steps to ensure it was compliant. Somehow, this wasn't enough.

So, from 2015 to 2019 the company organized sweepstakes and collected various personal data from participants, including their contact details and their affiliation with the health insurance company. AOK Baden-Württemberg then wanted to use the collected data for advertising purposes.

According to the German state DPA, AOK had implemented technical and organizational measures, including internal guidelines and data protection training, and wanted to ensure that only data from individuals who had previously given effective consent was used for advertising purposes.

So, what went wrong? It is hard to imagine that a company with over 4.5 million clients has not dedicated enough resources to ensuring compliance. Moreover, is your organization really compliant, or is it just a mirage, and how much could this cost you?

To be fair, the amount of a fine will always depend on numerous factors, such as annual revenue, the sensitivity of the data, and the severity of the violation, but aside from the financial penalty, the company's reputation is also on the line.

That is why this fine sparks my curiosity: I would love to know what their omissions were.

Read more about it here

Maja, product marketing specialist for Data Privacy Manager