Who: Data Protection Authority of Rhineland-Palatinate
Where: Germany
When: 29 December 2014
What happened:
The regional German data protection authority of Rhineland-Palatinate (DPA) imposes a record fine of EUR 1,300,000 on the insurance giant Debeka after its sales staff allegedly sought the address data of business customers' employees in order to offer them Debeka's consumer products. The case did not only attract the attention of the DPA. The Public Prosecutor initiated investigations against five employees for allegedly inciting civil servants to violate their secrecy obligations and data protection laws by disclosing details on other officials so that Debeka could market its services to them. On top of this, Germany's insurance regulator, the Federal Financial Supervisory Authority (BaFin), conducted an investigation and required various improvements to the company's data protection organisation.
Why this matters:
At first sight, the case is all about the proper use of data for marketing. It reminds businesses that data must generally be collected directly from the affected individual, or otherwise the individual must have clearly consented to the forwarding of his details to a third party. However, BaFin's call for genuine improvements to Debeka's business organisation, through a strengthened internal data protection framework, shows that the case has a much more fundamental impact. Among other things, BaFin required the company
- to fully document the origin of all data on potential new customers,
- to install a proper data protection organisation, e.g. by entrusting specific employees with oversight of the proper collection and use of personal data,
- to foster the company's compliance organisation, e.g. by establishing a whistleblowing hotline, and
- to provide ongoing data protection training for employees.
Never before has a German supervisory authority stressed so clearly the need for proper data protection management. All companies that process customer or employee data on a large scale should put their organisation to the test: this is the best way to avoid fines and publicity for data protection violations.