Germany: Baden-Wuerttemberg issued the first GDPR fine

Anny Y
Nov 26, 2018

The first fine imposed under the GDPR by a German data protection authority was issued by the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI). A fine of €20,000 was imposed on a social media company (http://Knuddels.de) for violating its obligation to ensure the security of processing of personal data pursuant to Art. 32 (1) (a) GDPR (obligation to pseudonymize and encrypt personal data).

The Company had contacted the LfDI with a data breach notification following a hacker attack in which the passwords and email addresses of nearly 330,000 users were stolen and published. It turned out that the Company had not encrypted its customers' passwords but had stored them in plain text, and had thus violated Art. 32 GDPR.

The Company could have faced a fine of up to €10 million, or up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83 (4) (a) GDPR). According to the LfDI, the Company's very strong cooperation and its willingness to implement the LfDI's guidelines and recommendations were viewed favorably when calculating the relatively low fine.

It was the third fine imposed in the European Union to be made public. As of the date hereof, fines under the GDPR have also been imposed in Austria (€4,800 for illegal video surveillance) and Portugal (€400,000 for an insufficient data access concept).
