The GDPR enhances and unifies personal data protection standards across the EU, granting individuals increased control over their personal data. It also sets uniform data protection rules for all EU member states. Under the GDPR, businesses and organizations that process personal data must ensure that they have appropriate technical and organizational measures in place to protect the personal data of their customers, employees, and other individuals. This includes, but is not limited to, measures such as encryption, data minimization, and employee training.
If a business or organization breaches the GDPR, it can be subject to significant fines. The GDPR gives supervisory authorities the power to impose fines of up to 4% of a company’s annual global turnover or €20 million (whichever is greater) for severe breaches. For a less serious data breach, the maximum fine is 2% of a company’s annual global turnover or €10 million (whichever is greater).
In Germany, there have been several high-profile cases in which the GDPR has been used to impose multi-million euro fines on companies for a data breach. For example, a major German retailer was fined €35 million for failing to implement appropriate technical and organizational measures to protect the personal data of its customers. Also, a German telecoms company was fined €20 million for collecting and using the personal data of its customers without their consent.
BDSG-new and GDPR
The Bundesdatenschutzgesetz (BDSG-new) is the German data protection law that implements the GDPR in Germany. The BDSG-new came into effect on May 25, 2018, the same day the GDPR took effect across the European Union (EU).
The BDSG-new applies to data processing carried out by businesses and organizations in Germany, and by German businesses and organizations outside Germany. It is designed to ensure compliance with the GDPR and to provide additional protection for the personal data of individuals in Germany. Businesses and organizations in Germany must comply with both the GDPR and the BDSG-new to avoid costly fines and other consequences.
As part of the GDPR, the BDSG-new establishes a number of data protection authorities (DPAs) in Germany, which are responsible for enforcing the GDPR and the BDSG-new. In Germany, there are two main DPAs: the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information) and the Landesbeauftragte für den Datenschutz und die Informationsfreiheit (State Commissioner for Data Protection and Freedom of Information).
The Bundesbeauftragte is responsible for enforcing the GDPR and the BDSG-new at the federal level, including for businesses and organizations headquartered in Germany. The Landesbeauftragte is responsible for enforcing the GDPR and the BDSG-new at the state level, including for businesses and organizations with operations in the individual states.
GDPR fines in Germany of 2022
Since the GDPR came into effect, there have been a number of high-profile cases in which it has been used to impose significant fines on companies for breaches of data protection rules. In 2022, German data protection authorities imposed a number of fines on companies for GDPR violations.
These fines have varied in size depending on the severity of the breach and the company’s cooperation with the investigation. Examples of GDPR fines in Germany in 2022 include a fine of €50,000 imposed on a property development company for failing to provide information about the origin of personal data, a fine of €1.9 million imposed on a housing association for unlawfully processing sensitive data about prospective tenants, and a fine of €900,000 imposed on a bank for analyzing customer data without consent.
Housing association BREBAU GmbH was fined €1.9 million on 03-03-2022
The data protection authority (DPA) of Bremen in Germany has imposed a fine of EUR 1.9 million on the housing association BREBAU GmbH for unlawfully processing the personal data of over 9,500 individuals. The DPA found that BREBAU GmbH had processed particularly sensitive data, such as information about skin color, ethnic origin, religious affiliation, sexual orientation, and health status, without a valid legal basis. The company also ignored requests from data subjects for transparency about processing their personal data.
In determining the fine amount, the DPA considered the extraordinary depth of the violation of the fundamental right to data protection as an aggravating factor. However, the DPA also considered that BREBAU GmbH fully cooperated during the investigation, made efforts to mitigate the damage, clarified the facts on its own, and ensured that such violations would not be repeated. As a result, the DPA was able to reduce the amount of the fine.
Volkswagen was fined €1.1 million on 26-07-2022
The data protection authority (DPA) of Lower Saxony in Germany has imposed a fine of EUR 1.1 million on Volkswagen for violating the GDPR. The company had installed cameras on a test vehicle to test and train the functionality of a driving assistance system intended to prevent traffic accidents, but it failed to provide information about the data processing by the cameras as required by Article 13 of the GDPR.
