In brief

The Hamburg Commissioner for Data Protection and Freedom of Information (“Hamburg DPA”) imposed a 35.5 million Euro fine on the German subsidiary of a global fashion company for violations of the GDPR. This is the highest GDPR fine known in Germany so far.


It follows:

  1. the 14.5 million Euro fine imposed in October 2019 by the Berlin Commissioner for Data Protection and Freedom of Information (“Berlin DPA”) against a real estate company for violating data retention requirements (as the company ignored warnings from the Berlin DPA to take corrective measures and implement an appropriate data deletion concept),
  2. the 9.5 million Euro fine imposed in December 2019 by the Federal State Data Protection Commissioner (“Federal DPA”) against a telecommunication company for insufficient authentication procedures in the customer call center before disclosing customer data by customer service personnel to callers, as well as
  3. the 1.2 million Euro fine imposed in June 2020 by the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (“Baden-Württemberg DPA”) against an insurance organisation for using personal data of lottery participants for advertising purposes without their consent.

According to the Hamburg DPA, some of the fashion company’s German service center employees had been subjected to comprehensive monitoring of their private lives for several years. Some supervisors collected and retained very detailed information, obtained through conversations with their employees and floor talks, about employees’ vacation experiences, health conditions, health diagnoses, family issues and religious beliefs, including how those aspects developed over a longer period of time. Such information was partly stored digitally and made accessible to up to 50 other supervisors. The information was even used to make employment-related decisions.

As set out in the press release issued by the Hamburg DPA, this practice became known because the records containing the respective data were accidentally accessible companywide for several hours in October 2019. The Hamburg DPA learned of this practice through press reports and initiated an investigation. As part of this investigation, the fashion company was ordered to hand over the network drive containing 60 gigabytes of records. The Hamburg DPA stated that the 35.5 million Euro fine took into account, as mitigating factors, the cooperation of the fashion company during the investigation and the various corrective measures taken by the company (such as apologies and financial compensation to the affected employees, as well as the introduction of a comprehensive data protection compliance concept).

Despite the concept published by the German data protection authorities in October 2019 for determining a fine under the GDPR by taking the annual turnover into account [see our publication], the Hamburg DPA did not quote the specific legal bases that were violated and unfortunately did not explain which factors it took into account to arrive at an amount of 35.5 million Euros. Overall, this case seems comparable with the case decided by the Berlin DPA in October 2019 that led to the 14.5 million Euro fine. In both cases the DPAs identified a serious violation of the GDPR: in the Berlin case, not implementing an appropriate data retention and deletion concept despite warnings by the Berlin DPA to take action; in the Hamburg case, processing sensitive data of employees relating to their private lives without any connection to the employment relationship.

It is not unlikely, though, that the fashion company will challenge the amount of the fine in court. The telecommunication company that was fined 9.5 million Euros in 2019 by the Federal DPA has initiated legal proceedings. The court will need to determine whether the authentication procedure of the telecommunication company was in fact insufficient in light of state-of-the-art security measures, whether a fine can be imposed against a legal entity under the German Administrative Offence Act, and whether the amount of the fine is appropriate in light of the annual worldwide turnover of the telecommunication company.

Author

Julia Kaufmann is a partner in the Munich office of Baker McKenzie. She has been admitted in Germany since 2006 and in New York, USA, since 2009. In addition to her studies in Germany, Julia obtained her Master of Laws degree at the University of Texas at Austin, USA.

Author

Dr. Michaela Nebel has been a partner in the Frankfurt office of Baker McKenzie since June 2011 and was admitted as an attorney to the German bar shortly after. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in the Web 2.0. From July until December 2014 she practiced at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP), a Certified Information Privacy Professional/Europe (CIPP/E) since May 2015 and a Certified Information Privacy Professional/United States (CIPP/US) since May 2017. She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English-language commentary on the EU General Data Protection Regulation. In 2017/2018, Michaela received several recommendations for data protection law in kanzleimonitor.de.

Prof. Dr. Michael Schmidl is an honorary professor at the University of Augsburg and a specialist lawyer for information technology law (Fachanwalt für IT-Recht). He is a partner at Baker McKenzie's Munich office and advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Mr. Schmidl also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.

Author

Florian Tannen is a partner in the Munich office of Baker McKenzie with more than 10 years of experience. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and in particular data privacy law. Before joining the Firm, Florian worked for two major law firms and a large US-based technology company.