German Supervisory Authorities have issued 41 fines since the EU General Data Protection Regulation ('GDPR') became enforceable in May 2018. The highest fine in a single case was EUR 80,000, and the majority of fines (33) originated from the state of North Rhine-Westphalia.
Fines were levied for a variety of GDPR violations, such as inadequate technical and organisational security measures, non-compliance with information duties and sending unauthorised marketing emails. The highest fine of EUR 80,000, which originated from the state of Baden-Württemberg, related to sensitive health data being made available on the internet due to inadequate security measures.
First GDPR Non-Compliance Fine
The first GDPR non-compliance fine in Germany was issued on 21st November 2018. The Supervisory Authority of Baden-Württemberg imposed a fine of EUR 20,000 against a German social media provider for failing to encrypt user passwords. Email addresses and passwords of about 330,000 users of the provider's social media website were hacked and published on the internet.
The provider notified the Supervisory Authority of the personal data breach and provided extensive information concerning its data processing activities. From the information supplied to it, the authority learned that user passwords were stored unencrypted.
Pursuant to Article 32 of the GDPR, companies must implement appropriate technical and organisational measures to secure personal data so that the rights and freedoms of the concerned natural persons are protected. To determine the appropriate measures, organisations must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing the personal data.
Based on those considerations, and on the fact that encryption of personal data is listed as an appropriate measure in Article 32(1)(a) of the GDPR, the Supervisory Authority of Baden-Württemberg determined that the social media provider should have encrypted user passwords rather than processing them in plain text, in order to ensure a level of protection appropriate to the risks. Consequently, the authority concluded that the provider had violated Article 32(1)(a) of the GDPR and imposed a fine pursuant to Article 83(4).
The authority's fine could have been as high as EUR 10 million or 2% of the company's worldwide turnover of the previous year, whichever is higher. However, when determining the amount of the fine, the Supervisory...