The Baden-Württemberg Commissioner for Data Protection and Freedom of Information (LfDI) has imposed a fine of € 1,240,000 on the AOK Baden-Württemberg health insurance provider. The reason? Data processing errors related to prize draws it ran: in 500 cases the health insurance provider had not obtained valid consent from prize draw entrants for the processing of their data. An internal whistleblower notified the LfDI about the breach.
Between 2015 and 2019, AOK Baden-Württemberg ran prize draws that, among other things, involved the collection of entrants’ contact details and health insurance memberships. Prize draw entrants were supposed to complete a form beforehand and consent to data processing for further advertising measures by providing their signature and checking a box. However, the data protection authority did not consider this consent to have been validly granted in 500 cases.
As soon as it became aware of the allegation, the AOK discontinued all sales measures in order to thoroughly review its processes and cooperated with the authority, which nonetheless imposed a seven-figure fine. When calculating the fine, the fact that the AOK as a statutory health insurance provider is an important part of the German health system counted in its favor: its ability to carry out this statutory role should not be put at risk, especially accounting for the impact of the coronavirus pandemic. The AOK Baden-Württemberg will accept the fine.
The possibility to use personal data from the prize draw for additional promotional purposes requires that the data controller can provide proof of a valid consent to data processing (Art. 7 (1) GDPR). According to a recent verdict of the Higher Regional Court of Frankfurt (June 27, 2019 – 6 U 6/19), it is permissible in principle to request voluntary consent as a condition for entering a prize draw and this does not breach what is known as the tying ban (although this issue is disputed). In this case, the required box had not been checked although the corresponding signatures had been supplied on the forms. For this reason, Baden-Württemberg’s data protection authorities did not consider this consent to be valid and the data should not have been processed for advertising purposes. This is debatable, especially as a signature alone can also represent consent. However, in the absence of more detailed information on the reasoning for the decision, a more comprehensive discussion of the topic is not possible at this stage.
The data protection authority believes that effective technical and organizational measures could have prevented the breach. Unfortunately, it is also unclear why the data protection authority sanctioned a breach of Art. 32 GDPR (security of processing) rather than, for example, Art. 6 GDPR (lack of a legal basis); the LfDI's approach is therefore questionable in this respect as well. Technical measures include not only the general security of data and systems, but also a continual, GDPR-compliant review and update of internal databases, which need to be audited and cleaned up on a regular basis. This goes hand in hand with the implementation of a dedicated concept for blocking and erasing any records for which no legal basis for storage and processing applies, or for which this legal basis has lapsed (e.g. because a valid consent has been revoked with future effect). From an organizational perspective, the measures in question must, for instance, enable the people responsible for the data processing to work in a manner compliant with data protection law. Specific working instructions, e.g. in the form of guidelines and training, are recommended within the framework of a compliance structure that is consistent with the GDPR. Ideally, this should be supported by technical tools that prevent unauthorized data processing. All measures must be meticulously documented. If a mistake does occur, the company in charge of the data processing will then be able to demonstrate that it took the required steps to prevent breaches.
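As an added illustration (not part of the original article and not the AOK's own system), the following Python sketch models the two technical measures this paragraph calls for: a gate that releases prize draw records for advertising only where consent is provable under the strict reading applied by the LfDI (signature and checked box), and a periodic blocking and erasure run for records whose legal basis is missing or has lapsed. The record schema, the field names and the sample entries are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class EntrantRecord:
    """One stored prize draw entry form (constructed sample schema, not the AOK's)."""
    entrant_id: str
    signed: bool                        # signature supplied on the form
    box_checked: bool                   # separate advertising-consent box ticked
    revoked_on: Optional[date] = None   # consent withdrawn; effective from this date on


def has_valid_advertising_consent(rec: EntrantRecord, on: date) -> bool:
    """Art. 7(1) GDPR: the controller must be able to prove consent.
    Strict reading applied by the LfDI: signature AND ticked box are both
    required; a signature alone does not count. Revocation has future effect
    only, so processing before the revocation date remains covered."""
    if not (rec.signed and rec.box_checked):
        return False
    return rec.revoked_on is None or on < rec.revoked_on


def select_for_advertising(records: List[EntrantRecord], on: date) -> List[str]:
    """Technical gate in front of the advertising pipeline: only records with a
    provable legal basis on the processing date are released."""
    return [r.entrant_id for r in records if has_valid_advertising_consent(r, on)]


def blocking_and_erasure_run(records: List[EntrantRecord],
                             on: date) -> Tuple[List[EntrantRecord], List[str]]:
    """Periodic clean-up: records without a (still valid) legal basis are removed
    from the advertising data set. Returns (retained records, erased ids) so the
    run itself can be documented, as the paragraph requires."""
    retained = [r for r in records if has_valid_advertising_consent(r, on)]
    erased = [r.entrant_id for r in records if not has_valid_advertising_consent(r, on)]
    return retained, erased


# Constructed sample data mirroring the situations described in the article.
SAMPLE_RECORDS = [
    EntrantRecord("A-001", signed=True, box_checked=True),
    EntrantRecord("A-002", signed=True, box_checked=False),   # signed, box not ticked
    EntrantRecord("A-003", signed=True, box_checked=True, revoked_on=date(2020, 1, 15)),
    EntrantRecord("A-004", signed=False, box_checked=True),   # box ticked, no signature
]

if __name__ == "__main__":
    print(select_for_advertising(SAMPLE_RECORDS, date(2020, 1, 1)))   # ['A-001', 'A-003']
    kept, gone = blocking_and_erasure_run(SAMPLE_RECORDS, date(2020, 2, 1))
    print([r.entrant_id for r in kept], gone)   # ['A-001'] ['A-002', 'A-003', 'A-004']
```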
Errors in implementing technical and organizational data protection and data security measures can be very costly for companies. The present case is reminiscent of the facts of the Deutsche Wohnen SE case from 2019. The real estate company in question stored personal data about its tenants for years without checking whether this was lawful and necessary. In fact, the company's database had no capability for erasing data that were no longer needed. As a result, Deutsche Wohnen SE was hit with a fine of € 14.5 million.
However, the ruling also has severe consequences for the advertising industry. Whereas before the GDPR the unlawful processing of advertising-related data was usually sanctioned only by way of warnings and injunctive proceedings under private law, companies now face the additional risk of severe fines under the GDPR regime. If they have not done so already, advertisers should rethink how they can engage in direct advertising in a GDPR-compliant manner. A mere reference to section 7 of the German Act against Unfair Competition (UWG) is not sufficient.
In practical terms, it is more important than ever for businesses to review their own technical and organizational data protection measures, improve them as needed, and develop and document a concept to protect themselves against potential data protection breaches. Finally, one should heed the words of Stefan Brink, Baden-Württemberg's Commissioner for Data Protection and Freedom of Information: "Data security is an ongoing obligation".