In December 2014, the regional German data protection authority (DPA) of Rhineland-Palatinate imposed a record fine of EUR 1.3 million on insurance giant Debeka after its sales staff allegedly sought address data of administration customers' employees in order to offer them Debeka's insurance products. Yet, the case did not only attract the attention of the DPA. The public prosecutor initiated investigations against five employees because of an alleged incitement of civil servants to violate secrecy obligations and data protection laws by disclosing details on other officials in order for Debeka to market services to them. On top of this, Germany's insurance regulator, the Federal Financial Supervisory Authority (BaFin), conducted an investigation and required various improvements of the company’s data protection organisation.
At first sight, the case is all about a proper marketing use of data. It reminds businesses that data must generally be collected directly from the affected individual or otherwise the individual must have clearly consented to the forwarding of his details to a third party. In particular, the call by the BaFin for genuine improvements to Debeka’s business organisation through the strengthening of the internal data protection framework shows, however, that it has a much more fundamental impact. Under more, the BaFin required the company:
- to fully document the origin of all data on potential new customers;
- to install a proper data protection organisation, e.g., by entrusting specific employees with the oversight over the proper collection and use of personal data;
- to foster the company’s compliance organisation, e.g., by establishing a whistleblowing hotline, and
- to train the employees in data protection matters.
Never before has a German supervisory authority stressed so clearly the need for proper data protection management. All companies that process customer or employee data on a large scale should put their organisation to the test—the best way to avoid fines and publicity for data protection violations.
If you want to comment on this post, you need to login.