On 21 November 2018, the data protection authority of Baden-Württemberg, Germany (the “authority”) imposed a fine of EUR 20,000 against a German social media provider (the “company”) for failing to encrypt user passwords. The authority’s decision marks the first time that a fine was imposed on a company for violating the European General Data Protection Regulation (GDPR) in Germany (here: Art. 32(1)(a)).

Email addresses and passwords of about 330,000 users of the company’s social media website were hacked and published on the Internet. The company notified the authority of the personal data breach and provided extensive information concerning its data processing activities. The company also informed its users of the breach in accordance with the applicable GDPR provisions.

From the information provided by the company, the authority learned that user passwords were stored unencrypted. Pursuant to Art. 32 of the GDPR, companies shall implement appropriate technical and organizational measures to secure personal data so that the rights and freedoms of the concerned natural persons are protected. To determine the appropriate measures, companies must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing the personal data. Based on those considerations—and the fact that encryption of personal data is listed as an appropriate measure in Art. 32(1)(a) of the GDPR—the authority determined that the company should have encrypted user passwords, rather than processing them in plain text, to grant a level of protection appropriate to the risks. Consequently, the authority concluded that the company had violated Art. 32(1)(a) of the GDPR and applied a fine pursuant to Art. 83(4).

The fine could have been as high as EUR 10 million or 2 percent of the company’s worldwide turnover of the previous year, whichever is higher. However, when determining the amount of the fine, the authority considered the efforts taken by the company to implement the measures ordered and suggested by the authority and the company’s willingness to cooperate, in a very positive collaboration, with the authority.


This article was originally published on AllAboutIP – Mayer Brown’s blog on relevant developments in the fields of intellectual property and unfair competition law.