Even though they pale in comparison to the French DPA’s massive fine on Google, the German data protection authorities have been keeping busy with fines of their own.
Since the GDPR came into force on 25 May 2018, Germany has issued 41 GDPR-related fines. These were levied for various violations, ranging from inadequate technical and organizational security measures to non-compliance with information duties and the sending of unauthorized marketing e-mails.
Most fines were imposed by North Rhine-Westphalia (33), followed by Hamburg (3), Baden-Württemberg and Berlin (2 each) and Saarland (1). The highest fine was €80,000, imposed on an entity that allowed health-related data to be publicly viewable due to inadequate internal control mechanisms. A €20,000 fine was issued to the chat portal Knuddels for a 2018 data breach exposing the passwords, e-mail addresses and nicknames of 330,000 users, because the company had stored that information in plain text on its servers.
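The Knuddels fine turned on plain-text password storage: once the server was breached, every password was immediately usable. The standard mitigation is to store only a salted, slow hash and compare in constant time, so that a leaked record does not hand over the credential. The following is an added illustration, not code from Knuddels or from the DPA, using only the Python standard library (PBKDF2-HMAC-SHA256 via `hashlib`); the iteration count, salt length and record format are assumptions chosen for the example and should be tuned to the deployment.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the article): the iteration
# count follows common current guidance for PBKDF2-SHA256 and should be
# raised over time as hardware gets faster.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means identical passwords produce different
    records, and the stored parameters let verify_password() recompute the
    digest even after ITERATIONS is raised for new accounts.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a candidate password against a stored record without ever
    reconstructing the password itself; malformed records simply fail."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record uses an old algorithm or a weaker-than-current cost,
    so it can be re-hashed transparently at the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample user store: what an attacker would see after a breach
    # is only the opaque record, never the password.
    users = {"alice": hash_password("correct horse battery staple")}
    print(users["alice"])
    print("login ok:", verify_password("correct horse battery staple", users["alice"]))
    print("wrong pw:", verify_password("Tr0ub4dor&3", users["alice"]))
    print("rehash needed:", needs_rehash(users["alice"]))
```

On login, a successful `verify_password` followed by `needs_rehash` returning `True` is the moment to recompute and store a new record, which is how an existing user base is migrated off weaker parameters (or, as in the case above, off plain text) without forcing password resets.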
Reportedly, not all violations were sanctioned with a fine, because some authorities granted a grace period during which fines were either much lower than they could or should have been, or were not issued at all. Although these grace periods and the hesitation of some DPAs to issue fines are still common, companies are advised not to rely on this, as it is unclear how long they will last.