Knuddels GmbH & Co KG, a German social media app, has received the first administrative fine issued by a German supervisory authority under the General Data Protection Regulation (“GDPR”).

The fine of € 20,000 has been levied on Knuddels by the Commissioner for Data Protection and Freedom of Information in Baden-Württemberg (one of 16 regional data protection authorities in Germany) following a hack reported by Knuddels in September which resulted in the personal data of approximately 330,000 users being stolen and subsequently published. Such personal data included users’ emails addresses and passwords.

Considering the high number of data subjects implicated in the breach, the level of the fine appears to be modest (particularly in the context of the increased ceiling for administrative fines introduced by the GDPR). In its press release of November 22 however, the German supervisory authority in question placed particular emphasis on Knuddels’s cooperative behavior during the course of the investigation, which seems to have been taken into account when assessing the appropriate enforcement action.

When Knuddels realized that it had been subject to a hack in early September, it did three things immediately: The company (1) notified the responsible supervisory authority in Baden-Württemberg, (2) provided detailed information to its affected users, without delay, and (3) implemented extensive measures to improve its IT security architecture within a matter of weeks of the breach occurring. Subsequently, Knuddels also committed to implement further IT security features, in line with the recommendations of the supervisory authority and pursuant to the requirements of Article 32 of the GDPR (security of processing).

Knuddels willingly disclosed all details of its data processing practices to the supervisory authority and demonstrated a high level of cooperation throughout the investigation.  The supervisory authority commented that the “transparency of the company was just as exemplary as the readiness to implement the guidelines and recommendations of the State Commissioner for Data Protection and Freedom of Information.”  Knuddels’s willingness to cooperate and take corrective actions clearly had an impact upon the supervisory authority’s approach to the fine.  Having noted that “fines should not only be effective and dissuasive, but also proportionate”, the supervisory authority also explained that the costs associated with Knuddels’s implemented and planned IT-security measures were taken into account when calculating the administrative fine.

Dr. Brink, the Baden-Württemberg Data Protection Commissioner, explained that the Baden-Württemberg supervisory authority “is not interested in entering into a competition for the highest possible fines.  The bottom line is improving privacy and data security for the users.” The Knuddels settlement provides a possible roadmap for the prompt actions that may be taken by a company suffering a data breach that may serve to mitigate penalties under the GDPR.

The full text of the press release can be found here.