Germany: Another Million Euro Fine under the GDPR in Germany - What does it tell us?

In brief

The Hamburg Commissioner for Data Protection and Freedom of Information ("Hamburg DPA") imposed a 35.5 million Euro fine on a global fashion company's subsidiary in Germany for violations of the GDPR. This million Euro fine is the highest fine known in Germany so far.


It follows:

  1. the 14.5 million Euro fine imposed in October 2019 by the Berlin Commissioner for Data Protection and Freedom of Information ("Berlin DPA") against a real estate company for violating data retention requirements (as the company ignored warnings from the Berlin DPA to take corrective measures and implement an appropriate data deletion concept),
  2. the 9.5 million Euro fine imposed in December 2019 by the Federal State Data Protection Commissioner ("Federal DPA") against a telecommunication company for insufficient authentication procedures in the customer call center before disclosing customer data by customer service personnel to callers, as well as
  3. the 1.2 million Euro fine imposed in June 2020 by the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg ("BadenWürttemberg DPA") against an insurance organisation for using personal data of lottery participants for advertising purposes without their consent.

According to the Hamburg DPA, some of the German fashion company's service center employees have been subject to comprehensive monitoring activities about their private lives for several years. Some supervisors collected and retained very detailed information obtained through conversations with their employees and floor talks about employees' vacation experience, health conditions, health diagnoses, family issues, religious beliefs, including the development of those aspects over a greater period of time. Such information was partly digitally stored and made accessible to up to 50 other supervisors. The information was even used to make employment-related decisions.

As set out in the press release issued by the Hamburg DPA, this practice became known as the records with the respective data were incidentally accessible companywide for several hours in October 2019. The Hamburg DPA learned of this practice through press reports and initiated an investigation. As part of this investigation, the fashion company was ordered to hand over the network drive containing 60 gigabytes of records. The Hamburg DPA stated that the 35.5 million Euro fine took into account the cooperation of the fashion company during the investigation and the various corrective measures taken by the company (such as apologies to the affected employees and financial compensation for such employees, as well as introduction of a comprehensive data protection compliance concept) as mitigating factor.

Despite the concept published by the German data protection authorities in October 2019 for determining a fine under the GDPR by taking the annual turnover into account [see our publication], the Hamburg DPA did not quote the specific legal bases that have been violated and unfortunately did not explain what factors it has taken into account to land at an amount of 35.5 million Euros. Overall, this case seems to be comparable with the case decided by the Berlin DPA in October 2019 that lead to the 14.5 million Euro fine. In both cases the DPAs identified a serious violation of the GDPR, in the Berlin case not implementing an appropriate data retention and deletion concept despite warnings by the Berlin DPA to take actions and in the Hamburg case processing sensitive data of employees relating to their private lives without connection to the employment relationship.

It is not unlikely, though, that the fashion company will challenge the amount of fine in court. The telecommunication company that was fined 9.5 million Euros in 2019 by the Federal DPA has initiated legal proceedings. The court will need to determine whether the authentication procedure of the telecommunication company was in fact insufficient taking into account state of the art security measures, whether a fine can be imposed against a legal entity in light of the German Administrative Offence Act and whether the amount of fine is appropriate in light of the annual worldwide turnover of the telecommunication company.

Copyright © 2023 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.