The relevance of a GDPR fine has been tested for the first time in Germany following a data breach, which creates an interesting precedent for other jurisdictions.
* * *
The data breach that led to the GDPR fine in Germany
The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) was the first data protection authority in Germany to impose a fine under the GDPR. The fine of € 20,000 sanctions the violation by a social media company of its obligation to ensure the security of processing of personal data pursuant to Art. 32 (1) (a) GDPR (obligation to pseudonymise and encrypt personal data).
The company had contacted the LfDI with a data breach notification following a hacker attack in which passwords and email addresses of approximately 330,000 users were stolen and published. It turned out that the company did not hash its customers’ passwords, but stored them in plain text and thus violated Art. 32 GDPR.
How was the privacy fine calculated?
In principle, fines of up to € 10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be issued for such violations (Art. 83 (4) (a) GDPR). According to the LfDI, the company's very strong cooperation and its willingness to implement the guidelines and recommendations of the LfDI were viewed favorably when calculating the relatively low fine.
It appears that the LfDI did not apply section 43 (4) of the German Federal Data Protection Act (BDSG), according to which the notification of a data breach under Art. 33 GDPR may only be used in a procedure under the Act on Administrative Offences against the obligated organization with the organization's consent. In the past, the LfDI took the view that this prohibition is not GDPR-compliant and therefore has to be ignored.
The current precedents on GDPR fines in Europe
The fine is the third fine throughout the EU to be made public. So far, fines under the GDPR have also been imposed in Austria (€ 4,800 for illegal video surveillance) and Portugal (€ 400,000 for an insufficient data access concept).
On this topic, you may also find my blog posts "Are privacy fines really massive under the GDPR?" and "Your To-Do list to get ready for a personal data breach under the GDPR" interesting.