Small business in Germany hit with €5,000 GDPR fine

A small business in Germany has been issued with a €5,000 fine for inadequate data processing standards, after misplacing one of its contracts, heise online reports.

The problem was identified after a request for personal data was made to the German regulator, in a case that is one of few to result in a fine following the introduction of the General Data Protection Regulation (GDPR) on May 25th 2018.

Germany’s first GDPR fine came at the end of November 2018, when the Baden- Württemberg Data Protection Authority imposed a €20,000 penalty on the social chat service, Knuddels.

On the 17th December 2018, data protection authorities in Hamburg sent a €5,000 penalty notice to a small shipping company named Kolibri Image, citing a violation of article 83 (4) of the GDPR due to the absence of a processing contract.

Discovery of the misdemeanor began with an email from another company to the Hessian Data Protection Commissioner, sent in May of last year, in which advice was requested regarding the failure of Kolibri Image in proving customer data, despite multiple requests being sent. Kolibri Image declined to cooperate, instead laying responsibility at the feet of another contractor.

The actions of Kolibri were deemed in violation of the GDPR, which stipulates that third parties processing data must use an additional data protection contract to detail the security measures taken by the third party, and how they comply with GDPR standards.

Such a contract was not in place between the parties concerned in this instance, leading authorities to conclude that sensitive data had been transmitted to the service provider without the proper legal bases in place.

In aggravation of the circumstances, the practice had been going on for some time and steps had deliberately not been taken to rectify the procedures, despite Kalibri being aware of its duties under the GDPR.

In this instance, neither parties had taken their obligations seriously but had, instead, sought to escape responsibility.

Speaking on behalf of Kolibri Image, Dirk Maass claimed that he had sought the help of a data protection officer in Hesse. Mr Maas underlined his support of proper data privacy procedures and said he would be appealing against the fine.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/