Data protection is compliance – catalogue of fines is coming?


Currently, when many people, especially startups, hear “privacy”, they only think “Oh, I still have to go to the generator for privacy declarations”. This topic is an almost negligible problem and certainly yawningly boring in the everyday life of professional privacy lawyers.

Much more relevant is the question of how one can or must implement data protection in one’s own company. This starts with employment contracts, goes on to the distribution of tasks, access rights and responsibilities of employees and, of course, ends with the topic of IT security.

And the risk of making mistakes is now enormous. Most data protection authorities seem to be slowly ‘warming up’. For example, since the new legal situation came into force, the Berlin Commissioner for Data Protection and Freedom of Information alone has imposed 27 fines under the GDPR and two fines under the new Berlin Data Protection Act. “Supplier Hero” has just been hit with a fine of almost 200,000 euros because it did not properly observe the rights of the affected parties and, in several cases, sent advertising by e-mail in spite of objections.

Many EU countries have already imposed significantly higher fines, e.g. around €660,000 in Poland today.

In addition, the Conference of Independent Data Protection Supervisors of the Federal Government and the Länder is currently developing a concept for the allocation of fines for infringements, although it has not yet been adopted. It is to be used in concrete fine proceedings to test its practicality and accuracy. However, the specific decisions in ongoing fine proceedings are taken on the basis of Article 83 GDPR. The draft is to be harmonised with approaches to the allocation of fines by other EU Member States.

The economic risk of a data breach is manageable if you forget the privacy policy on the website or integrate it incorrectly. However, the economic risk can be enormous if a company is negligent in handling user data, disregards safety aspects or fails to meet certain standards.

Even if pretty much everything seems to be controversial in terms of data protection at the moment and, for example, many data protection lawyers are waiting for the ECJ’s expected Planet49 decision in October, it is clear that most companies also consider data protection as a compliance issue and should approach it accordingly.
