The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW) imposed a fine of € 1.24 million on AOK Baden-Württemberg (AOK BW) for the unlawful processing of personal data of more than 500 lottery participants.
What is allowed to be done with data from lotteries?
AOK BW organised several competitions in the years between 2015 and 2019. For this purpose, AOK BW collected personal data of the raffle participants, in particular their contact data and their health insurance affiliation. AOK BW used the personal data of the competition participants for advertising purposes, among other things.
Can data from competitions also be used for advertising?
The LfDI BW found that the participants in the competition had not consented, or at least not sufficiently consented, to the processing of their personal data for advertising purposes. The use of the personal data of the participants in the competition by AOK BW was therefore illegal under data protection law.
What is the fine for a data breach?
It is not known on what basis the LfDI BW calculated the fine of € 1.24 million. More interesting is the reason why the fine was not much higher! The comprehensive internal reviews and adjustments of the technical and organisational measures, as well as the constructive cooperation with the LfDI BW, counted in AOK BW's favour. Furthermore, the LfDI BW took into account the current importance of AOK BW in the fight against the COVID-19 pandemic. A higher fine could possibly have jeopardised the performance of AOK BW.
What does a company have to observe with regard to data protection law in raffles?
The following risks and recommendations for action can be derived for you from the decision of the LfDI BW:
- Take the consent requirement for advertising measures seriously, especially on your website! AOK BW received a fine for about 500 violations. With advertising and tracking measures on websites, several thousand violations subject to fines are likely to add up quickly.
- Do not neglect the topic of technical and organisational measures. An effective declaration of consent is of no use to you if the personal data is not stored in a sufficiently secure manner.
- You must expect that the supervisory authority will "turn your data processing upside down" and probably find violations that you are not thinking of now.
- Fines can reach considerable amounts and bring you or your company to the brink of extinction. In the current uncertain economic times, you should not risk anything here.
We are happy to support you so that your data processing becomes or remains GDPR-compliant. If you have received mail from a data protection supervisory authority, please contact us. We will be happy to assist you in any official proceedings.
GoldbergUllrich Lawyers 2020
Julius Oberste-Dommes LL.M. (Information Law)
Specialist lawyer for information technology law