According to recent press reports, since the EU General Data protection Regulation (GDPR) came into force in May 2018, German data protection authorities have issued 41 GDPR-related fines. The highest fine in a single case is reported to have been EUR 80,000, and the majority of fines (33) originated from the state of North-Rhine Westphalia.
Fines were levied for a variety of GDPR violations, such as inadequate technical and organizational security measures, non-compliance with information duties and sending unauthorized marketing e-mails.
Reportedly, only some GDPR violations were sanctioned with a fine because some authorities granted a “grace period,” during which fines were set at lower amounts than they could/should have been or not issued at all.
However, grace periods should not be relied on because it’s unclear how long they will last. And it’s good to keep in mind that fines can be substantial: the maximum fine under the GDPR may reach EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher), depending on the type and extent of the GDPR violation.