morton douglas markenrecht 3.jpglukas kalkbrenner markenrecht.jpg

First GDPR fine imposed in Germany

The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (“LfDI”) imposed the first fine in Germany on the basis of the EU General Data Protection Regulation (GDPR) on November 21, 2018.


At the beginning of September 2018, the chat provider "Knuddels" based in Baden-Württemberg found out that personal data of over 300,000 users had been stolen and published online as a result of a hacker attack in July 2018. This data breach was made possible because the company had stored the user passwords unencrypted in plain text. Thus, "Knuddels" violated the obligation pursuant to Art. 32 para. 1 lit. a GDPR to ensure data security in the processing of personal data.

Both the notification of the data breach to the competent state data protection authority and the information of the affected users in each case took place within the strict statutory period (72 hours or immediately).

Procedure of the LfDI

In view of the framework for fines of up to EUR 10 million or 2% of the worldwide annual turnover of the previous financial year in the case of infringements of Art. 32 GDPR, the fine of EUR 20,000.00 imposed by the LfDI is moderate at first glance. In its press release, the state data protection authority emphasizes that the very good cooperation of the company with the LfDI, the exemplary transparency and the high speed with which measures to improve the IT security architecture were implemented after the data breach became known were decisive factors in this.


Even if the amount of the fine is moderate, it must be emphasized in that regard that the fine was not imposed because of the data breach as such - if it had not been notified within the prescribed period, this would rather have led to the perpetration of an independent, additional offence. On the contrary, the reason for the fine was solely the inadequate internal technical protection of the passwords. The subject of the proceedings was therefore an internal failure of the company, which became known through an unlawful act of a third party. The case also concerned data that could not be classified as sensitive.

In principle, it is to be welcomed that the LfDI does not focus on the deterrent effect of fines when inflicting penalties for insecure data processing procedures, but on their proportionality and thus on data security for the persons concerned. It remains to be seen whether other German state data protection authorities will follow this example. Nevertheless, this first GDPR fine in Germany, which was imposed just six months after the new regulation came into force, makes it clear that the authorities are serious. As a result, companies will not be able to rely on the fact that data protection could lose importance again. On the contrary, it can be assumed that in the case of genuine failures, where the authority comes to the conclusion that the company has so far insufficiently addressed the implementation of the GDPR, significantly higher fines will be imposed.

1:1. This is how we work together. You decide upon a competent partner; he/she will then remain your point of contact. > more