your data is not a frag grenade
Disclaimer: just a personal opinion, no legal advice, not a lawyer, still in training, just processing what I know/learned/think on my way to becoming an officially licensed data protection officer. Also I struggle with explaining legal concepts in English when I learn them exclusively in German. I write to challenge myself and get better!
When I meet people and talk about data protection law with them, there are misconceptions, especially around some aspects of the GDPR. I even get the impression that people who should know better, like CEOs and politicians, share some of them. One misconception is how supposedly dangerous and explosive the GDPR can be for smaller companies; think anything below Meta, Apple, Google and the like. There are of course different viewpoints and opinions about this even in the literature, but I want to write a bit generally about it.
I think the misconception comes from the fact that people hear about the hefty fines some violations incur for the big guys without knowing the context. In their mind, anyone who violates anything about data protection is indiscriminately hit with millions in fines. That would obviously bankrupt many of the smaller and medium-sized companies. In their mind, I could do something like this to ruin a company:
- I send them my name and the fact that I have Crohn's disease in a contact form on their website.
- They receive it, and by receiving it, storing it on their servers and reading it, they're processing it. And it's personally identifiable information (PII), and sensitive data too, because it features health data.
- But do they fulfill the criteria for processing this sensitive data? Maybe? No?
- Immediately the overseeing body finds out (or I sue!) and they're hit with a 20 million Euro fine. The company can't possibly pay that, so poof - they're gone.
Well, fortunately, I can't throw my data into a company like a frag grenade, and neither can you.
First off, data you haven't asked for and just receive randomly is imposed data. It seems that this is more commonly talked about in German data protection material, because I can't find much about it in English, but we know this as "aufgedrängte Daten". This can happen if people send you more data than you asked for or need, or if you're the wrong recipient - think you're IT support and someone sends you a screenshot of their IT issue, but the screenshot also accidentally contains confidential PII (personally identifiable information); or someone uses your contact form and enters that data; or someone's typo in an email address has your company receiving their private correspondence with PII accidentally.
It's generally agreed upon that you aren't violating anything by receiving them; obviously, it's not your fault. You just have a duty to delete them. You're not on the hook for this.
Next up, would the overseeing body really come down on you even if it were a violation?
They'd have to find out about it first. If you're a dutiful company, you'll follow Art. 33 GDPR and report any violations that occurred to the necessary authorities. Without that, it's harder to find out. From what I've learned in my study materials, seminars and talking to our DPO at work, if you don't report anything, that makes you extremely suspicious, because most are reporting things consistently. Violations happen all the time. They are usually no big deal.
It makes sense: punishing each infraction heavily would not be beneficial for the overseeing body, because who would report themselves for draconian fines? They prefer going easier on companies (within their given leeway) because it's preferable to find out about violations at all than for them to be kept secret for fear of fines. This is actually a bigger topic in German data protection material because our laws also have an understanding of preventing self-incrimination ("Selbstbezichtigung"), and it can partially conflict with the GDPR's duty to demonstrate compliance ("Rechenschaftspflicht") in Art. 5 II GDPR.
So what usually happens is advice, warnings, ordering a hold on processing this data or forbidding it altogether. Those are many steps before anything big happens. But what if it does? What about the fines? What if someone sues?
It's easy to read Art. 83 IV, V GDPR and get the impression that anything between 10 and 20 million is the norm. That leaves out that it actually says "up to", and it ignores that this is about violating any aspect of the GDPR, not just the aspect of mishandling or illegally using PII. That means it could also be a violation like not having a data protection officer, or not taking enough technological and organizational measures to protect the data, without anything yet having occurred.
The authority needs to make sure the fines are "effective, proportionate and dissuasive", emphasis on proportionate. It's decided based on the kind and severity of the infraction and more, see Art. 83 II a) - k). Of course, size of the operation and turnover are, in practice, somewhat considered. Even if you violate one of the more severe things, you can actually bring the fines down significantly if you are upfront, cooperative and transparent, show implemented measures to prevent this in the future, didn't gain financially, and had neither intent nor negligence behind it, just to name a few things that are actively included in that article in writing. This again also shows why imposed data would be hard to fine; you were neither negligent nor intentional.
Plus, if you have multiple infractions, the fines for each don't add up into a total. It says the total amount of the fine "shall not exceed the amount specified for the gravest infringement". That effectively means you only pay the fine for the worst offense.
Just a sidenote: the 2% and 4% of annual turnover mentioned are for the big guys, because they exist for when the 10-20 million aren't enough. It would be peanuts for Meta, after all. They choose whichever is higher, and if 2% of your annual turnover is higher than the 10 mil, they might take that. But it's nothing that is actively threatening smaller companies, or lowering it for them either.
To see it in practice, there is this useful website tracking enforcement of GDPR fines. You'll see, among other information, what was quoted as the violation and the amount of the fine. It varies greatly. The lowest fine recorded on that list is zero. If we consider that a mistake, typo, lie or whatever, the lowest before that is 28 Euro. Even Google Ireland Ltd. paid a 28 Euro fine in 2020 for violating Art. 12 and 15 GDPR.
So no, companies aren't generally handling some sort of powder keg when getting your personal data. And if they're afraid it is so, there is one good solution - having a proper data protection officer (which can also be hired externally) and getting legal advice from lawyers. It's not impossible to comply, and you aren't immediately wiped from existence for a mistake.
Ironically, the CDU and SPD mentioned in their coalition paper that they want to reduce the number of officers, delegates, reps... however you might translate "Beauftragte"... that are legally required for small and medium-sized companies, and it's not clear if data protection officers are affected too. Great! In times of ever-increasing tech and AI, let's free the 250-employee companies from the flimsy shackles of a mere advisor/consultant so they can save some money! ... that they then might lose to lawyers and legal proceedings and fines. Just my kind of humor! Just like seeing how the SPD (not the FDP!) is campaigning for fewer jobs.
Published 17 Apr, 2025