The grace period for data protection violations in Germany is over: Fine of EUR 14.5 million imposed!
The fine was imposed on a large German real estate company. The impermissible data retention could arguably have justified an even higher fine. This shows that breaches of data protection law are no longer treated as a trivial offence.
It is widely known that many companies have not yet (fully) implemented the requirements of the EU General Data Protection Regulation (EU-GDPR). After several European countries had already imposed substantial fines on non-compliant companies, the German authorities are now following suit. It could have been even worse: in principle, a fine of EUR 28 million could have been imposed. Only the measures initiated immediately to remedy the breaches of data protection law reduced the fine.
Catalogue of fines
On the basis of the Guidelines on the application and setting of fines in proceedings against undertakings falling within the scope of the DSGVO, the German Data Protection Conference (DSK) recently published a calculation model intended to provide a comprehensible, transparent and fair method for setting fines in individual cases.
Fines in proceedings against companies are determined in five steps:
- (i) The company in question is assigned to a size category based on its annual turnover.
- (ii) The authority determines the average annual turnover for that category.
- (iii) From this it derives the basic economic value: the daily rate, i.e. the average annual turnover divided by 360.
- (iv) The daily rate is multiplied by a factor reflecting the gravity of the offence.
- (v) The result is finally adjusted for "perpetrator-related and other circumstances not yet taken into account".
Following the heavy fines for data breaches imposed elsewhere in Europe (e.g. EUR 50 million in France and EUR 200 million in the United Kingdom), the German authorities are now following suit. The fine of EUR 14.5 million now imposed for the first time, although only a first cautious step, marks a real turning point. For the near future, we expect even higher fines.
The current case illustrates how the authorities (can) apply the new fine calculation model. Even for a minor breach of data protection regulations, the daily rate may be multiplied by a factor of 1 to 4. For a company with an annual turnover of approximately EUR 200 million, the daily rate is EUR 555,555. So even minor data protection violations can attract a fine of EUR 555,555 to EUR 2.2 million. For serious data protection violations, the fine in this case starts at EUR 7.2 million. The higher the worldwide annual turnover, the higher the fine: for a global corporation with a turnover of EUR 18 billion, for example, the fine can amount to up to EUR 700 million.
The new risk situation also affects the duties of board members and managing directors and their personal position. Organisational deficiencies in data protection create obligations to act and liability risks for board members and managing directors. Where necessary, they must ensure that provisions are accrued in good time and that investors are informed in accordance with the requirements of securities trading law. If they fail to do so, their personal liability risk increases as well.
What is to be done now?
If in doubt, board members and managing directors should now urgently put their data protection organisation to the test with a data protection stress test (Privacy Impairment Check).
If certain areas have not yet been designed to comply with the EU-GDPR (such as deletion and blocking concepts or data protection impact assessments), this should be remedied as quickly as possible.
Ideally positioned for you
Our team of highly specialised lawyers will advise you comprehensively in the field of data protection and data security.
Our data protection stress test gives you, within a short period of time, a comprehensive overview of the relevant regulatory requirements and of the maturity level of your data protection organisation compared to the relevant benchmark. It has a modular structure so that it can be tailored to your specific requirements. The resulting report shows you how well you control the essential data protection risks for your company.
Independently of this, we provide comprehensive support in identifying, analysing and evaluating existing legal documentation and internal processes for handling personal data and in optimising them; we advise you on introducing information and data management that complies with data protection requirements, on the development and market launch of products, and in connection with internal or external investigations, e.g. following a data breach.
In addition, we represent companies in all official or judicial proceedings (legal representation).
As legal advisors, we work together with Deloitte's technology and litigation experts on numerous interdisciplinary projects and therefore have the experience needed to provide holistic solutions even for complex legal issues.
Have we aroused your interest? Feel free to contact us at any time!
- The state of Berlin has for the first time imposed a fine of EUR 14.5 million for data protection violations.
- The amount of fines will increase. The new German DSK fine concept is based primarily on a company's turnover.
- Preventive measures can be considered to reduce fines.
- Data protection risks can be effectively identified with a data protection stress test.
- Fines can still be effectively reduced with the appropriate preventive measures introduced in good time.