Germany: Another Million Euro Fine under the GDPR in Germany - What does it tell us?

In brief

The Hamburg Commissioner for Data Protection and Freedom of Information ("Hamburg DPA") imposed a 35.5 million Euro fine on the German subsidiary of a global fashion company for violations of the GDPR. This is the highest GDPR fine known in Germany so far.

It follows:

  1. the 14.5 million Euro fine imposed in October 2019 by the Berlin Commissioner for Data Protection and Freedom of Information ("Berlin DPA") against a real estate company for violating data retention requirements (as the company ignored warnings from the Berlin DPA to take corrective measures and implement an appropriate data deletion concept),
  2. the 9.5 million Euro fine imposed in December 2019 by the Federal State Data Protection Commissioner ("Federal DPA") against a telecommunication company for insufficient authentication procedures in its customer call center, where customer service personnel disclosed customer data to callers, as well as
  3. the 1.2 million Euro fine imposed in June 2020 by the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg ("Baden-Württemberg DPA") against an insurance organisation for using personal data of lottery participants for advertising purposes without their consent.

According to the Hamburg DPA, some of the German fashion company's service center employees had been subjected to comprehensive monitoring of their private lives for several years. Some supervisors collected and retained very detailed information obtained through conversations with their employees and floor talks about employees' vacation experiences, health conditions, health diagnoses, family issues and religious beliefs, including how those aspects developed over a longer period of time. Such information was partly stored digitally and made accessible to up to 50 other supervisors. The information was even used to make employment-related decisions.

As set out in the press release issued by the Hamburg DPA, this practice became known when the records containing the respective data were accidentally accessible company-wide for several hours in October 2019. The Hamburg DPA learned of this practice through press reports and initiated an investigation. As part of this investigation, the fashion company was ordered to hand over the network drive containing 60 gigabytes of records. The Hamburg DPA stated that the 35.5 million Euro fine took into account, as mitigating factors, the cooperation of the fashion company during the investigation and the various corrective measures taken by the company (such as apologies and financial compensation to the affected employees, as well as the introduction of a comprehensive data protection compliance concept).

Despite the concept published by the German data protection authorities in October 2019 for determining a fine under the GDPR by taking the annual turnover into account [see our publication], the Hamburg DPA did not quote the specific legal bases that were violated and unfortunately did not explain which factors it took into account to arrive at an amount of 35.5 million Euros. Overall, this case seems comparable with the case decided by the Berlin DPA in October 2019 that led to the 14.5 million Euro fine. In both cases the DPAs identified a serious violation of the GDPR: in the Berlin case, not implementing an appropriate data retention and deletion concept despite warnings by the Berlin DPA to take action; in the Hamburg case, processing sensitive data of employees relating to their private lives without any connection to the employment relationship.

It is not unlikely, though, that the fashion company will challenge the amount of the fine in court. The telecommunication company that was fined 9.5 million Euros in 2019 by the Federal DPA has initiated legal proceedings. The court will need to determine whether the authentication procedure of the telecommunication company was in fact insufficient in light of state-of-the-art security measures, whether a fine can be imposed against a legal entity under the German Administrative Offence Act, and whether the amount of the fine is appropriate in light of the annual worldwide turnover of the telecommunication company.

© 2021 Baker & McKenzie.