Company – €65,000 Fine (Germany, 2020)

€65,000Bundesbeauftragter für den Datenschutz1 January 2020Germany
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A company in Germany was fined EUR 65,000 because it used an outdated web store application with security flaws. The app was not receiving updates, and the company failed to secure stored passwords properly. This case highlights the importance of keeping software up-to-date to protect customer data.

What happened

A company used an outdated web store application with known security vulnerabilities and insufficient password protection.

Who was affected

Customers whose data was stored in the company's insecure web store application.

What the authority found

The authority found that the company did not take adequate technical measures to protect personal data, violating GDPR's security requirements.

Why this matters

This case emphasizes the need for businesses to regularly update their software and ensure strong data protection measures. It serves as a reminder that outdated systems can lead to significant fines and data breaches.

GDPR Articles Cited

Art. 32 GDPR
Germany enforcementBundesbeauftragter für den Datenschutz actionsAll Company actions
Full Legal Summary
Detailed

The DPA of Lower Saxony has imposed a fine of EUR 65,000 on a company. The reason for the proceedings was a report by the company to the authority regarding a data breach pursuant to Art. 33 GDPR. As a result, the DPA conducted an audit of the company's web presence. In the process, the DPA discovered that an outdated web store application was used on the site, which was no longer provided with security updates. The developer had explicitly warned against further use of this version, as it contained significant security vulnerabilities. The investigations of the DPA further revealed that the passwords stored in the database were not sufficiently secured. The DPA concluded that the technical measures taken by the responsible party were not adequate for the protection requirements of the GDPR, resulting in a violation of Art. 32 GDPR.

Related Enforcement Actions (20)

Other enforcement actions involving Company in DE

Fine
Jan 2020· Bundesbeauftragter für den Datenschutz

The DPA from Hamburg has issued a fine against a company that operates an online marketplace, especially for worn underwear. The company advertises th...

Fine
Jan 2020· Bundesbeauftragter für den Datenschutz

The DPA from Hamburg as imposed a fine of EUR 13,000 on a company. An individual had booked and attended a course with a company, but had not paid the...

€13K
Current
Jan 2020

Fine

€65K

Fine
Jan 2021· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg has imposed a fine in the six-digit range on a Hamburg-based company operating in the healthcare sector. The company had failed to ...

€500K
Fine
Jan 2021· Bundesbeauftragter für den Datenschutz

The DPA of Brandenburg has imposed a fine on a company. An individual had filed a complaint with the DPA based on the fact that the company produced a...

€5K
Fine
Jan 2022· Bundesbeauftragter für den Datenschutz

The DPA of Niedersachsen imposed a fine of EUR 8,900 on a company. The company had a customer database on the Internet with thousands of entries. Duri...

€9K
Fine
Jan 2022· Bundesbeauftragter für den Datenschutz

The DPA from Baden-Württemberg has imposed a fine of EUR 20,000 on a company. The company had developed a new office plan that took into account the v...

€20K
Fine
Jan 2022· Bundesbeauftragter für den Datenschutz

The DPA of Bremen has imposed a five-digit fine on a company. The company had sent an unredacted social plan to all affected employees in the context ...

€50K
Fine
Sept 2022· Bundesbeauftragter für den Datenschutz

The DPA of Berlin has imposed a fine of EUR 525,000 on the subsidiary of a Berlin-based e-commerce group. The company had appointed a data protection ...

€525K
Fine
Jan 2023· Bundesbeauftragter für den Datenschutz

The DPA of Niedersachsen has imposed a fine of EUR 16,600 on a company in the real estate industry for failing to conclude a joint controllership agre...

€17K
Fine
Jan 2023· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg imposed a fine of EUR 75,000 on a company. An employee had lodged a complaint with the DPA due to the fact that they had to report ...

€75K
Fine
Jan 2023· Bundesbeauftragter für den Datenschutz

The DPA of Hessen has fined a company EUR 25,000. A person had filed a complaint for receiving advertising messages, although they had objected to rec...

€25K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Hessen has imposed a fine of EUR 10,000 on a company. The controller used data for marketing purposes without a legal basis. The company ob...

€10K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Berlin imposed a fine of EUR 60,000 on a healthcare company. The company offers practice management software that includes a patient commun...

€60K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg imposed a fine of EUR 11,500 on a company operating in the advertising industry for failing to comply with its deletion obligations...

€12K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA from Saxony has fined a company EUR 22,080 for failing to sufficiently cooperate with the DPA during an investigation.

€22K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA from Saxony has fined a company EUR 120,000 for failing to provide information requested by the DPA during an investigation.

€120K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg has imposed a fine of EUR 32,000 on a logistics company for incorrectly disposing of delivery lists.

€32K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Hessen has imposed a fine of EUR 496,000 on a company. The DPA identified several GDPR violations, including transmitting customer data to ...

€496K
Fine
Sept 2025· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg has imposed a fine of EUR 195,000 on a company. The controller was active in direct marketing via post and failed to adequately res...

€195K
Fine
Sept 2025· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg has imposed a fine of EUR 492,000 on a company in the finance sector. The controller used automated systems to decide whether to ap...

€492K

Details

Fine Date

1 January 2020

Authority

Bundesbeauftragter für den Datenschutz

Fine Amount

€65,000

Enforcement Tracker ID

ETid-791

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Company - Germany (2020). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: