technology · Healthcare · 2021
AOK Baden-Württemberg
The Baden-Württemberg State DPA (LfDI BW) fined statutory health insurer AOK Baden-Württemberg €1.24 million for unlawfully passing the personal data of 500,000 policyholders — including names, addresses, and insurance numbers — to partner lottery operators for direct marketing without member consent. Members were not informed their data would be shared with third-party lottery companies, and the LfDI found no adequate legal basis for the transfer under GDPR Art. 6. AOK had organised branded prize draws with lottery partners and provided member data to enable the lottery operators' own follow-on marketing campaigns.
Fine Imposed: €1.2M
Authority: BW-DPA-DE
Regulation: Bundesdatenschutzgesetz (Federal Data Protection Act 2018)
Max fine: GDPR maxima apply (€20M / 4% global turnover); BDSG §43 adds up to €300,000 for certain specific violations
Status: active
Key Takeaways
- Health insurers cannot repurpose member data for third-party marketing partnerships without explicit consent — GDPR purpose-limitation prohibits using health-linked membership data for commercial lottery or marketing programmes even when the insurer derives financial benefit.