Fines according to DSGVO in Germany
The General Data Protection Regulation (GDPR; German: DSGVO) provides for fines for data protection violations. Fines can amount to up to 20 million euros or, for companies, up to four percent of global annual turnover, whichever is higher.
The competent supervisory authorities are responsible for assessing, prosecuting and punishing data protection violations. In particular, the Federal Data Protection Commissioner and the data protection commissioners of the German states are responsible for imposing fines.
Fines 2021 – August 2023 from EUR 50,000
(Reference: Website of the respective supervisory authority)
Date of the decision: 2.8.2023
Addressee: Humboldt Forum Service GmbH
Amount of the fine: 215,000 EUR
Authority: Berlin Commissioner for Data Protection and Freedom of Information
Provisions DSGVO: Art. 9 para. 1, Art. 6
Facts: list with personal data on employees in probationary period (3 further fines totaling EUR 40,000 for lack of involvement of the data protection officer)
Date of the decision: 15.6.2023
Addressee: Mail order company
Amount of the fine: 50,000 EUR
Authority: State Commissioner for Data Protection of Lower Saxony
Provisions DSGVO: Art. 21, Art. 15
Facts of the case: e-mail newsletter without unsubscribe option, failure to provide a data subject with requested information
Date of the notice: 31.5.2023
Addressee: Unknown Berlin bank
Amount of the fine: EUR 300,000
Authority: Berlin Commissioner for Data Protection and Freedom of Information
Provisions DSGVO: Art. 9 para. 1, Art. 25 para. 2, Art. 7 para. 3, Art. 13 para. 1 lit. c
Subject matter: Lack of transparency in automated decision making
Date of the decision: 18.10.2022
Addressee: Corona Teststation
Amount of the fine: 52,500 EUR
Authority: Berlin Commissioner for Data Protection and Freedom of Information
Provisions DSGVO: Art. 22 para. 3, Art. 5 para. 1 lit. a, Art. 15 para. 1
Facts: Mandatory information on nationality, lack of data protection notice
Date of the decision: 21.9.2022
Addressee: Unknown construction company
Amount of the fine: 50,000 EUR
Authority: State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Provisions DSGVO: Art. 6 para. 1, Art. 14
Subject matter: Submission of purchase offers without information and disclosure of the origin of the data, in particular regarding the owner's position
Date of the decision: 20.9.2022
Addressee: Subsidiary of an e-commerce group
Amount of the fine: EUR 525,000
Authority: Berlin Commissioner for Data Protection and Freedom of Information
Provisions DSGVO: Art. 38 para. 6 sentence 2
Facts: Conflict of interest of the company data protection officer
Date of decision: 28.7.2022
Addressee: Hannoversche Volksbank
Amount of the fine: EUR 900,000
Authority: State Commissioner for Data Protection of Lower Saxony
Provisions DSGVO: Art. 6 para. 1 lit. f
Subject matter: Evaluation of data of current and former customers for profiling for advertising purposes
Date of the decision: 26.7.2022
Addressee: Volkswagen AG
Amount of the fine: EUR 1.1 million
Authority: State Commissioner for Data Protection of Lower Saxony
Provisions DSGVO: Art. 13, Art. 28, Art. 35, Art. 30
Subject matter: Records in the context of research drives for driving assistance systems
Date of the decision: 10.3.2022
Addressee: VfB Stuttgart
Amount of the fine: 300,000 EUR
Authority: State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Provisions DSGVO: Art. 5 para. 2
Facts: Violation of accountability under data protection law by transferring personal data to a service provider without naming the purpose and legal basis
Date of the decision: 3.3.2022
Addressee: Brebau GmbH
Amount of the fine: EUR 1.9 million
Authority: State Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen
Provisions DSGVO: Art. 6 (1), Art. 5 (1), Art. 9 (1), Art. 12 (1), Art. 15
Facts: Processing of data on prospective tenants without legal basis
Date of the decision: 3.1.2022
Addressee: Unknown company
Amount of the fine: 75,000 EUR
Authority: Saarland Independent Data Protection Center
Provisions DSGVO: Art. 5 para. 1 lit. a, Art. 6 para. 1
Facts: Inadmissible sending of advertising by e-mail and inadmissible tracking
Date of the decision: 24.9.2021
Addressee: Vattenfall Europe Sales GmbH
Amount of the fine: EUR 901,389
Authority: Hamburg Commissioner for Data Protection and Freedom of Information
Provisions DSGVO: Art. 12, 13
Facts: Matching and evaluation of contract inquiries without proper information about the evaluation, violation of transparency obligations
Date of the decision: 6.5.2021
Addressee: Healthcare company
Amount of the fine: 105,000 EUR
Authority: Hamburg Commissioner for Data Protection and Freedom of Information
Provisions DSGVO: Art. 32 para. 1
Facts: Incorrect sending of doctor's letters (data breach)
Date of decision: 4.1.2021
Addressee: Callcenter it! GmbH & Co. KG
Amount of fine: 145,000 EUR
Authority: Federal Network Agency
Provisions: Section 7 (2) no. 2 and no. 3 of the German Unfair Competition Act (UWG)
Facts: Unauthorized telephone advertising
Date of decision: 8.1.2021 (publication)
Addressee: notebooksbilliger.de AG
Amount of fine: EUR 10.4 million
Authority: State Commissioner for Data Protection of Lower Saxony
Provisions DSGVO: Art. 6 para. 1
Facts: Unauthorized video surveillance of employees
Date of the decision: 17.2.2021
Addressee: mivolta GmbH
Amount of fine: EUR 250,000
Authority: Federal Network Agency
Provisions: Section 7 (2) no. 2 and no. 3 of the German Unfair Competition Act (UWG)
Facts: Call center made advertising calls without effective consent
Date of decision: 17.2.2022
Addressee: KiKxxl GmbH
Amount of the fine: 260,000 EUR
Authority: Federal Network Agency
Provisions: Section 7 (2) no. 2 and no. 3 of the German Unfair Competition Act (UWG)
Facts: Energy supplier allowed advertising calls to be made without effective consent