The Debeka Krankenversicherungsverein a.G. (Debeka) insurance group accepted the fine of 1.3 million euros issued by the Commissioner for Data Protection and Freedom of Information – LfDI (Landesbeauftragten für den Datenschutz und die Informationsfreiheit) of the German state of Rhineland-Palatinate.
Debeka was fined due to a violation of data protection laws when processing personal data that the company had received from so-called tipsters. Tipsters provide insurance agents with names and contact information of people potentially looking to conclude a contract.
As a result of the data breach, the company policy on tipsters at Debeka has been amended. A monitoring process has been established so that disclosing addresses is only possible if the parties concerned give their formal consent.
As a result of this incident, Data Protection Officers at insurance companies must check whether and to what extent their company organizes and controls the addresses generated by tipsters. The fine against Debeka clearly shows that data protection compliance through corporate policies alone (without accompanying inspections) is not enough for the supervisory authorities. In addition, the LfDI initially aimed to prosecute the board members of Debeka, but refrained from doing so due to the company’s willingness to cooperate, which minimized the amount of the fine.
Debeka demonstrated exemplary crisis communication after learning of the incident. In addition to seamlessly providing information and joint statements to the LfDI, the company is making an extra €600,000 available to set up an endowed chair that will oversee the basic research for ensuring effective data protection and its implementation in practice.