German healthcare company to get GDPR fine this month, regional regulator says
17 April 2019. By Vesela Gladicheva.
A large German healthcare-services company will this month be fined for breaches of EU privacy rules, the data-protection commissioner for the state of Rhineland-Palatinate has told MLex.
Dieter Kugelmann said the unidentified company, based in the state, had failed to properly implement controls mandated by the 11-month-old General Data Protection Regulation, making it possible for data breaches to occur.
Kugelmann's office has been investigating the company, which handles sensitive health records, since January following a complaint that it had violated the GDPR. The rules impose stricter conditions on entities handling sensitive data.
In an interview with MLex, Kugelmann said the German company may decide to appeal the decision, especially if the regulator hands it a large fine. Under the GDPR, fines can be up to 20 million euros ($23 million) or 4 percent of a company's total worldwide annual turnover for the preceding financial year, whichever is higher.
The regulator said he wasn't disclosing the name of the company as the procedure is ongoing. But the probe concerned "a pile of data breaches," including denying individuals access to data that the company holds about them.
"In this case, the core point is that the enterprise says that [there] has been a small fault [and that] only a limited number of people are concerned," Kugelmann said. "But the whole organization is lacking the correct structure. The reason why the breach happened is a lack of technical implementations of the GDPR structure."
"The core difference, finally, is: Is it only a single case concerning limited persons, or is it a case showing that the whole enterprise is organized in the wrong way, not in line with the GDPR, IT security and data protection compliance aspects?"
This logic reflects the Rhineland-Palatinate authority's approach to enforcing data-protection compliance at big enterprises: "They really have to take care about compliance, more than smaller firms," Kugelmann said.
His office is responsible for regulating the data-processing activities of 210,000 companies in the western German state, many of which are in the chemical, pharmaceutical, automotive and machinery industries. Major businesses include chemical maker BASF, drugmaker Boehringer Ingelheim and Internet-services company United Internet.
Kugelmann said imposing sanctions on big players was in part a prevention tactic to get smaller companies to comply with the law.