
Review of GDPR fines and data breaches 2020

Date: 10 February 2021

The past year ended with another fine running into the millions. The electronic goods retailer notebooksbilliger.de AG was issued a penalty notice for €10.4 million in December 2020. The company was accused of video-monitoring employees. 

Lower Saxony’s State Commissioner for Data Protection (LfD) announced the measure in a press release – a rare occurrence in Germany. The GDPR Portal therefore requested information from the authorities about what fines were imposed last year and how many data breaches in accordance with Article 33 GDPR were reported to the authorities.

283 fines with a total amount of €48.1 million were imposed by the authorities, an increase of about 50 percent over the figure for the previous year (187). The supervisory authority in North Rhine-Westphalia leads the way with 93, followed by Thuringia (39) and Saxony (30).

Highest fine in Hamburg

The highest fine was that issued by Hamburg’s data protection supervisory authority to H&M. The German arm of the Swedish clothing retailer spied on hundreds of employees at its Nuremberg service center and was penalized €35.3 million. It is also the highest fine imposed in Germany to date for data protection violations. The fine on notebooksbilliger.de ranks second, followed by the €1.24 million penalty for a violation of the GDPR by the AOK Baden-Württemberg. The health insurer had collected data from hundreds of participants in sweepstakes and misused it for advertising purposes.

However, these record fines should not disguise the fact that the overwhelming number of fines are in the three- to four-digit euro range. They do not relate to large international companies, but small and medium-sized enterprises and natural persons.

One striking aspect revealed by the survey is that the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) did not issue a single penalty notice in 2020. It may be that the authority wants to await the court’s ruling in the proceedings against 1&1 Telekom. The concept of the German Conference of Data Protection Supervisory Authorities (DSK) was applied in setting the level of that fine. Even before the proceedings, some legal experts criticized the fact that the model used to calculate fines was mainly based on a company’s turnover. On November 11, 2020, the court confirmed that there had been a data protection breach on the merits of the case, but sharply reduced the fine from the original €9.55 million to just €900 thousand. The supervisory authorities in Bavaria, Bremen and Schleswig-Holstein (ULD) also did not issue any fines last year. The ULD was once regarded as the most stringent supervisory authority, but seems to have changed its course: It also did not issue a penalty notice in 2019.

The causes of the GDPR breaches come as little surprise: They mainly involve violations of the obligations to provide access to and information on personal data (Articles 12 to 15 GDPR) and unlawful processing of personal data (Articles 5 and 6 GDPR), such as video surveillance, impermissible database inquiries and transfer of data to third parties. Missing or inadequate protective measures to ensure security in data processing (Article 32 GDPR) were also punished; such violations were not infrequently committed in connection with sending documents. As regards the latter, one ruling is a reminder that data protection must also be ensured outside the digital world: A tax consultant was punished for storing files in a multi-story car park. Even clubs had to pay smallish fines because they published lists of their members on social media without obtaining valid consent.

Another striking aspect is the greater prevalence of cases in which natural persons were punished for using data processed as part of their professional activities for other purposes (often private ones). Several fines were imposed, on police officers for example, for unauthorized database inquiries or for using data to contact people privately.

Another interesting fact in light of the Covid-19 pandemic is that several fines were imposed on catering establishments in connection with contact tracing. In that sense, the debate about data privacy that had accompanied implementation of the measures to curb the coronavirus throughout the whole year had real-life impacts – both for the data subjects and the establishments, pubs and restaurants, who now find themselves having to step into what is for some the new role of a data processor and come to terms with that.

Comparison with other EU Member States

How did practices in the area of fines differ between Germany and other large EU countries? 152 penalty notices were issued in Spain last year, almost 50 percent more than the year before. If the figure of 152 is looked at relative to the populations of Germany and Spain (Spain has around 36 million fewer inhabitants than the Federal Republic), then the authorities in Spain imposed far more fines per capita. Although most of them were small, there were also two recent fines running into the millions on the two banks CAIXABANK (€6 million) and BANCO BILBAO VIZCAYA ARGENTARIA (€5 million). In addition, all penalty notices are published in Spain, unlike most decisions by German data protection authorities.

