DKV Seguros y Reaseguros, S.A.E.

Kirjeldus

The Spanish DPA has imposed a fine on DKV Seguros y Reaseguros, S.A.E.. An individual had filed a complaint with the DPA after receiving multiple e-mails from the controller containing information from an unknown person. The controller had sent 51 emails with medical certificates containing the names, surnames and data on medical tests of the data subjects to the wrong recipient. The complainant had alerted the controller to the wrong mailing several times, but the controller did not respond until it learned of the complaint to the DPA. The controller had not reported the data breach to the DPA. In the course of its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to ensure a level of data protection security appropriate to the risk. The original fine of EUR 220,000 was reduced to EUR 132,000 due to voluntary payment and admission of responsibility.