Inquiry into Allianz plc - June 2022

(IN-21-2-1)

Date of Decision: 28 June 2022

This decision arose from an own-volition inquiry commenced by the DPC pursuant to section 110 of the Data Protection Act 2018 to consider whether Allianz had complied with the GDPR in relation to its processing operations.

The inquiry was initiated after Allianz had notified 49 personal data breaches to the DPC between 25 June 2020 to 31 December 2020. In total approximately 60 data subjects were affected by the personal data breaches.

The decision considered whether Allianz had complied with Article 32(1) GDPR and in particular whether Allianz had implemented appropriate technical and organisational measures to ensure a level of risk appropriate to the risks associated with its processing operations.

The decision found that Allianz had complied with its obligations under Article 32(1) GDPR. It was held Allianz had implemented policies, which were specifically tailored to the risks associated with the processing. Allianz also provided repeated training to sectors of the business, which were the most susceptible to personal data breaches of this kind. Allianz also took proactive measures to counter the increasing risk profile of some business units by implementing additional security measures after some personal data breaches occurred. These measures included an External Email Warning Tool and increased spot checks in the post room.

Accordingly, no corrective powers were exercised in this decision.

For more information, you can download a copy of the full decision at this link: Allianz plc - June 2022 (PDF, 348 KB).