Data protection is compliance – catalogue of fines is coming?

Currently, many, especially startups, when they hear “privacy”, only see the fact “Oh, I still have to surf the generator for privacy declarations”. This topic is an almost negligible problem and certainly yawningly boring in the everyday life of professional privacy lawyers.

Much more relevant is the question of how one can or must implement data protection in one’s own company. This starts with employment contracts, goes beyond the distribution of tasks, access rights and responsibilities of employees and, of course, ends with the topic of IT security.

And the risk of making mistakes is now enormous. Most data protection authorities seem to be slowly ‘warming up’. For example, the Berlin Commissioner for Data Protection and Freedom of Information alone has issued 27 fines under the GDPR and two fines under the new Berlin
Data Protection Act since the new legal situation came into force. “Supplier Hero” has just hit the court with a fine of almost 200,000 euros, because they did not properly observe the rights of the affected parties and sent advertising by e-mail in spite of objections in several cases.

Many EU countries have already imposed significantly higher fines, e.g. around €660,000 in Poland today.

In addition, the Conference of Independent Data Protection Supervisory Authorities of the
federal and state governments has currently developed a concept for the assessment of fines for violations, although it has not yet been adopted. This should be used in concrete fine procedures to test it for its practicality and accuracy. However, the specific decisions in ongoing fine proceedings are taken on the basis of Article 83 GDPR. The draft is to be harmonised with approaches to the allocation of fines by other EU Member States.

The economic risk of a data breach is manageable if you forget or incorrectly integrate the privacy policy on the website. However, the economic risk can be enormous if a company is negligent in handling user data and disregarding safety aspects or failing to meet certain standards.

Even if pretty much everything in data protection seems to be controversial at the moment and many data protection lawyers, for example, are waiting for the ECJ’s Planet49 decision expected in October, it is clear that most companies also see data protection as a compliance issue and should approach it accordingly.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.