German Court Dramatically Reduces GDPR Fine by 90%

Dramatic reduction in a GDPR fine shows companies the value of questioning the legality of fines imposed.



LONDON (Within The Law) - German prosecutors have dramatically reduced the scale of a GDPR fine, raising questions about how severe data protection restrictions will prove to be.

Since the introduction of the new European data protection regulations, one of the biggest questions has been whether authorities would flex their muscles and impose the full level of fines permitted under the rules. 

So far, Germany has been one of the most enthusiastic enforcers of the rules and has issued a number of landmark penalties. However, one of them has now been revised by the Regional Court of Bonn with a staggering 90% reduction.

Ever since the introduction of GDPR, data protection authorities across the continent have been debating the finer points of enforcement. At stake was a firm structure for how the rules would be enforced and fines imposed.

The big fear with GDPR centred around the potential scale of a fine (up to €20 million or 4% of turnover) for the most serious offenders. It wasn’t long before many people were predicting a host of bankruptcies due to fines. 

The pressure was on, then, to come up with a documented structure for imposing fines that is proportionate and strikes the right balance between penalising non-compliance and avoiding draconian, business-killing fines.

In Germany, the answer was to introduce a five-step structure which begins with a company’s size and average turnover before taking the scale of the fine into consideration. It was using this structure that authorities imposed a number of major fines, including a €9.55 million fine for a 1&1 call centre after an agent released a mobile number to a caller who falsely claimed to be the wife of one of their customers.

This person later used the phone number to stalk the customer in question. The call centre had failed to apply sufficient authentication factors, asking only for the name and birthdate of the customer.

However, the Regional Court chose to reduce the fine to just €0.9 million. Although it agreed the processing of personal data had been unlawful, it considered that the breach related to just a single event, which did not involve sensitive data or a high volume of information.

The full details of the case have not been revealed and 1&1 still has the option of appealing. However, the biggest lesson for companies is that it’s well worth appealing fines imposed by DPAs, as they may be legally questionable.

(Written by Tom Cropper; edited by Klaudia Fior)
