Cordery

Legal.Compliance.

Client Alert: German Court reduces 1&1 GDPR Fine

Introduction

In December 2019 we reported on what was Germany’s second highest GDPR fine against 1&1 GmbH of €9.55m. You can read that alert here https://www.corderycompliance.com/german-telecom-provider-1and1-fined-9-55m-for-gdpr-breach/

We said in our alert that 1&1 would appeal and that appeal has just been heard by the District Court in Bonn. The fine was reduced to €900,000. 1&1 has said that it is examining the judgment and reserves the right to take further legal action.

What did the court say?

The court lowered the penalty because “the fault of the telecommunications service provider is minor”. There are more details of the case in our original alert. The court said in its judgment that there was no knowledge of further problems in the authentication practices in the company.

What did the data protection authority say?

The Federal Commissioner for Data Protection and Freedom of Information ( BfDI ), Professor Ulrich Kelber, said that the court had confirmed 1&1’s liability and said that the fine “shows that data protection violations are not without consequences…I am convinced that this decision will be taken into account in the boardrooms of companies. .. No company can afford to neglect data protection any longer.”

What does this case tell us?

The case reminds us that, as we said before, data protection authorities are likely to face challenges to high fines in the courts. In some respects, the fine mechanism in GDPR is based on the system in use in competition law cases where the success rate in appeals has been high. When dealing with a data breach we use a 4-step process:

  • Investigate
  • Assess
  • Remediate
  • Mitigate

There is more on that 4-step process here https://www.corderycompliance.com/dealing-with-a-breach/. Any organisation faced with a penalty from a DPA should consider carefully the representations it makes when served with a Notice of Intent and should also consider the prospects of a successful appeal. 1&1’s fine reduction to less than 10% of the original fine underlines that strategy.

There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply.  More details are at www.bit.ly/gdprnav.

For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong
Cordery
Lexis House
30 Farringdon Street
London EC4A 4HHOffice: +44 (0)20 7075 1784
jonathan.armstrong@corderycompliance.com		 Andre Bywater
Cordery
Lexis House
30 Farringdon Street
London EC4A 4HHOffice: +44 (0)20 7075 1785
andre.bywater@corderycompliance.com

 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.