When Must a Data Breach Be Reported?

Shortly before the General Data Protection Regulation (GDPR) came into force, many companies feared that the GDPR, with its substantial fines, would ruin many businesses. Therefore, companies sought to adapt their internal processes to the GDPR as quickly as possible.

Now, one year after the GDPR, the initial enthusiasm among many companies has waned.

This may be attributed to the fact that, to date, no substantial fines have been widely imposed in Germany. However, this situation is set to change.

Therefore, our first appeal is: Continue to advance the necessary measures for implementing the GDPR and establishing a data protection management system within your company.

Prevent data privacy breaches!

We would like to draw your attention to a data protection issue that is not widely known among many companies.

Pursuant to Art. 33 (1) GDPR, in the event of a personal data breach, your company must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

This means that, as a matter of principle, every data protection violation must be reported to the supervisory authority! The only exception is the one provided in Art. 33 (1), second sentence, GDPR: a breach that is unlikely to result in a risk to the rights and freedoms of natural persons.

In the event of a data breach, you should have the applicability of this exception reviewed solely by a sufficiently qualified lawyer or your data protection officer. Should you erroneously assume that the exception applies, the incorrect assessment will be at your expense.

Furthermore, it should be noted that merely failing to report to the supervisory authority can result in fines of up to €10 million, or, for undertakings, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In addition, there will be the fine for the actual data protection violation.

However, properly reporting a data protection breach does not mean that no fine will be imposed on your company for the breach itself. Proper reporting only spares your company the additional fine for failing to report.

Therefore, our second appeal is: Immediately contact your data protection advisor if you identify a data protection breach within your company. 72 hours is not a long time!

For any questions regarding this topic or in the event of data protection incidents, we are at your disposal.

GoldbergUllrich Attorneys at Law 2020

Attorney Michael Ullrich, LL.M. (Information Law)
Specialist Lawyer for IT Law