Following in the footsteps of the CNIL and the ICO, the Berlin DPA will impose a multimillion-euro fine for breach of the GDPR.

By Tim Wybitul, Joachim Grittmann, Ulrich Wuermeling, Wolf-Tassilo Böhm, and Isabelle Brams

The Berlin Data Protection Authority (Berlin DPA) recently announced that it will issue a multimillion-euro fine for breach of the EU’s General Data Protection Regulation (GDPR), a significant step change in its GDPR enforcement approach. The Berlin DPA’s most significant penalty to date includes two fines on a company totaling €200,000. In that case, as with the latest announcement, the Berlin DPA has not yet named the affected company. The announcement also continues a trend, started by the French Data Protection Authority (CNIL) and followed by the UK Information Commissioner’s Office (ICO), of data protection authorities beginning to show their teeth in GDPR enforcement.

Germany’s first GDPR fine offers a lesson for companies planning a data breach policy.

By Tim Wybitul, Wolf-Tassilo Böhm, and Isabelle Brams

In November 2018, Germany’s first fine under the General Data Protection Regulation (GDPR) was imposed — and it was much lower than many expected. The favourable outcome of the proceedings for the defending company demonstrates that, with a proper defence strategy, GDPR infringements may not necessarily end in a worst-case scenario for companies.

In July 2018, Knuddels GmbH & Co. KG (Knuddels), operator of the chat community Knuddels.de, noted the loss of 1.8 million user data records (including a file with unencrypted user passwords) as the result of a cyberattack. After reporting this incident to the appropriate supervisory authority, Knuddels was investigated for infringement of the GDPR. Because the authority deemed that the company’s IT security was not state-of-the-art, there was a high risk that the supervisory authority would impose a large fine on Knuddels.