Fining practice
Trend: Have the national data protection authorities in Germany focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
It cannot be clearly stated whether German data protection authorities deliberately focus on certain types of violations. However, it can be observed that the majority of all German fines have been issued either due to insufficient legal bases for data processing (Art. 5, 6 GDPR) or due to deficiencies in information security (Art. 32 GDPR).
The fines imposed in Germany so far cover a fairly balanced range of sectors, in particular the real estate sector, the finance, insurance and consulting sectors and the processing of employee data. Looking solely at the amounts of the fines, it can be observed that two of the three largest German fines (H&M and notebooksbilliger.de, see below) have been imposed in connection with the processing of employee data.
Overall, what was the most significant fine in Germany to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
The highest GDPR fine in Germany to date was imposed on H&M Hennes & Mauritz Online Shop A.B. & Co. KG on 1 October 2020 in the amount of EUR 35,26m due to an insufficient legal basis for data processing (ETid-405). It was revealed that H&M, a fashion company based in Hamburg, operated a service centre in Nuremberg where private information on employees, including special categories of personal data (e.g. symptoms of illness and diagnoses, obtained inter alia from "welcome back!" conversations), had been comprehensively recorded and stored on a network storage since at least 2014. In addition, according to the Hamburg data protection authority, some supervisors also obtained knowledge about employees, for example about family problems and religious beliefs, from casual workplace conversations. The information stored on the network storage was accessible to up to 50 managers at the company and was used, among other things, to evaluate work performance and make decisions regarding promotions. The second highest fine (ETid-519) was also related to the processing of employee data.