Maiwald blog articles


Fines for Data Protection Violations in Germany

In 2020, the German data protection authorities imposed total fines in the high double-digit millions. This shows that the initial grace period following the entry into force of the GDPR in 2018 is finally over. Companies (and private individuals) must assume that the number of reported data protection violations will increase, that the authorities will pursue them ever more consistently, and that the risk of (high) fines will therefore also increase.

The sanctioned behaviors range from sending e-mails with an open recipient list, insufficiently protecting applicant data in a job portal, storing personal data of former contractual partners without a legal basis, or disposing of personal data unsecured in ordinary paper waste, to collecting the most intimate information about employees over a period of years (which the responsible Hamburg Commissioner for Data Protection and Freedom of Information punished with a fine of EUR 35,258,708).

The last-mentioned and most heavily fined case involved detailed monitoring of staff in order to base measures and decisions in the employment relationship on the resulting employee profiles, so the data protection breach was at least intentional. Other actions in breach of the GDPR, by contrast, were often the result of mere organizational negligence: obligations under the GDPR were not known, or compliance with them was not ensured by work instructions and internal company processes. Intentional violations are often rooted in a dubious corporate culture and can only be eliminated through cultural change. Organizational misconduct, on the other hand, can be prevented by introducing appropriate measures and training employees, and thus with manageable effort.

In view of the risk of fines of up to €10 million or up to 2% of global annual turnover, or in serious cases even up to €20 million or up to 4% of global annual turnover, all companies should urgently check whether they have implemented the requirements of the GDPR, taken the necessary measures, and sufficiently trained their employees.

Our blog contributions are intended to provide an overview of legal topics, legislation and case law and offer general information rather than specific advice. Please do not hesitate to contact Maiwald, and in particular the authors of the respective contributions, if you have any questions on the topics addressed or on other legal issues.

Elke Wurster

Maîtrise en droit international

Certified Compliance Officer (Univ.)