First GDPR fine in Germany: Knuddels has to pay 20,000 euros
In the last few days comments have often pointed out that the sword of the GDPR may not be as sharp as it appeared a few weeks ago. After all, the GDPR provides for fines of up to four percent of the turnover of the previous financial year or 20 million euros.
The authority justified the level of the penalty, which many observers classified as "relatively low", with the good cooperation and also took into account that the company itself had suffered considerable disadvantages as a result of the hacker attack. In addition, Knuddels, after becoming aware of the hacker attack, had endeavoured to achieve transparency and thus contributed to quickly and completely clarifying the circumstances of the attack. In addition, the company had not benefited from any economic advantages and there had never been any reasons in the past to object to data security.
But let's take a closer look at the situation first:
In July of this year, Knuddels was the victim of a hacker attack. The hackers were able to capture the data because the company had stored its customers' passwords in plain text, i.e. neither encrypted nor cryptographically hashed, on its company server (see the LfDI press release for details).
After this hacker attack, the company notified the LfDI in accordance with Art. 33 GDPR.
According to unconfirmed media reports, more than 1 million nicknames and more than 300,000 email addresses and passwords landed on a file-sharing website in early September 2018.
By storing the personal data in plain text, the company violated its obligation to ensure data security in the processing of personal data pursuant to Art. 32 para. 1 a GDPR.
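As an added example (not from the article, the LfDI or Knuddels), here is the plaintext storage the LfDI describes beside the hardened form that the "state of the art" requirement of Art. 32 para. 1 a GDPR points to: a random per-user salt and a slow key derivation function, so that a copied database does not hand over the credentials. The iteration count and the sample users are assumptions for this example.

```python
"""Added example: plaintext password storage beside salted KDF storage."""
import hashlib
import hmac
import os

# Assumed iteration count for this example; tune to your own hardware.
ITERATIONS = 600_000


def store_plaintext(password):
    """What the article describes: the stored record *is* the password.
    Whoever copies the database has every credential immediately."""
    return password


def store_hashed(password, iterations=ITERATIONS):
    """Hardened form: random 16-byte per-user salt + PBKDF2-HMAC-SHA256.
    The record reveals neither the password nor whether two users share one."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_hashed(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample users; the addresses are not real.
    users = {"a@example.test": "hunter2", "b@example.test": "hunter2"}
    plaintext_db = {e: store_plaintext(p) for e, p in users.items()}
    hashed_db = {e: store_hashed(p) for e, p in users.items()}
    print("plaintext dump:", plaintext_db)   # every password readable
    print("hashed dump:", hashed_db)         # salts and digests only
    assert verify_hashed("hunter2", hashed_db["a@example.test"])
    assert not verify_hashed("wrong", hashed_db["a@example.test"])
    # Same password, different salts: the dump does not even reveal the match.
    assert hashed_db["a@example.test"] != hashed_db["b@example.test"]
```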
The question now is: Is the fine imposed in this specific case really as low as it is presented, or is it effective, proportionate and dissuasive, as Art. 83 GDPR requires?
According to the LfDI, the company cooperated fully with the authority. Knuddels "revealed in an exemplary manner both data processing and company structures as well as its own omissions". "The company's transparency was just as exemplary as its willingness to implement the specifications and recommendations of the State Commissioner for Data Protection and Freedom of Information, Dr. Stefan Brink."
These quotations show that the company responsible initiated an incident process (immediate reporting) and also followed it (transparency, remediation, cooperation, etc.) in this specific case in accordance with the regulations, which must of course be taken into account when calculating the fine under Art. 83 para. 2 f GDPR. In addition, the LfDI's announcement states that the company spent a six-figure total amount on the measures to improve IT security undertaken in coordination with the LfDI.
So let's summarize: after the incident (non-compliance with a security standard), the company acted in accordance with the regulations, implemented the suggestions of the LfDI and invested a six-figure amount to do so. No damage occurred to the users, but considerable disadvantages did occur to the company itself, and nevertheless the company receives a fine of 20,000 euros.
On the expenditure side, the company's external legal costs also have to be added.
Against this background, the imposed fine no longer seems as small as some headlines suggested ("Knuddels gets off lightly").
What can we learn from this case?
1. Every company should work in compliance with data protection regulations, in particular take seriously the guarantee of data security in the processing of personal data pursuant to Art. 32 para. 1 a GDPR and work at least in accordance with the current state of the art.
2. Each company should establish an incident process, which should be followed without undue delay and in full cooperation with the supervisory authority, with the assistance of external lawyers where appropriate.
3. Under no circumstances should a company pursue a "petty cash strategy" or a "strategy of successive cooperation", as the authority will treat this as an aggravating factor when determining the amount of the fine in accordance with Article 83 GDPR. In addition, the amount of the fine is determined by the company's turnover.
Cooperation with data protection authorities following a data protection incident of the kind some car manufacturers showed the competent authorities in the emissions scandal would certainly lead to a higher level of possible fines.