For its part, Italy not only issued 45 notices and imposed multi-million euro fines on TIM SpA (€27.8 million), Wind Tre SpA (€16.7 million) and Vodafone Italia SpA (€12.2 million), but also stood out by fining government authorities – such as the Italian Ministry of the Interior (€50 thousand) and Rome Municipality (€500 thousand). France imposed just ten fines due to breaches of the GDPR, although some were the highest in the whole of the EU and were on large tech companies: Google LLC (€60 million), Google Ireland Limited (€40 million) and Amazon Europe Core (€35 million). 

In view of that, the picture painted by business associations, who claim that Germany suffers disadvantages as a place to do business as a result of the GDPR, might perhaps hold water in a comparison with the requirements on companies outside Europe. Yet even in the United States, where the issue of data privacy has been pretty much neglected to date, there are regulatory developments toward according people more privacy and legal leverage to protect it. As a forerunner in this field, Europe could benefit from this global trend.

New record for reported data breaches

Around 21,000 data breaches in accordance with Article 33 GDPR were reported to the German supervisory authorities from May 25, 2018, the deadline for implementing the GDPR, to the end of 2019. That figure was 26,057 last year. The leader is the BfDI with 9,985 recorded data breaches, followed by Bavaria (3,794) and Baden-Württemberg (2,320). The incidents most frequently reported related to sending of documents, cyberattacks and technical defects.

Data protection is being taken more and more seriously thanks to the GDPR

The decisions generally appear to corroborate a welcome trend: More and more citizens are becoming aware of their data rights and are using the possibilities the GDPR offers them to assert those rights. That is also particularly clear from the fines on medium-sized and small players (and even individuals). It seems that companies for their part – in light of the fines they face, and which are imposed in many cases – are somewhat more serious about their obligations when it comes to handling personal data and are increasingly reporting data breaches.

Outlook

The messenger service WhatsApp is expected to be fined this year. Industry experts anticipate that Ireland's Data Protection Commission will impose a penalty of up to €50 million. Likewise, the Norwegian Data Protection Authority has already announced its intention to issue a fine of €10 million to Grindr LLC – a decision on that will probably be made in February. Initial fines due to unlawful data transfer to the United States and other third countries are also expected. Member States like France and Spain will probably blaze the way in that. The court case relating to the fine on “Deutsche Wohnen SE” is also eagerly anticipated. Berlin’s data protection authority imposed a fine of €14.5 million on the real estate company on November 5, 2019, due to violations of retention periods. Deutsche Wohnen SE filed legal action to contest that. 

The DSK’s fine concept is expected to be revised in the coming months. That move was originally announced for November 2020 by representatives of the authority. The new version will doubtless incorporate the lessons learned from the ruling against 1&1 and possibly those from the upcoming case against Deutsche Wohnen.

Overview and breakdown by supervisory authority

Supervisory Authority          Fines   Total in €    Data Breaches
Baden-Württemberg                 19    1,670,050            2,320
Bavaria (non-public sector)        4         n.a.            3,794
Bavaria (public sector)            0            0            1,500
Berlin                            21       77,250              925
BfDI                               0            0            9,985
Brandenburg                       16      331,200              409
Bremen                             0            0               94
Hamburg                           22   35,295,118              686
Hesse                              2       18,380            1,433
Mecklenburg-Vorpommern          n.a.         n.a.             n.a.
Lower Saxony                       6   10,560,000              989
North Rhine-Westphalia            93       48,950            1,775
Rhineland-Palatinate              11       84,070              587
Saarland                           6       16,144              308
Saxony                            30       12,870              635
Saxony-Anhalt                     14       19,150              211
Schleswig-Holstein                 0            0              406
Thuringia                         39       17,530             n.a.
Total                            283   48,150,712           26,057