Hamburg regulator issues EUR 35 million GDPR fine for data privacy breach
09 October 2020
Background: GDPR Enforcement
The General Data Protection Regulation (GDPR) came into force in May 2018 with an overarching objective of protecting individuals' personal data and harmonising best practices for privacy and data security across the EU. Under Art. 83 GDPR, regulators can, among other measures, impose administrative fines that are significantly higher than under pre-GDPR laws. Individuals can also claim damages under Art 82 GDPR for the violation of their privacy.
Fines shall be effective, proportionate and dissuasive and, when determined, take into account several factors, such as the nature, gravity and duration of the breach, the degree of responsibility and the degree of cooperation with the regulator.
German data protection authorities have published a standard concept for determining GDPR fines:
First, establish the basic economic value –companies are categorised into groups based on the company's average annual turnover.
Second, multiply the basic economic value by a factor reflecting the magnitude of the breach – the factor varies from 1 to 14.4.
Third, adjust the amount based on other circumstances for and against the company – factors such as previous breaches (surcharge on the sum of 50-300% depending on breach repetition), nature of the breached provision (schematic consideration by reduction of up to 25% and surcharge by 50% of the calculated sum), procedural duration, degree of cooperation, impending insolvency as well as measures taken for damage mitigation.
As demonstrated in the Hamburg case, the company's actions after a breach can also significantly influence the amount of a GDPR fine. The Hamburg regulator considered the company's GDPR breach to be "a particularly intensive encroachment on employees' civil rights": According to press releases, managers collected and used detailed information about employees' private lives, including information on family issues or detailed health data/diagnosis, for employment-related decisions.
However, the regulator recognised the company's cooperation, its significant efforts to implement more robust privacy processes and that it also agreed to provide monetary compensation to the employees. Fact is that theoretically, the maximum possible fine under the GDPR could have been 4% of H&M's net worldwide turnover of EUR 22.3 billion (i.e. ~EUR 892 million).
Despite the regulator's classification of a EUR 35 million fine as low, it demonstrates a significant increase for German regulatory fines, which had a reputation of being low pre-GDPR. This is in line with a recent trend in Germany: GDPR fines are going up.
Whilst in 2018, a EUR 20,000 fine for a pre-GDPR data breach was still perceived as high, fines in the millions of Euros might have to be considered the "new normal":
A large internet provider and a large health insurance provider were fined EUR 9.55 million and EUR 1.24 million, respectively, for insufficient technical and organisational measures to ensure data security; and
A residential property company was fined EUR 14.5 million for improper data retention of tenants' personal data.
At the same time, rising GDPR fines are not a German phenomenon. This is also a trend internationally:
Austria: The Austrian Post was fined EUR 18 million in 2020 for allegedly selling personal data, including customer home addresses and possible political affinities, to third parties for marketing purposes.
France: Google LLC was fined EUR 50 million in 2019 for allegedly failing to meet their transparency obligations.
Italy: Fines were issued to TIM (2020: EUR 27.8 million) and Wind Tre S.p.A. (2019: EUR 16.7 million) inter alia for allegedly unlawfully processing personal customer data for direct marketing.
UK: In 2019, an airline and a hotel company were tentatively fined GBP 183.4 million and GBP 99.2 million, respectively, following cyber-incidents that allegedly resulted in customer details being harvested by attackers.
These fines suggest that data protection regulators across the EU are becoming increasingly willing to levy significant fines to ensure compliance with GDPR.
Key lessons to learn from recent GDPR enforcement actions
GDPR enforcement is a sharp sword, which regulators are starting to make full use of. What is important for your company in light of these enforcement trends?
Awareness – All individuals in an organisation have to be aware of their role and responsibilities. Potential fines do not only damage a company's business, but can also significantly damage its reputation and customer trust.
Compliance – GDPR compliance programs are continuous and ongoing processes. Data privacy and security measures should be kept up to date to avoid breaches and reduce sanctions by demonstrating a robust data governance structure to the regulator.
Take action – If a data breach occurred, swift action to gather the facts as well as implementing the right remedies and cooperating with regulators can reduce the amount of a fine significantly.
Whether you have indications for a potential data breach in the past or whether you seek an assessment of your company's current data protection efforts – please get in touch with us, we will be happy to assist.