On November 21, the Data Protection Authority of Baden-Württemberg issued the first fine under the GDPR in Germany against a social media provider for violating data security requirements (source document in German). The company had notified the authority of a data breach after becoming aware that the personal data of 330,000 users, including email addresses and passwords, had been stolen during a hack. The authority determined that the company violated data security obligations under Article 32 of the GDPR, for example by storing the passwords in clear text. The authority imposed a modest fine of €20,000 and took into account mitigating factors such as the company's willingness to cooperate with the authority.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.