Thirty years ago, this November, East and West Germans began crossing the Berlin Wall after the German Democratic Republic (GDR) announced that East German citizens could freely visit West Germany and West Berlin. Within a short amount of time, both Easterners and Westerners started tearing down parts of the Wall, symbolizing the subsequent wearing down of the GDR.
With the 30th anniversary of the fall of the Berlin Wall coming up in a few weeks, it seems fitting to view the recent rise of European General Data Protection Regulation (GDPR) sanctions issued by the Berlin Commissioner for Data Protection and Freedom of Information (Berlin DPA).
Germany, unlike other EU member countries, regulates GDPR compliance through its state data protection authorities rather than its federal data protection authority, the Federal Commissioner for Data Protection and Freedom of Information. The Länder (or states) each have their own data protection offices and their own data protection laws to govern the public and private sectors’ data protection obligations. Additionally, the Länder DPAs can issue sanctions for noncompliance with the GDPR.
Since the GDPR has become effective, the Länder DPAs have issued approximately 41 sanctions, with the highest amounts being well under the million-euro fines allowed under the GDPR. The Berlin DPA has issued only a handful of fines against companies for violation of the GDPR, but Berlin appears to be at the precipice of another new trend. In the last two months, the Berlin DPA has issued some of the largest GDPR sanctions in Germany.
In August, the Berlin DPA issued fines against Delivery Hero Germany GmbH for nearly 200,000 euros for “non-compliance with data subject rights, such as the right to information on the processing of personal data, the right to erasure of data and the right to object”. The Berlin DPA stated that the fines were a result of the high number of repeated violations and numerous indications from the supervisory authority that problems existed but solutions were not implemented.
This sanction comes just a few months after the Berlin DPA’s other largest fine in March of this year. That fine was against the online bank N26 for 50,000 euros. The bank kept a list of names of former customers “for money-laundering prevention purposes, regardless of whether they were actually suspected of money laundering”. This increase from March to August is only the beginning of the building-up of GDPR-related fines in Berlin.
The Berlin DPA also recently issued a statement that it “intends to impose a fine of millions in the foreseeable future for violations of the [GDPR]”. The company, the amount of the fines and other information were not disclosed as the matter is still under review. According to the spokeswoman for the Berlin DPA, the fine could “reach tens of millions”. When issued, this fine will be the largest GDPR sanction in Germany and one of the largest fines in Europe since the GDPR became effective. So far only France’s CNIL and the United Kingdom’s Information Commissioner have issued fines close to this amount, with the United Kingdom’s fine yet to be finalized.
After the August sanction against Delivery Hero Germany, the Berlin Data Protection Commissioner, Maja Smoltczyk stated, “I hope these fines will have a warning effect on other companies as well. Anyone working with personal data needs a functioning data protection management system. This not only helps to avoid fines but also strengthens the trust and satisfaction of the clientele.”
The Berlin DPA’s recent GDPR sanctions are just another building block of data protection security in Europe. Thirty years ago, Berlin was vital in tearing down the GDR and reunifying Germany. Today, Berlin is becoming key in building up the power of the GDPR in Germany.
 “Berlin will Datenschutz-Bußgeld in Millionenhöhe verhängen”, Official Capital Portal.
 “Lieferdienst und Online-Bank – Berliner Datenschutzbeauftragte verhängt empfindliche Bußgelder”, Press Release September 19, 2019, Berlin Commissioner for Data Protection and Freedom of Information.
 GDPR Enforcement Tracker.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.