500 unlawful marketing e-mails with insufficient consent cost € 1.24 million

On 25 June 2020, the data protection authority of Baden-Württemberg in Germany imposed a fine of €1.24m on the statutory health insurance company AOK for unlawful e-mail marketing involving the use of about 500 e-mail addresses without proper consent. The German press release is linked here (English version Google translate).  This is equivalent to 2,480 euros per e-mail address. This unlawful marketing resulted from a breach of the technical and organisational measures requirements laid down in Article 32 General Data Protection Regulation ("GDPR").

1. Background

Between 2015 and 2019, the insurance company AOK organized competitions on various occasions and collected personal data of the participants, including their contact details and health insurance affiliation. The insurance company also wanted to use the data of the competition participants for advertising purposes and tried to collect valid consent in this respect. The AOK had already implemented internal policies and data protection training to ensure this. However, these measures did not meet the legal requirements demanded by the regulator, because failures in the processes still led to the personal data of more than 500 sweepstake participants being used for advertising purposes without their effective consent. This processing did not affect insurance related personal data.

2. Amount and proportionality of the fine

Despite the matter only involving a relatively low number of around 500 data subjects  the regulator said the fine would have been much higher than €1.24m without mitigating factors that were considered by the regulator.  Normally the fine in case of an infringement of Article 32 GDPR could even have been up to 2% of the total worldwide annual turnover of the preceding financial year or up to € 10m, whichever is higher. Any organisation with a high annual turnover like the AOK is therefore hit particularly hard, even for infringements that appear minor.

Though not made explicitly clear, the notional higher starting point for the fine (which has not yet been explicitly clarified by the regulator) appears to have been calculated using the model used by the German Data Protection Conference ("DSK"), which is being used by the 17 different data protection authorities in Germany.  The mitigating factors involved the following:
 

• Applicability of the lower level of fines under Art. 83 (4) GDPR (up €10m or 2% of the total worldwide annual turnover, instead of up to €20m or 4% of the total worldwide annual turnover of the preceding financial year).
• The fact that the statutory health insurance scheme has an important duty to protect the health of the insured. It was decided that this should not be endangered through a particularly large fine, especially during the time of the COVID-19 epidemic.
• The organisation stopped all sales measures immediately after the allegation became known.
• The organisation cooperated with the authority throughout the process.
• The organisation founded a task force for data protection in sales as a result of this incident.
• The organisation revised the declarations of consent that they used.
• The organisation adapted internal processes and control structures.

Despite all these mitigating factors and what still appears to be a very large fine, the regulator stressed that it does not aim at particularly high fines, but only at a particularly good and adequate level of data protection. However, whether this objective can be achieved by fines alone seems doubtful in the absence of clear rules on technical and organisational measures.

3. Key Takeaways

The decision highlights the significant risk organisations face under the GDPR for what might seem like relatively minor mistakes. With that in mind the key takeaways are:
 

• The model for calculating fines is not suitable for all cases, and even for rather minor infringements, those organisations with a high turnover in the previous year will be hit extremely hard.
• The lump-sum payment of fines based on a company's turnover and the calculation model can lead to excessive fines. This is a wake-up call that data protection and data security should be a core issue in every company!
• The exact scope of technical and organisational measures in the field of marketing and sweepstakes should be analysed by each organisation.
• Cooperation with authorities, timely remedial action and the fact that an organisation plays an important public role may reduce fines but does not protect organisations from extraordinarily high fines.
• Collaboration should be given a higher priority by the authorities, since only the clarity of facts - even if they may be unpleasant - meets the interest of individuals and their data protection.
• In this light, it seems doubtful to what extent it really does any good if companies cooperate.  It is to be feared that organisations will tend to try to conceal facts in the future, which is contrary to the purpose of data protection.
• Furthermore, the future will show whether this will mark a turning point for generally higher penalties by German authorities.