Fine for Violation of Data Protection Regulations

If the duty to appoint a data protection officer is not complied with, or if enterprises otherwise fail to meet data protection requirements, there is a risk of both a fine and a loss of image. Fines for data protection violations may reach dimensions that threaten the very existence of an enterprise.


In June 2013 the Bavarian Data Protection Authority (BayLDA) imposed a massive fine on an employee of a trade company because of an inadmissible data transmission. The employee had transmitted personal data, in the form of e-mail addresses, to other customers of the company via a public e-mail distribution list (the CC field of the e-mail program rather than the BCC field). Since the data subjects had not consented to such a transmission, the Bavarian Data Protection Authority prosecuted.

This makes it clear that data protection infringements are punishable. If an employee commits a data protection offense, a fine may be imposed on the company. The German Association for Data Protection takes preventive measures – such as employee training – to minimize the risk of fines.


10.000.000,00 € or 2 % of the annual turnover, for example:

Designation: No one (or an unqualified person) has been designated as Data Protection Officer, Art. 37(5) GDPR.

Processor Contract: No contract with a processor has been concluded, Art. 28(3) Alt. 1 GDPR.

Records of Processing Activities: The processing activities have not been recorded, Art. 30(1) GDPR.

Data Protection Impact Assessment: The Data Protection Impact Assessment has not been carried out, Art. 35 GDPR.

20.000.000,00 € or 4 % of the annual turnover, for example:

Lawfulness of Processing: Personal data was processed without legal basis, Art. 6(1) (a-f) GDPR.

Rights of the Data Subject: The rights of the data subject have not been implemented, Art. 15-21 GDPR.

Transfer: The standard contract with a recipient in a third country has not been concluded, as long as no other appropriate safeguards exist, Art. 46(2)(c) GDPR.