The DPA also found that Volkswagen had not concluded a processing agreement with the company that carried out the test journeys, as required by Article 28 of the GDPR. In addition, the company had not conducted a data protection impact assessment or documented the technical and organizational protection measures in its record of processing activities, as required by Article 35 of the GDPR. Volkswagen did, however, cooperate extensively with the DPA during the investigation.
Hannoversche Volksbank was fined €900,000 on 28-07-2022
The data protection authority (DPA) of Lower Saxony in Germany has imposed a fine of EUR 900,000 on Hannoversche Volksbank for unlawfully analyzing the personal data of active and former customers without their consent. The bank had analyzed digital usage behavior and evaluated various aspects of their activity, including purchases in app stores, the frequency of use of bank statement printers, and the total number of online banking transfers compared to in-branch services.
The bank also cross-checked the results with a credit agency and used the information via electronic communication channels for promotional purposes. While most customers were provided with information in advance, the DPA determined that this did not replace the required consent. In determining the fine, the DPA took into account that the bank did not make further use of the results of its evaluations and that it cooperated with the DPA during the investigation.
The subsidiary of a Berlin-based eCommerce group was fined €525,000 on 20-09-2022
The data protection authority (DPA) of Berlin in Germany has imposed a fine of EUR 525,000 on the subsidiary of a Berlin-based eCommerce group for violating the General Data Protection Regulation (GDPR). The company had appointed a data protection officer (DPO) who also served as the managing director of two service companies that processed personal data on behalf of the eCommerce company. These service companies were part of the same group as the eCommerce company.
The DPA determined that this arrangement constituted a conflict of interest in violation of Article 38(6) GDPR. The DPA had already warned the company about the conflict of interest in 2021; when a subsequent inspection revealed that no new data protection officer had been appointed, the DPA imposed the fine.
A property development company was fined €50,000 on 21-09-2022
The data protection authority (DPA) of Baden-Württemberg in Germany has imposed a fine of EUR 50,000 on a property development company for violating the GDPR. The company had sent a letter to a property owner offering to purchase their property, but it did not provide any information on the origin of the personal data used in the letter. When the property owner asked the company where the data had been obtained, the company did not reply.
Upon investigation, the DPA discovered that a surveyor had used their authority to access the electronic land register and identify several hundred property owners without their knowledge, passing the information on to the company, which then contacted the property owners. The DPA determined that this constituted a violation of both Article 6(1) GDPR and Article 14 GDPR due to the lack of information on the origin of the data.
A surveyor was fined €5,000 on 21-09-2022
The data protection authority (DPA) of Baden-Württemberg in Germany has imposed a fine of EUR 5,000 on a surveyor for illegally processing customer data of several hundred property owners. The surveyor had used their authority to access the electronic land register to identify the property owners without their knowledge and passed the information on to a property developer, who then contacted the owners.
The DPA determined that both the surveyor and the developer had violated data protection laws by unlawfully processing the personal data of the property owners.
In conclusion, the General Data Protection Regulation (GDPR) has had a significant impact on data protection standards in Germany and across the European Union since it came into effect in 2018. The GDPR has strengthened and harmonized data protection rules across the EU, giving individuals more control over their personal data and establishing a single set of data protection rules for all EU member states. It has also granted data protection authorities in each member country the power to impose fines, reprimands, and other sanctions on individuals who violate the GDPR or national data protection laws that implement the GDPR.
There have been several high-profile cases in Germany in which the General Data Protection Regulation has been used to impose multi-million euro fines on companies for data breaches. These cases demonstrate the importance of businesses and organizations complying with the GDPR and taking appropriate technical and organizational measures to protect the personal data of their customers, employees, and other individuals.
Failure to do so can result in significant financial penalties and damage to a company’s reputation. It is essential for businesses and organizations operating in Germany to understand their obligations under the GDPR and to ensure that they are compliant with this important data protection law.