Germany: Another Million Euro Fine under the GDPR in Germany – What does it tell us?

It follows:

1. the 14.5 million Euro fine imposed in October 2019 by the Berlin Commissioner for Data Protection and Freedom of Information (“Berlin DPA”) against a real estate company for violating data retention requirements (as the company ignored warnings from the Berlin DPA to take corrective measures and implement an appropriate data deletion concept),
2. the 9.5 million Euro fine imposed in December 2019 by the Federal State Data Protection Commissioner (“Federal DPA”) against a telecommunication company for insufficient authentication procedures in the customer call center before disclosing customer data by customer service personnel to callers, as well as
3. the 1.2 million Euro fine imposed in June 2020 by the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (“BadenWürttemberg DPA”) against an insurance organisation for using personal data of lottery participants for advertising purposes without their consent.

According to the Hamburg DPA, some of the German fashion company’s service center employees have been subject to comprehensive monitoring activities about their private lives for several years. Some supervisors collected and retained very detailed information obtained through conversations with their employees and floor talks about employees’ vacation experience, health conditions, health diagnoses, family issues, religious beliefs, including the development of those aspects over a greater period of time. Such information was partly digitally stored and made accessible to up to 50 other supervisors. The information was even used to make employment-related decisions.

As set out in the press release issued by the Hamburg DPA, this practice became known as the records with the respective data were incidentally accessible companywide for several hours in October 2019. The Hamburg DPA learned of this practice through press reports and initiated an investigation. As part of this investigation, the fashion company was ordered to hand over the network drive containing 60 gigabytes of records. The Hamburg DPA stated that the 35.5 million Euro fine took into account the cooperation of the fashion company during the investigation and the various corrective measures taken by the company (such as apologies to the affected employees and financial compensation for such employees, as well as introduction of a comprehensive data protection compliance concept) as mitigating factor.

Despite the concept published by the German data protection authorities in October 2019 for determining a fine under the GDPR by taking the annual turnover into account [see our publication], the Hamburg DPA did not quote the specific legal bases that have been violated and unfortunately did not explain what factors it has taken into account to land at an amount of 35.5 million Euros. Overall, this case seems to be comparable with the case decided by the Berlin DPA in October 2019 that lead to the 14.5 million Euro fine. In both cases the DPAs identified a serious violation of the GDPR, in the Berlin case not implementing an appropriate data retention and deletion concept despite warnings by the Berlin DPA to take actions and in the Hamburg case processing sensitive data of employees relating to their private lives without connection to the employment relationship.

It is not unlikely, though, that the fashion company will challenge the amount of fine in court. The telecommunication company that was fined 9.5 million Euros in 2019 by the Federal DPA has initiated legal proceedings. The court will need to determine whether the authentication procedure of the telecommunication company was in fact insufficient taking into account state of the art security measures, whether a fine can be imposed against a legal entity in light of the German Administrative Offence Act and whether the amount of fine is appropriate in light of the annual worldwide turnover of the telecommunication company.