German health insurer fined for data breach

The commissioner for data protection and freedom of information in Baden-Wuerttemberg, southwestern Germany, has levied a €1.24m ($1.40m) fine on a local health insurer.

The case arose from the way AOK Baden-Wuerttemberg handled data from participants in sweepstakes organised between 2015 and 2019. The information collected was used for advertising purposes, provided participants had given their consent.

But AOK’s processes failed to meet legal requirements, with the result that the personal data of more than 500 competition participants was used without their consent.

Once the allegation became known, AOK ceased sales, reviewed processes, set up a task force for data protection in sales and adapted internal processes and control measures, the commissioner’s office said.

More actions will be taken, and adjusted as necessary, in coordination with the commissioner, Stefan Brink.

“Data security is an ongoing task,” he said. “Technical and organisational measures must be regularly adapted to the actual situation in order to ensure an adequate level of protection in the long term.”

Insurance data was unaffected by the data breach, said the commissioner’s office.
