Fines and Controls: Implementation of the GDPR

Do you remember the flood of E-Mails in your inbox in May 2018 that drew your attention to the entry into force of the General Data Protection Regulation? More than half a year has passed since then, and for many the GDPR issue has receded into the background. Not so with the German and European supervisory authorities: although a wave of warnings feared at first had failed to materialise, the first verdicts have been passed and the first fines were imposed.

First fines have been imposed.

In October 2015, the first GDPR fine was imposed in Portugal. It was aimed at a clinic in Portugal that had given non-medical staff access to patient files. This was due to an error in the role and authorisation concept, which did not protect the sensitive data in accordance with the requirements of the General Data Protection Regulation. As a result, a fine of €300,000 was imposed on the hospital operator.

In Germany, the authorities imposed the first fine almost a month later, directed against the operators of the social network “Knuddels”. E-Mail addresses and passwords of over 330,000 users had been stolen by a hacker attack. At €20,000, the amount of the fine was comparatively low because the operators of the portal themselves had informed the data protection authorities after the hacker attack and subsequently cooperated with the authorities in an “exemplary manner” in clarifying the matter and immediately took measures to strengthen the IT security infrastructure, as the data protection officer from Baden-Württemberg reported.

Attention, controls!

In the meantime, systematic controls have also begun. For example, the Bavarian authorities are currently examining the implementation of the General Data Protection Regulation in SMEs. Both occasion-based and non-evident checks are being carried out – i.e. for companies for which complaints have already been received, but also for randomly selected small and medium-sized companies. Affected companies are checked by means of a questionnaire, possibly supplemented by on-site inspections.

We assume that the authorities in other federal states will also carry out similar procedures and random checks.

Not yet clarified: cease and desist letters or not?

The question of whether a wave of cease and desist letters is likely to lead to data protection violations under competition law continues to create uncertainty. The rulings handed down to date by two regional courts and the higher regional court of Hamburg do not give a clear direction: Once it was found that data protection violations are generally admonishable, another district court decided in the opposite direction that they are basically not admonishable. The higher regional court, on the other hand, decided in the second instance that the circumstances of the individual case were important and had to be examined. A flood of warnings is therefore not to be expected at present, but it is worth observing further developments in order to be able to react accordingly if necessary.

In summary, it can be stated so far that the supervisory authorities do not shy away from imposing fines and carrying out inspections – but so far no use has been made of the full fine framework, which provides for fines of up to  10 or 20 million Euros. However, the fines imposed to date also make it clear that prior consultation and safeguarding of IT systems can be not only the legally impeccable but also the more cost-effective way to create legal certainty.

ECOVIS Beijing advises companies in Germany, as in China, on all questions of the General Data Protection Regulation and the effects of the GDPR on their business activities. Contact us to find out more.


Richard Hoffmann

Richard Hoffmann is a partner at ECOVIS Beijing China. Richard obtained an honors degree in law and worked in Germany, the United States, and China for various prestigious law firms prior to joining ECOVIS. In addition to being a member of the board of ECOVIS International, he is Supervisor for the China business of a respected German company and shares his extensive knowledge to students by teaching commercial law in China at SRH Hochschule Heidelberg. He has published more than fifty articles in international magazines, frequently speaks at high profile events in China and abroad and is often invited as a legal expert by international TV stations. Contact:

Ecovis Beijing

Ecovis Beijing is the trusted tax and legal advisor to several embassies and official institutions in China. It specializes in mid-sized international companies and is focused on tax & legal advisory, accounting and auditing. If you’re interested in finding out more about tax and legal, don’t hesitate to sign up for our Newsletter, give us a call +86 10-65616609 or contact us directly via