Knuddels Pays a Small Price for Overlooking Data Security

Published On December 19, 2018

The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) has become the first authority in Germany to impose a penalty under the General Data Protection Regulation (GDPR) by fining Knuddels, a social media company, €20,000 for breaches of its data security obligations.

Knuddels was hacked in July 2018; passwords and email addresses of around 330,000 of its users were stolen and made public. When Knuddels learned of the attack, it reported the data breach to the LfDI, which found that the company had violated its obligation under Art. 32 of the GDPR to ensure the security of its users’ data by continuing to store that data in an unencrypted, plain text format with no safeguards in place.

Under Art. 83 of the GDPR, the LfDI had the power to impose a fine of up to €10m or up to two percent of Knuddels’ annual global turnover of the previous financial year (if higher). Measured against this existential amount, the fine actually imposed was €20,000. The key reason that the LfDI did not punish Knuddels more harshly was the effectiveness of its data breach response strategy. In this instance, the LfDI was more concerned with improving data security than with levying the highest fine possible. It was satisfied that Knuddels had already markedly increased the security of its users’ data and would continue to do so. As such, it did not feel it necessary to punish the company more harshly.

This decision serves as a reminder of the importance of ensuring that your business has a stringent and well-tested data breach response strategy in place, not only to ensure that customer data security can quickly be restored if the worst should happen, but also as a potential safeguard against facing the full force of the GDPR fine regime.