The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) has become the first authority in Germany to impose a penalty under the General Data Protection Regulation (GDPR) by fining Knuddels, a social media company, €20,000 for breaches of its data security obligations.
Knuddels was hacked in July 2018 and passwords and email addresses of around 330,000 of its users were stolen and made public. When Knuddels learned of the attack it informed its users and notified a data breach to the LfDI. who found that it had violated its obligation to ensure the security of its users’ data under Art.32 GDPR by continuing to store that data in an unencrypted, plain text format with no safeguards in place.
Under Art.83 GDPR, the LfDI had the power to impose a fine of up to €10 million or up to 2% of Knuddel’s annual worldwide turnover of the previous financial year (if higher). Against this, a fine of €20,000 (a mere 0.2% of the maximum penalty the LfDI could have sought to exact) may disappoint those who have anticipated existential fines for businesses, despite comments from supervisory authorities to the contrary and low GDPR fines to date (for example, the €4,800 fine imposed in October by the Austrian Data Protection Authority).
The key reason that the LfDI did not punish Knuddels more harshly was the effectiveness of its data breach response strategy. In its statement, the LfDI praised Knuddels for its “exemplary” transparency and willingness to implement the regulator’s suggestions and described its level of cooperation as “extraordinary”. In this instance the LfDI was more concerned with improving data security than levying the highest fine possible. It was satisfied that Knuddels had already markedly increased the security of its users’ data and would continue to do so and so did not feel it necessary to punish the company more harshly.
This decision serves as a reminder of the importance of ensuring that your business has a stringent and well-tested data breach response strategy in place, not only to ensure that customer data security can quickly be restored if the worst should happen, but also as a potential safeguard against facing the full force of the GDPR fine regime. It is also clear that working closely with your regulator in the event of a breach is as important as ever, if not more so. If you have any questions, Simmons & Simmons has a specialised data breach response team who can assist. For more information please contact Paul Baker, Robert Allen or Felix Zimmerman.
You can read the LfDI’s full press release about the fine here (in German only).
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.