In June 2013 the Bavarian Data Protection Authority (BayLDA) imposed a massive fine on an employee of a trade company due to an inadmissible data transmission. The employee transmitted personal data in the form of e-mail addresses to other customers of the company via a public e-mail distributor (CC field in the e-mail program, rather than the BCC field). Since the data subjects had not consented to such transmission, the Bavarian Data Protection Authority prosecuted.
If the duty to appoint a data protection officer is not complied with, or if enterprises fail to comply with data protection requirements, there is a risk of both a fine and a loss of image. Fines for data protection violations may sometimes reach dimensions that threaten the very existence of an enterprise.
Data Protection Infringement – An Example:
This makes it clear that data protection infringements are punishable. If an employee commits a data protection offense, a fine may be imposed on the company. The German Association for Data Protection takes preventive measures – such as employee training – to minimize the risk of fines.
or 2 % of the annual turnover
Designation: No one (or an unqualified person) has been designated as Data Protection Officer, Art. 37(5) GDPR.
Processor Contract: No contract with a processor has been concluded, Art. 28(3) Alt. 1 GDPR.
Records of Processing Activities: The processing activities have not been recorded, Art. 30(1) GDPR.
Data Protection Impact Assessment: The Data Protection Impact Assessment has not been carried out, Art. 35 GDPR.
or 4 % of the annual turnover
Lawfulness of Processing: Personal data was processed without legal basis, Art. 6(1)(a)-(f) GDPR.
Rights of the Data Subject: The rights of the data subject are not implemented, Art. 15-21 GDPR.
Transfer: The standard contract with a recipient in a third country has not been concluded, as long as no other appropriate safeguards exist, Art. 46(2)(c) GDPR.