The magnitude of new legal and business process requirements under the GDPR caused a tremendous change in the legal data privacy landscape for many companies doing business in Europe. Many of these companies sprinted (or at least made significant progress on the uphill struggle) to finalize their GDPR compliance programs by 25 May 2018, the day the GDPR took effect, with a careful eye toward how the DPAs would interpret and enforce some of the less clear requirements of the GDPR. We now have more information about DPA activities in Germany, and the trend is toward increasing enforcement.
Some facts and figures about DPA activities in Germany
In Germany, a recently published report (in German) provides some useful insights and figures on the enforcement activities by the German DPAs to penalize GDPR infringements, which echo our experiences with various DPAs in the German Federal States.
The report indicates that by the end of 2018, the German DPAs already had concluded a considerable number of pending cases. In these cases, they applied a variety of different sanctions—such as conducting investigations and on-site audits, or issuing warnings or reprimands—and issued more than 40 fines altogether.
The available figures show that the German state DPAs in Hamburg, Bavaria, Berlin, North Rhine-Westphalia, Hesse, and Baden-Württemberg have been considerably active. By contrast, the authorities in the other German states seem to be less active, or at least to be acting less visibly. According to statistics provided by the Baden-Württemberg DPA, the number of data subject complaints increased 30 percent from 2017 to 2018. The number of DPA consultations by organizations in 2018 also more than doubled, and the number of reported data breaches increased more than tenfold.
Which types of infringements have been subject to sanctions?
The data processing activities covered by German DPA investigations span a broad range of commercial operations that are relevant for key industries in the German market. The following types of behaviours/incidents gave rise to the imposed fines:
- Lack of a data processing agreement with an intermediary for postal services that was processing customer data.
- Unsolicited marketing emails.
- Unauthorized video surveillance of customers and employees.
- Publication of health data on the Internet due to inadequate security control measures.
- Disclosure of health data to the wrong patient by a hospital.
- Recording of all outgoing and incoming phone calls in a fire department.
- Disclosure of bank account statements to unauthorized persons during online banking.
- Unauthorized access to customer data during a hacking attack on a web shop.
- Unauthorized use of dashcams.
- Open email distribution lists.
- Unauthorized disclosure of personal data due to unencrypted storage of user passwords.
- Inadequate technical and organizational measures taken by a hotel which could not rule out the possibility that credit card or other customer data from its booking system might have been disclosed in a ransomware attack.
What is the commercial impact?
While cases in which dissuasive fines have been imposed on leading technology companies in some EU countries seem to dominate the public interest, the value of fines imposed in Germany has not yet reached a record high. For instance, the maximum fine issued by the Baden-Württemberg DPA amounts to €80,000. However, the DPAs in Germany have brought a considerable number of enforcement cases for seemingly minor offences (e.g., open email distribution lists). These cases effectively create new rules, and those rules have a considerable negative impact on companies, which must subsequently (and frequently) revise their data processing operations to comply with the new precedent.
What is to be expected in the near future?
The first statistics on the imposed fines show that there have indeed been a number of GDPR enforcement actions brought by the German DPAs to date, and based on these enforcement patterns we expect that both the number and the size of fines will increase in the relatively near future. For instance, according to press reports, the Bavarian DPA is currently dealing with 85 pending fine proceedings, and these pending proceedings will continue to yield an increasing number of fines and other sanctions.
Overall, the report indicated that the German DPAs have observed that companies significantly increased their data protection awareness and their understanding of their responsibilities with respect to the processing of personal data. However, several of the German DPAs are conducting audits at companies and public bodies, and we expect these audits to reveal additional deficiencies in GDPR compliance programs. For example, the DPA of Lower Saxony is currently auditing 50 companies seated in Lower Saxony to detect shortcomings in their data protection compliance. Similar audits are conducted by other German DPAs, such as the Bavarian DPA, which is specifically investigating data protection law violations by service providers (sub-processors), cybersecurity issues, and compliance with tracking tool requirements (online shops, social media platforms, streaming platforms, email service providers).
With a view to the future, it is likely that the volume of German case law on data protection infringements will grow significantly. It is also possible that the German DPAs will develop "catalogues" of fines for certain clear-cut and similar cases of data protection infringements. In addition to the enforcement activities in Germany, we have seen DPAs at a European level coordinate with each other in an attempt to achieve uniform and effective enforcement of the GDPR.
Given all this, while there may have been a temporary respite after the 2018 sprint to GDPR compliance, companies subject to GDPR enforcement in Germany should expect a continued increase in enforcement into 2019, and should continue to assess and remediate any gaps in their GDPR compliance programs.
By Dr. Christian Tinnefeld and Dr. Henrik Hanßen