Germany’s first GDPR fine offers lesson for companies planning a data breach policy.

By Tim Wybitul, Wolf-Tassilo Böhm, and Isabelle Brams

In November 2018, Germany’s first fine under the General Data Protection Regulation (GDPR) was imposed — and it was much lower than many expected. The favourable outcome of the proceedings for the defending company demonstrates that, with a proper defence strategy, GDPR infringements may not necessarily end in a worst-case scenario for companies.

In July 2018, Knuddels GmbH & Co. KG (Knuddels), operator of the chat community, discovered the loss of 1.8 million user data records (including a file with unencrypted user passwords) as the result of a cyberattack. After reporting this incident to the competent supervisory authority, Knuddels was investigated for infringement of the GDPR. Because the authority deemed that the company’s IT security was not state-of-the-art, there was a high risk that the supervisory authority would impose a large fine on Knuddels.

The GDPR generally provides for maximum fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever amount is higher. However, the data protection supervisory authority of the German federal state of Baden-Württemberg, LfDI, imposed a relatively low fine on Knuddels of €20,000.00. In doing so, the LfDI took into account several key factors developed by Latham & Watkins as part of its defence strategy: Knuddels undertook comprehensive measures to achieve full transparency as quickly as possible after becoming aware of the attack, cooperating with the LfDI and investing in improvements to the company’s IT and data security systems and policies. The penalty notice issued by the LfDI states that Knuddels contributed to clarifying the details of the case and to achieving substantial progress in data security. The fact that Knuddels did not derive or intend to derive any economic advantage from the data breach was also regarded as a mitigating factor. The LfDI also considered in favour of Knuddels that the company’s data processing activities had not given rise to any objections in the past.

The LfDI’s decision is a first shot across the bow for the industry. Taking the Knuddels proceedings as a case study, it is clear that companies planning and implementing a data breach policy should consider strategies for dealing with IT and data security incidents and defending against fines in addition to making the usual investments in IT security.