Dr. Stefan Brink, State Data Protection Officer for the State of Baden-Württemberg, announced in a press release back on April 8, 2019, that “2019 will be the year of inspections.”
Ever since the GDPR was introduced on May 25, 2018, it was always just a matter of time before data protection agencies would begin conducting detailed inspections, and reacting to user complaints, as well as, sanctioning data protection violations. The Welt am Sonntag newspaper reported in May of this year that 75 fines, adding up to 449,000.00 €, had already been issued.
The 195,407.00 € fine issued by the Berlin Data Protection Officer, Maja Smotcyk, in August must have established a new German record.
This fine covered a variety of data protection violations by the Berlin company, Delivery Hero SE, the delivery of “unwanted advertising,” which eight people complained about; ten cases of not following through on the “duty to delete;” and five cases of failing to abide by the “Right of Access of the data subject” rules.
The total number of violations were a “mere” 23, all of which could be classified as either medium, if not light, in their severity.
This shows that the introductory phase of the GDPR is over and that the agencies are stringently enforcing the law and are not afraid to impose large fines.
According to GDPR Article 83, Section 5, fines can be as high as 20,000,000.00 € or, in the case of corporations, up to 4% of a company’s total worldwide revenue from the previous year.
Ms. Smotczyk said the following about the fine:
“The issue of data protection has been dealt with very poorly by many companies for a very long time even though it is a very important fundamental right in the digital age. The GDPR acts to correct that. […] I hope these fines have a chilling effect on other companies. Whosoever deals with personal data must have a functional data protection management system. This will not only avoid fines but will strengthen customer confidence and satisfaction. […]”
Further inspections and subsequent five, and six figure fines are to be expected. Companies are obligated to deal with the issue of “data protection” in a decisive way and implement a proper, and integrated data protection management system in their organizations.
Attorney at law
Data protection officer