The first fine under the GDPR in Germany has been imposed. As Security Insider reports, the LfDI (Landesbeauftragter für Datenschutz und Informationsfreiheit) Baden-Württemberg has acted: by decision of Nov. 21st, 2018, a fine of 20,000 Euro was imposed on a social media provider in Baden-Württemberg.

But the report also contains other interesting details. In the months since the GDPR came into force, the data protection authorities were above all described as overburdened; now the data protectors appear to be actually taking action. Security Insider reports:

  • The data protection supervisory authorities are also carrying out very specific audits.
  • The audits focus not only on compliance with key points, but also on compliance with very specific requirements.

Among other things, the audits are to cover:

  • the GDPR compliance of Facebook fan pages
  • the organisation, data processing in compliance with data protection laws, the handling of data subjects’ rights and of data protection violations
  • the secure operation of online shops
  • the protection against encryption trojans (ransomware) in medical practices
  • the fulfilment of accountability obligations by large corporations and medium-sized companies
  • the implementation of the duty to provide information in application procedures
  • the deletion of data in ERP systems (SAP)
  • infringements of data protection by (sub)processors
  • patch management for WordPress
  • patch management for eCommerce systems / online shops (Magento)

The starting point for the first GDPR (DSGVO) fine was a hacker attack.

The handling of personal data is not a pleasant topic for many companies because of the GDPR

What can you now learn from the first GDPR-related fine?

  • The LfDI became aware that the company had stored the passwords of its users in plain text, i.e. neither encrypted nor hashed.
  • The company had reported itself to the authority, which had then carried out a check.
  • The company knowingly breached its obligation to ensure data security in the processing of personal data by not storing such data in an encrypted form.
  • The fine was EUR 20,000 according to Security Insider.
  • In setting the fine, the company's very good cooperation with the LfDI weighed particularly in its favour.
  • The authority therefore considers the fine of EUR 20,000 proportionate.
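To make the root cause of this fine concrete, here is an added Python illustration (not the page's own code and not the provider's system) that puts plaintext storage beside a salted-hash record, plus a simple audit that flags records still held in plain text. The record format, the iteration count and the sample passwords are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters: PBKDF2-HMAC-SHA256 with a per-user random salt.
# Tune the iteration count to your hardware; higher slows offline guessing.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RECORD_PREFIX = "pbkdf2_sha256$"


def store_plaintext(password: str) -> str:
    """The failure behind the fine: the stored record IS the credential.
    Anyone who dumps the user table can log in as every user."""
    return password


def store_hashed(password: str, salt: bytes = b"") -> str:
    """Salted one-way hash. A stolen table cannot be 'decrypted' back into
    passwords; each entry must be guessed at the full PBKDF2 cost."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{RECORD_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] + "$" != RECORD_PREFIX:
        return False  # not one of our records; never treat as a match
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_records(records: list[str]) -> list[str]:
    """Compliance-style check: return every record not in the hashed format.
    Run this over a credential store before a supervisory authority asks."""
    return [r for r in records if not r.startswith(RECORD_PREFIX)]


if __name__ == "__main__":
    # Constructed sample store: one legacy plaintext entry, one hashed entry.
    store = [store_plaintext("hunter2"), store_hashed("correct horse")]
    print("plaintext records found:", audit_records(store))
```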

Municipalities are also audited for compliance with the GDPR

Not only companies, but also authorities are checked for compliance with GDPR guidelines.

150 municipalities in the German state of Lower Saxony have received mail from the responsible state data protection officer. The supervisory authority is checking how well the towns and municipalities have adapted their work to the new requirements and where they still have to make improvements.

GDPR fines: Sectors that are in focus include social media, personnel, health

Companies in the areas of social media, healthcare, and personnel placement / temporary employment are particularly in the focus of the data protection authorities, as our background discussions on the subject with lawyers have shown. These companies should therefore keep a close eye on their GDPR compliance at all times.