AOK Baden-Württemberg fined for failing to ensure security of processing

Summary

The health insurance company AOK Baden-Württemberg hosted competitions on various occasions between 2015 and 2019, where personal data such as contact information and health insurance affiliation was collected. AOK wanted to use this information for advertising purposes if the participants had consented accordingly.

For this purpose, AOK implemented various technical and organizational measures, including internal guidelines and data protection training, to ensure that only those who had given valid consent to the processing received advertising material. However, the measures taken were not sufficient, and the personal data of over 500 raffle participants was used for advertising purposes. No insurance data was affected.

As soon as the allegations came to light, AOK immediately discontinued all sales activities.

The Decision of the DPA

The DPA (LfDI) fined AOK Baden-Württemberg 1,200,000 EUR for not meeting the requirements for technical and organizational measures to ensure secure data processing (GDPR, Article 32).

During the investigation, AOK conducted comprehensive internal reviews and adjusted its technical and organizational measures. Its cooperation with the DPA also resulted in a reduction in the amount of the fine.

Our remarks

• Ensure that internal data protection guidelines and training include the principle of integrity and confidentiality, as well as the legal requirements stated in GDPR, Article 32.

• When doing so, assess the level of risk to the data subjects' rights and freedoms in the processing of personal data, to ensure a level of security appropriate to this risk.

• Appropriate measures to ensure security of processing personal data include, but are not limited to (see GDPR, Article 32 for the exhaustive list):
  ° Pseudonymization and encryption of personal data.
  ° Ensuring ongoing confidentiality, integrity and resilience of processing systems.
  ° The ability to restore availability and access in a timely manner in case of incidents.
  ° A process of testing, assessing and evaluating the effectiveness of these technical and organizational measures.

Published: 03-03-2022 Journal number: n/a Tags: 05 Data Security
Complycloud EU GDPR Report