Penalty for lack of data protection officer
The telecommunications provider Rapidata GmbH has not complied with its legal obligation under Article 37 of the GDPR to appoint a company data protection officer, despite repeated requests to do so.
A fine of 10,000 euros was imposed. It was taken into account that this is a company from the category of micro-enterprises.
In Germany, a data protection officer is mandatory when 20 or more employees work with personal data.
In other countries, a data protection officer is only necessary if:
- the processing is carried out by a public authority or public body
- the core activity of the controller or processor consists in carrying out processing operations which, by virtue of their nature, their scope and/or their purposes, require extensive regular and systematic monitoring of data subjects
- the core activity of the controller or processor consists in the extensive processing of special categories of data pursuant to Article 9 or of personal data relating to criminal convictions and criminal offenses pursuant to Article 10.
Decision date:
09.12.2019
Country:
Germany
Type of violation:
violated duty to inform
Affected records:
0
Was sensitive data affected?:
No
Fine imposed:
€ 10,000,-
Violation of GDPR Paragraph:
37. Designation of the data protection officer
Source:
Press release of the German Federal Data Protection Commissioner