GDPR: The cost of gaps in data protection
In the past, data protection was often treated as an afterthought. But even today, two years after the General Data Protection Regulation (GDPR) finally came into force, there is still a lot of catching up to do. This is evidenced not least by fines running into the millions.
Although the coming into effect of the General Data Protection Regulation on 24 May 2016 may have triggered a number of things in the world of business, enthusiasm was not necessarily one of them. Even though a transitional period of two years had at least been granted, it soon became clear that this would not be enough to achieve law-compliant data protection. On the contrary, while the number of fines due to data protection violations totalled 40 in the final months of 2018, this figure had increased fivefold the following year to 187.
Fines in millions due to data protection violations
Figures like these also suggest that the data protection authorities in the federal states have now taken regulation more firmly into their own hands and can therefore enforce it more effectively. The German record fine of EUR 14.5 million for a Berlin-based real estate company is a good example: the GDPR's catalogue of fines is being consistently applied. For particularly serious violations – listed in Art. 83(4) – it sets forth fines of up to EUR 20 million or four percent of the global turnover of the preceding fiscal year, whichever is higher. If, for instance, four percent of turnover corresponds to EUR 19 million, the offender would still have to pay EUR 20 million.
Deleting data is also data protection
In the case of the real estate group, the violation apparently did not quite reach the maximum fine. The problem here was the ‘dormant customer files’, i.e. personal data that the company no longer needed, located in the archive system. It was simply not possible to delete these files in the system. This is in particular a violation of Art. 5 GDPR, which, among other things, sets forth the principle of storage limitation.
Specifically, it reads:
A company from Lower Saxony also violated this principle. It had kept personnel files for an unnecessarily long period of time and had also collected health data during the personnel selection process. The latter is prohibited under Art. 9 GDPR, which deals with the "Processing of special categories of personal data". The fine in this case totalled EUR 294,000.
For a Berlin-based online platform, the matter of data collection and deletion proved to be a little more complex: in its case, inquiries from data subjects were ignored. Anyone who processes data is not only required to obtain the consent of the data subjects (Art. 6); pursuant to Art. 7 GDPR, the controller must also be able to demonstrate that the data subject has consented to processing and must grant the data subject the right to withdraw consent. The company in Berlin had ignored requests by its users regarding deletion and revocation. It was also not willing to grant the "right of access by the data subject" as described in Art. 15. In the end, this stubbornness cost the company close to EUR 200,000.
Secure data is an absolute must
Anyone who lawfully collects personal data and stores it in a system is undoubtedly on the right track in terms of the GDPR. But this soon leads to a dead end if this sensitive resource is not adequately protected. A large German ISP, for example, failed to ensure the “appropriate technical and organisational measures” set forth in Art. 32 GDPR to guarantee a “level of security appropriate to the risk”. Due to a security breach, customer data from the call center was leaked to third parties, resulting in a fine of EUR 9.55 million. However, this is nowhere near the amount that a British airline had to pay in 2019. Because its booking system was not secure, criminals were able to get their hands on customer data – and the supervisory authority on more than EUR 200 million – the highest fine in Europe to date.
One ICT company got off much more lightly. Although it did not leak any data, it did fail to take one very central organizational measure laid down in Art. 37: the designation of a data protection officer. The fine imposed here totalled EUR 10,000.
Poor technical resources and organization as the main reasons for data protection violations
Failure to appoint a data protection officer plays at best only a minor role in the EU-wide fine statistics on enforcementtracker.com. Since 2018, for instance, only three fines with a total value of EUR 111,000 have been imposed for it. Top of the ranking are violations due to insufficient technical and organizational measures: the total amount of fines imposed for these is close to EUR 333 million in ‘only’ 63 cases. The 103 offences in which the legal basis for data processing was insufficient are much further down the list; as of May 2020, they led to fines of almost EUR 111 million. The offence of "failure to comply with the general provisions on data processing" accounted for 40 fines, amounting to just over EUR 16 million. Around 90 percent of this sum is down to the fine imposed on the real estate company in Berlin whose archive system did not permit data to be deleted.
In a comparison of ten countries, Germany ranks fourth with fines of more than EUR 25 million. This figure is made up of 25 individual fines – the second highest in the EU. Spanish authorities imposed the highest number of fines. However, the 80 fines total merely EUR 2.5 million. The undisputed leader in terms of total amount in fines is the United Kingdom, a country that has already left the European Union. GDPR violations here cost over EUR 315 million. What’s remarkable here is that a grand total of just three cases account for this amount. The airline’s record fine certainly left its mark.
The highest data protection fines in Germany
| Sector | Type of violation | Fine |
|---|---|---|
| Real estate | Failure to comply with the general provisions on data processing | EUR 14.5m |
| ICT | Insufficient technical and organizational measures | EUR 9.55m |
| Unknown | Failure to comply with the general provisions on data processing | EUR 294,000 |
| eCommerce | Insufficient compliance with the data subject’s rights | EUR 195,407 |
| Hospitals | Insufficient technical and organizational measures | EUR 105,000 |
Secure data, a growing business?
It is currently quite likely that Germany will continue to climb in the GDPR fine statistics. Ulrich Kelber, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), has already announced that he will take tougher action against violations of the GDPR and that he will hold larger companies in particular to account. Large companies usually also pay higher fines.
The new fine concept of the Conference of Independent German Federal and State Data Protection Supervisory Authorities (DSK) also confirms this. The concept provides for fines to be consistently aligned with turnover. According to a Bitkom survey from September 2019, the business world has already understood the signals: 67 percent of German companies have implemented the GDPR to a large extent. And in the end, this will not only protect them against fines. Ulrich Kelber of the BfDI also believes that responsible handling of customer and employee data will provide added value for competitiveness.