First figures published on GDPR fines in Germany

According to recently published data on the handling of GDPR enforcement, there are significant differences between UK and Germany when it comes to the fines imposed.

Slightly more than a year after the General Data Protection Regulation (GDPR) came into full applicability, German data protection authorities have started to be more active than before. In the immediate aftermath of 25 May 2018, when GDPR became fully applicable, they acted with restraint, supporting companies in their advisory capacity. Now, however, this grade period is over, and the wave of fines begins to roll, albeit slowly, as a recent survey of the magazine “JUVE Rechtsmarkt” (07/2019) shows:

The magazine surveyed the data protection authorities in all German states. They found that throughout Germany, a total of 23,220 data complaints were dealt with and fines amounting to approximately €500,000 were imposed in 107 cases until May of this year. However, both the amount and the number of fines vary considerably between the various German states. For example, the DPA of Baden-Wuerttemberg imposed only ten fines by the end of 2018, but with the highest overall amount of €207,140. The same authority also handed out the highest individual fine of €80,000. In comparison, North Rhine-Westphalia’s DPA imposed 51 fines (highest number overall), but with a total amount of €25,100. The single highest fine issued was merely €1,000.

Compared to the data recently published by the UK Information Commissioner's Office (ICO), huge differences in the national enforcement practices become obvious. The ICO reported that they received around 14,000 personal data breach reports. Of these, around 17.5% required action from the organisation and less than 0.5% (~ 700 cases) led to either an improvement plan or civil monetary penalty. The most striking difference, however, is in the number of fines which have been imposed. As it has been reported earlier last week, the ICO enforced fines of £183m against British Airways and about £100m against the hotel company Marriott.

From a data protection perspective, we are clearly living in interesting times - with data protection authorities sending mixed messages to companies in Europe it is to be expected that the overall number and amount of fines imposed in Germany will rise.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.