
Heuking Kühn Lüer Wojtek

Update Data Protection
IP, Media & Technology

No. 53 | 2019-02-01


First fines issued by supervisory authorities for infringements of the GDPR
Regina Glaser, LL.M., Torsten Groß, LL.M.


The General Data Protection Regulation (GDPR) provides for a significant increase of the maximum possible fine for legal infringements compared to previous data protection legislation. Fines of up to 20 million euros or 4 % of the worldwide annual turnover, whichever is higher, can be imposed (Art. 83 para. 5 GDPR). Yet, the first few months after the introduction of the GDPR in May 2018 were uneventful in this regard. That is now changing, however.

50 million euro fine for Google LLC

Supervisory authorities have now started imposing more fines. Especially noteworthy among these is the fine of 50 million euros imposed by the French supervisory authority, CNIL (Commission Nationale de l’Informatique et des Libertés), against Google LLC on 21 January 2019. CNIL identified several infringements by Google against data protection legislation. In the announcement on its website, CNIL justifies its decision by asserting that Google is not complying with its obligation to provide information to users, and its processing operations are not sufficiently transparent. In addition, user consent to process data for personalized advertising had not been validly obtained. Users were not provided with sufficient information prior to giving consent. Furthermore, the consent collected does not distinguish sufficiently between the individual processing operations.

CNIL explained that the amount of the fine was primarily based on the fact that the infringement was a continuous one that was still ongoing (at least until the CNIL ruling). As an aggravating circumstance, the infringement concerned a tremendous quantity of data relating to a variety of services with almost unlimited possible combinations. The widespread use of the Android operating system, owned by Google, means that many people have been affected by this data protection infringement. The fine imposed against Google illustrates the radical sanctions available to the supervisory authorities under the new legislation, as well as which criteria are considered when issuing fines.

EUR 20,000 fine for “Knuddels.de”

In the meantime, increased fines have also been imposed in Germany. The State Data Protection and Freedom of Information Officer (LfDI) for Baden-Württemberg imposed a fine of EUR 20,000 against the “Knuddels.de” chat portal as early as November 2018. The company was the victim of a hacker attack in summer 2018 during which hackers captured personal data. One reason they were able to do this was that customers’ passwords were saved in plain text on the company server. In addition to this, Knuddels had neglected to install the new version of the operating system in good time.

However, in comparison with the current proceedings in France against Google, the amount of the fine remained low. According to the LfDI, this was because the company had cooperated well with the supervisory authority and had made the effort to quickly provide full and comprehensive information. In addition, the company suffered significant economic damage because of the data breach. A similar argument could have been applied in the fine proceedings against Google, although it would have been to the disadvantage of Google. The more data Google collects and stores (unlawfully, in this case), the greater the economic benefit for the company. CNIL explains that Google’s business model was at least partly based on personalized advertising and compliance with data protection legislation should therefore be its number one priority.

Proceedings in Germany

In total, the German supervisory authorities had issued 41 fines by mid-January 2019, according to a survey by 'Handelsblatt'. However, a number of other proceedings are already ongoing. The highest fine in Germany so far has been EUR 80,000. In this case, health-related data, which is sensitive personal data that requires special safeguards, was publicly viewable.

Fine proceedings are often initiated by the authorities following complaints from data subjects, in particular dissatisfied employees or customers. In addition, a data breach must be reported by the controller or processor to the responsible supervisory authority within 72 hours pursuant to Art. 33 GDPR. This can also give rise to fine proceedings. Competitors also watch their rivals and report them to the authorities. And last but not least, the investigative powers of the supervisory authorities are not to be forgotten. The authorities have a number of tools available to be able to actively monitor controllers and processors. This includes access to premises, including data processing systems and equipment (Art. 58 para. 1 f) GDPR).

Some state data supervisory authorities are still hesitant to issue fines. However, companies should not rely on this. Rather, they should see the now publicized fines as a motivation to check their current data protection policy at regular intervals and adjust it where necessary. In the event of a data breach, it should be borne in mind that the supervisory authorities reward cooperative behavior and the desire to clarify the situation.


Authors
Regina Glaser, LL.M. is a partner and a lawyer at Heuking Kühn Lüer Wojtek and member of the Taskforce Data Protection.

Torsten Groß, LL.M. is a lawyer at Heuking Kühn Lüer Wojtek and member of the Taskforce Data Protection.

Contact

T +49 211 600 55-168
F +49 211 600 55-160
E datenschutz@heuking.de

Visit our Website with focus on Data Protection Law:
Microsite Data Protection

Task Force Data Protection

Dr. Christian Appelbaum
Dr. Ubbo Aßmus
Felix Drefs
Alexa Finke
Regina Glaser, LL.M.
Torsten Groß, LL.M.
Anne Heisig
Maike Katharina Hinz
Britta Hinzpeter, LL.M.
Dr. Thomas Jansen
Dr. Philip Kempermann, LL.M.
Dr. Lutz Martin Keppeler
Dr. Markus Klinger
Michael Kuska, LL.M., LL.M.
Astrid Luedtke
Marcel Maybaum
Antje Münch, LL.M.
Dr. Søren Pietzcker, LL.M.
Dr. Wolfgang G. Renner, LL.M.
Dr. Dirk Stolz
Dr. Frederik Wiemer
Dr. Florian Winzer
Dr. Hans Markus Wulf













© 2019 Heuking Kühn Lüer Wojtek

PartGmbB von Rechtsanwälten und Steuerberatern*
Georg-Glock-Str. 4, 40474 Düsseldorf

* Data protection information / register details / list of partners: www.heuking.de

Information on how Heuking Kühn Lüer Wojtek handles your personal data,
the purposes for processing your data, the legal basis for processing,
and on your rights can be found at www.heuking.de.
