Skip to content Skip to sidebar Skip to footer
Menu
Menu
Data Protection & Cybersecurity

Germany’s first GDPR fine issued follows a data breach

December 5, 2018
3 minRead time
GDPR fine Germany
Share This Article
Share Post

The relevance of a GDPR fine have been tested for the first time in Germany following a data breach which creates an interesting precedent for other jurisdictions.

This is an interesting update from my colleagues Jan Spittkaย andย Andreas Rรผdigerย that was initially published on Privacy Matters Blog.

*ย  ย  ย  ย  ย  *ย  ย  ย  ย  ย *

The data breach that led to the GDPR fine in Germany

The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) was the first data protection authority in Germany to impose a fine under the GDPR. The fine of โ‚ฌ 20,000 sanctions the violation by a social media company of its obligation to ensure data security of processing of personal data pursuant to Art. 32 (1) (a) GDPR (obligation to pseudonymise and encrypt personal data).

The company had contacted the LfDI with a data breach notification following a hacker attack in which passwords and email addresses of approximately 330,000 users were stolen and published. It turned out that the company did not hash its customersโ€™ passwords, but stored them in plain text and thus violated Art. 32 GDPR.

How was the privacy fine calculated

In principle, fines of up to โ‚ฌ 10 million, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be issued for such violations (Art. 83 (4) (a) GDPR). According to the LfDI, the very strong cooperation and willingness of the company to implement the guidelines and recommendations of the LfDI were viewed favorably when calculating the relatively low fine.

It appears that the LfDI did not applyย section 43 (4) German Federal Data Protection Actย (BDSG) according to which the notification of a data breach under Art. 33 GDPR may only be used in a procedure under the Act on Administrative Offences against the obligated organization with the organizationโ€™s consent. In the past, the LfDI took the view that this prohibition is not GDPR-compliant and therefore has to be ignored.

The current precedents on GDPR fines in Europe

The fine is the third fine throughout the EU to be made public. So far, fines under the GDPR have also been imposed in Austria (โ‚ฌ4,800 for illegal video surveillance) and Portugal (โ‚ฌ 400,000 for an insufficient data access concept).

You can find interesting on this topic, my blog posts “Are privacy fines really massive under the GDPR?” and “Your To-Do list to get ready for a personal data breach under the GDPR“.

(Visited 1 times, 1 visits today)
Tags:
0LikesShare Post