The GDPR (General Data Protection Regulation) defines the rules under which fines are imposed. Fines are set on a two-tier scale, and the tier depends on the type of violation: the lower tier is capped at € 10,000,000.00 or 2 percent of a company's total worldwide annual turnover, the upper tier at € 20,000,000.00 or 4 percent, in each case whichever amount is higher. Because this range is so wide and the authorities have considerable discretion within it, what matters in practice is how and when the responsible supervisory authorities actually make use of these sanctions.
In their practice of imposing fines, the supervisory authorities of the German federal states were initially passive after the GDPR became applicable. The authorities justified this with staff shortages and with the fact that, in the first phase after the regulation came into force, they wanted to act in an advisory capacity rather than as enforcers.
Since the beginning of 2019, however, there have been signs that this restraint is being abandoned, and significantly higher fines are now being imposed.
Berlin moves ahead: fines worth millions
As early as August 2019, the Berlin data protection commissioner imposed what was at the time the highest fine nationwide: a penalty of € 195,407.00 against an online food ordering service. That decision is now legally binding. In the press release of September 19, 2019, the authority emphasized that the high number of repeated violations pointed to fundamental, structural organizational problems. According to the commissioner, this was the first case in which such structural deficiencies were treated as a particularly aggravating factor.
In a decision published on November 5, 2019, the Berlin data protection commissioner imposed a fine of more than € 14,500,000.00 on a German real estate company. The background was the retention of tenants' personal data without a legal basis: the company had kept the data in an archive system for many years and did not regularly check whether the stored information was still needed.
How are fines calculated?
In assessing the amount of the fine, the data protection authority stated, among other things, that the long duration of the storage had been taken into account, and that the archive structure it objected to had been set up deliberately. Deliberate action was not, however, treated as a prerequisite for imposing the fine; it was considered only when determining its amount. The fine is not yet legally binding. The authority also noted in its press release that such "data cemeteries" are frequently encountered in supervisory practice.
What does this mean in practice?
The data protection authorities are becoming more active and more willing to impose fines. They are evidently focusing on companies where violations are structural and systematic; a specific, serious individual incident is not required. Merely collecting and archiving data without checking whether it is still needed can itself constitute an infringement, and it counts as an aggravating factor if the archiving has been practiced for many years, even if the practice predates the GDPR and was never objected to before.
We recommend subjecting the current data-processing practice to a GDPR check, in particular the retention periods and deletion routines applied to archived personal data. In most cases it is then sufficient to bring the data protection practice into line as quickly as possible.