The DPA of Baden-Württemberg (Germany) fined a health insurance company 1’240’000 EUR for insufficient implementation of technical and organisational measures (TOMs), which resulted in personal data of approx. 500 individuals being accidentally processed for advertising purposes without due consent.
The fine is quite high, especially given that there have been some mitigating factors in this case:
- not too many data subjects concerned
- cooperation with DPA
- TOMs were not absent altogether; their level of implementation was just insufficient
Besides, no data breaches or other factors posing a (high) risk to data subjects were identified.
The investigation resulted in one of the highest fines issued under Article 32 (if not the highest). This can be explained, in particular, by the adoption of the German model for calculating fines under the GDPR.
Anyway, this is another reminder for controllers and processors about the importance of putting in place TOMs appropriate to the risk, as ‘somewhat good’ TOMs are unlikely to be enough.
More to read – see below.