Germany

Company

65,000 €

GDPR enforcement action by Data Protection Authority of Niedersachsen on 2020.

Rank · Sector

#93

of 597 in Industry and Commerce

Rank · Germany

#37

of 116

Rank · All fines

#614

of 3,050

Case details

Authority: Data Protection Authority of Niedersachsen
Date: 2020
Controller / Processor: Company
Sector: Industry and Commerce
Quoted Articles: Art. 32 GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The DPA of Lower Saxony has imposed a fine of EUR 65,000 on a company. The reason for the proceedings was a report by the company to the authority regarding a data breach pursuant to Art. 33 GDPR. As a result, the DPA conducted an audit of the company's web presence. In the process, the DPA discovered that an outdated web store application was used on the site, which was no longer provided with security updates. The developer had explicitly warned against further use of this version, as it contained significant security vulnerabilities. The investigations of the DPA further revealed that the passwords stored in the database were not sufficiently secured. The DPA concluded that the technical measures taken by the responsible party were not adequate for the protection requirements of the GDPR, resulting in a violation of Art. 32 GDPR.

Open original source Links to the regulator's original publication or another source.