The commissioner for data protection and freedom of information in Baden-Wuerttemberg, southwestern Germany, has levied a €1.24m ($1.40m) fine on a local health insurer.
The case arose from the way AOK Baden-Wuerttemberg handled data from participants in sweepstakes organised between 2015 and 2019. The information collected was used for advertising purposes, provided participants had given their consent.
But AOK’s processes failed to meet legal requirements, with the result that more than 500 competition participants’ personal data was used without their consent.
Once the allegation became known, AOK ceased sales, reviewed processes, set up a task force for data protection in sales and adapted internal processes and control measures, the commissioner’s office said.
More actions will be taken, and adjusted as necessary, in coordination with the commissioner, Stefan Brink.
“Data security is an ongoing task,” he said. “Technical and organisational measures must be regularly adapted to the actual situation in order to ensure an adequate level of protection in the long term.”
Insurance data was unaffected by the data breach, said the commissioner’s office.