Recently, the Berlin Data Protection Authority (Berlin DPA) announced that it would issue a high administrative fine for violations of the General Data Protection Regulation 2016/679 (GDPR). The announcement is available in German on the website of the City of Berlin. The fine will likely be in the double-digit millions of euros. The Berlin DPA further commented that it recently imposed two fines on one organisation in the aggregate amount of €200,000, but did not disclose any further details of the underlying GDPR violations.
The Berlin DPA's announcement marks a clear shift from the previous practice of German Data Protection Authorities of issuing much smaller fines. According to a report in the German newspaper Welt am Sonntag published on 12 May 2019 (available here), German DPAs imposed 81 fines in the first year post-GDPR. These fines ranged from a few hundred euros to five-digit amounts and totalled €485,490 in aggregate.
Comment
The announcement of the Berlin DPA follows in the footsteps of the UK Information Commissioner’s Office’s announcement of its intention to issue separate fines in the amounts of €110 million and €205 million for data security violations (Article 32 GDPR), and the Italian Data Protection Authority imposing a fine of €2 million for telemarketing without consent.
Organisations should continue to close any GDPR compliance gaps and, in particular, be prepared to maintain sufficient documentation to comply with their accountability obligations under Article 5(2) GDPR.