German DPA issues €1.24m fine for failure to implement appropriate technical and organisational measures

If you are familiar with the GDPR (General Data Protection Regulation), you will have heard the phrase “appropriate technical and organisational measures” more than once.

It’s mentioned numerous times in the GDPR but, it has to be said, the Regulation hasn’t given great guidance on what “appropriate technical and organisational measures” actually are.

Article 32, in relation to security of processing, does make some attempt suggesting that organisations should do the following:

  • Pseudonymise and encrypt personal data
  • Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Be capable of restoring the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident
  • Regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the processing.

The ICO (Information Commissioner’s Office) in the UK suggests “you consider things like risk analysis, organisational policies, and physical and technical measures.”

However, the German Data Protection Authority of Baden-Württemberg (DPA) is seemingly more definitive on what “appropriate technical and organisational measures” mean, as it has issued a number of fines for failure to implement such measures.

Notably, it issued a €1.24 million in June 2020 and a €9.55 million fine in December 2019, which we discuss below.

AOK Baden-Württemberg (AOK)

The German DPA imposed a fine of €1.24 million on AOK, on 25 June 2020, for failing to implement appropriate technical and organisational measures to ensure the security of personal data, as per Article 32, GDPR.

In this instance, technical and organisational measures were in place, they were just not seen to be appropriate or adequate by the DPA

AOK had obtained consent from individuals for the processing of personal data for advertising purposes and the organisation had implemented technical and organisational controls to ensure that only those who had consented, were included in AOK’s advertising activities.

However, AOK’s 500-plus participants, who had not consented to the processing of their personal data for advertising purposes, inadvertently had their data processed.

AOK cooperated with the DPA and took immediate actions to rectify the situation. Despite the low numbers impacted, and the level of cooperation with the DPA, the fine was still quite substantial.

1&1 Telecom GmbH

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed a fine of €9.55 million on 1&1 Telecom GmbH in December 2019.

The BfDI found that the organisation did not have sufficient technical and organisational measures in place to prevent unauthorised access to customer information.

1&1 Telecom was acknowledged by the BfDI to be very cooperative and transparent. It also appears that the breach was in relation to one case involving a telephone inquiry for the mobile number of a former partner.

Key takeaways

While its good to have technical and organisational measures in place, you need to ensure that they are suitable – i.e. they will ensure a level of security appropriate to the risk.

You can ensure that your GDPR compliance measures are appropriate with the help of our GDPR Toolkit. It contains a complete set of easy-to-use documentation templates, which will help formalise your approach to GDPR compliance while saving you time and money.

The toolkit also includes:

  • Helpful dashboards and project tools to ensure complete GDPR coverage;
  • Direction and guidance from expert GDPR practitioners; and
  • Two licences for the GDPR Staff Awareness E-learning Course.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.