Insurance company – €135,000 Fine (Luxembourg, 2021)

€135,000 | Commission Nationale pour la Protection des Données | 5 August 2021 | Luxembourg
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A Luxembourg insurance company was fined EUR 135,000 after an employee mistakenly sent sensitive customer information to the wrong person. The company failed to report the breach on time and did not have adequate security measures in place. This case highlights the importance of protecting sensitive data and promptly reporting breaches.

What happened

An insurance company was fined for sending sensitive customer data to the wrong email address and failing to report the breach promptly.

Who was affected

Customers of the insurance company whose sensitive health information was accidentally shared with an uninvolved third party.

What the authority found

The Luxembourg DPA found that the company lacked adequate security measures and failed to report the data breach in a timely manner, violating GDPR rules.

Why this matters

This case underscores the necessity for companies to implement strong security measures and to act quickly in reporting data breaches. It serves as a reminder that mishandling sensitive information can lead to significant fines and damage to reputation.

GDPR Articles Cited

AI-verified

Art. 5(1)(f) GDPR
Art. 32(1)(a) GDPR
Art. 33(1) GDPR

Source verified 6 March 2026 (verified correct)

Full Legal Summary (detailed)

The DPA of Luxembourg has imposed a fine of EUR 135,000 on an insurance company. On October 19, 2018, an employee of the controller sent an e-mail to an uninvolved third party instead of the data subject. This occurred because the employee had incorrectly entered the data subject's e-mail address. In addition to the name and gender of the data subject, the e-mail contained detailed information about the data subject's illnesses. The attachment also contained three forms relating to illnesses that the data subject had reported in connection with the conclusion of a life insurance policy.

On November 29, the same incident occurred. The second misdirected e-mail contained, in addition to the data subject's name, very specific questions about a particular pathology, the last name of the life insurance doctor, the address of that doctor, and two blank forms related to the pathology to be filled out by the data subject or their doctor.

The DPA noted that it had not been informed of the data breach in a timely manner in accordance with Art. 33 GDPR. The company had also not complied with its documentation obligation under Art. 33(5) GDPR. Furthermore, the DPA found that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk for the data subjects.

Related Enforcement Actions (0)

No other enforcement actions found for Insurance company in LU

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

5 August 2021

Authority

Commission Nationale pour la Protection des Données

Fine Amount

€135,000

Enforcement Tracker ID

ETid-866

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Insurance company - Luxembourg (2021). Retrieved from cookiefines.eu
