Germany: First data protection authority issues GDPR fine

The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) was the first German data protection authority to impose a fine under the GDPR. The fine of € 20,000 sanctions the violation by a social media company of its obligation to ensure data security of processing of personal data pursuant to Art. 32 (1) (a) GDPR (obligation to pseudonymise and encrypt personal data).

The company had contacted the LfDI with a data breach notification following a hacker attack in which passwords and email addresses of approximately 330,000 users were stolen and published. It turned out that the company did not hash its customers’ passwords, but stored them in plain text and thus violated Art. 32 GDPR.

In principle, fines of up to €10 million, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be issued for such violations (Art. 83 (4) (a) GDPR). According to the LfDI, the very strong cooperation and willingness of the company to implement the guidelines and recommendations of the LfDI were viewed favorably when calculating the relatively low fine.

It appears that the LfDI did not apply section 43 (4) German Federal Data Protection Act (BDSG) according to which the reporting of a data breach under Art. 33 GDPR may only be used in a procedure under the Act on Administrative Offences against the obligated organization with the organization’s consent. In the past, the LfDI took the view that this prohibition is not GDPR-compliant and therefore has to be ignored.

The fine is the third fine throughout the EU to be made public. So far, fines under the GDPR have also been imposed in Austria (€4,800 for illegal video surveillance) and Portugal (€400,000 for an insufficient data access concept).

For further information please contact Jan Spittka (Senior Associate, Cologne) or Andreas Rüdiger (Associate, Cologne).