FineME
Tags: cybersecurity, Technology · 2018

Knuddels GmbH & Co. KG

The Baden-Württemberg State DPA (LfDI BW) imposed Germany's first-ever GDPR fine, a deliberately modest €20,000, against the German social networking platform Knuddels for storing approximately 330,000 user passwords in plaintext; when the platform was breached in July 2018, nearly 2 million user records, including e-mail addresses and cleartext passwords, were exposed. The LfDI explicitly set the fine low to reward Knuddels' exemplary breach response: the company proactively notified the authority, publicly disclosed the breach in detail, implemented proper password hashing immediately, and co-operated fully with the investigation.

Fine Imposed: €20,000
Authority: BW-DPA-DE
Regulation: Bundesdatenschutzgesetz (Federal Data Protection Act 2018)
Max fine: GDPR maxima apply (€20M / 4% global turnover); BDSG §43 adds up to €300,000 for certain specific violations
Status: active

Key Takeaways
  • Germany's first GDPR fine was deliberately lenient to incentivise good breach response — the LfDI BW demonstrated that full co-operation, rapid remediation, and proactive transparency materially reduce fine amounts even when the underlying technical failure (plaintext passwords) was serious.