Germany
Germany's 16 state DPAs plus the federal BfDI produce the EU's highest volume of GDPR enforcement. BaFin supervises financial services, while the BSI is Europe's largest national cybersecurity agency.
Rigorous by design — Germany's Datenschutz tradition shapes EU enforcement across the board
Total Fines Tracked: €71M (EUR equivalent)
Average Fine: €11.8M per enforcement action
Top Sector: Retail (most-fined industry)
Authorities: — (active regulators)
Regulators
Authorities: No authority data yet.
Enforcement
Landmark Cases
AOK Baden-Württemberg
Sector: technology | Fine: €1.2M
The Baden-Württemberg State DPA (LfDI BW) fined statutory health insurer AOK Baden-Württemberg €1.24 million for unlawfully passing the personal data of 500,000 policyholders — including names, addresses, and insurance numbers — to partner lottery operators for direct marketing without member consent. Members were not informed their data would be shared with third-party lottery companies, and the LfDI found no adequate legal basis for the transfer under GDPR Art. 6. AOK had organised branded prize draws with lottery partners and provided member data to enable the lottery operators' own follow-on marketing campaigns.
H&M Hennes & Mauritz AB
Sector: technology | Fine: €35.3M
The Hamburg DPA (HmbBfDI) imposed Germany's largest-ever GDPR fine against H&M for systematically recording hundreds of employees' private life details at its Nuremberg service centre — including family matters, religious beliefs, health conditions, and personal life notes gathered during 'welcome back talks' and routine conversations — storing them on a networked file server accessible to up to 50 managers and using them to make HR decisions. The data collection had continued for years and came to light only when a configuration error temporarily made the records accessible to all company staff in October 2019. H&M acknowledged the violations and introduced remedial measures.
notebooksbilliger.de AG
Sector: technology | Fine: €10.4M
The Lower Saxony DPA (LfD Niedersachsen) fined notebooksbilliger.de AG €10.4 million for operating a pervasive undisclosed video surveillance system that filmed employees at six locations — including workplaces, rest areas, and social rooms — continuously for over two years without adequate legal basis, without informing employees, and far beyond any demonstrable security purpose. The 60 cameras operated without defined retention periods and the footage was never systematically deleted. The LfD found the surveillance violated GDPR Arts. 5, 6, and 13 as well as the data minimisation principle.
1&1 Telecom GmbH
Sector: cybersecurity | Fine: €9.6M
The Federal Data Protection Commissioner (BfDI) fined 1&1 Telecom GmbH €9.55 million for maintaining a grossly inadequate customer service authentication procedure that allowed any caller to access another person's complete account information — including contact details, contract terms, and phone numbers — simply by providing the target's name and date of birth, information obtainable from publicly available sources. The BfDI found this two-element authentication was categorically insufficient given the sensitivity of the account data disclosed and constituted a systemic GDPR Art. 32 failure. The fine was reduced on appeal.
Deutsche Wohnen SE
Sector: technology | Fine: €14.5M
The Berlin Commissioner for Data Protection (BlnBDI) fined real estate company Deutsche Wohnen SE €14.5 million for using an archiving system for tenant personal data — including proof of income, employment history, tax documents, health insurance details, and bank account information — that had no provision for deleting documents no longer required, violating GDPR Arts. 5(1)(e) and 25. The case generated significant EU legal debate: the Berlin Court of Appeal partially annulled the fine in 2021 on grounds that individual organisational fault must be proven, and the Bundesgerichtshof subsequently referred questions on corporate GDPR liability to the ECJ.
Knuddels GmbH & Co. KG
Sector: cybersecurity | Fine: €20,000
The Baden-Württemberg State DPA (LfDI BW) imposed Germany's first-ever GDPR fine — a deliberately modest €20,000 — against the German social networking platform Knuddels for storing approximately 330,000 user passwords in plaintext, leading to a July 2018 breach exposing nearly 2 million user records including emails and cleartext passwords. The LfDI explicitly set the fine low to reward Knuddels' exemplary breach response: the company proactively notified the authority, publicly disclosed the breach in detail, implemented proper password hashing immediately, and co-operated fully with the investigation.
Legal Framework
Regulations by Domain
Technology
Telekommunikations-Telemedien-Datenschutz-Gesetz (Cookie & Tracking Consent)
Bundesdatenschutzgesetz (Federal Data Protection Act 2018)
EU Artificial Intelligence Act
Gesetz gegen Wettbewerbsbeschränkungen (Competition Act — 10th Amendment)
Finance
Geldwäschegesetz (German AML Act)
Digital Operational Resilience Act
Cybersecurity
Digital Operational Resilience Act
BSI-Gesetz (Federal Office for Information Security Act — with NIS2 amendments)