Germany: LG Bonn, 1&1 case (900,000 EUR fine) final

(in German) AG Bonn, 11.11.2020, 29 OWi 430 Js-OWi 366/20-1/20 LG:

900,000 EUR for weak authentication/process in a call center, which allowed the ex-wife of a customer to get the new mobile number of her ex-husband.

1. To calculate the fine, the court used the global turnover of the group of enterprises (not just the German affiliate).
2. The court did not stick to the GDPR fine catalog of the German DPAs, but rather went much lower..

A nice quote at the end. (via Google translate, with manual fixes)

It should also be taken into account that the publicly effective issue of the fine notice resulted in a damage to K’s reputation. Due to the amount of the fine initially imposed, the public got the impression that it was a matter of a serious data protection breach – also and especially with regard to fault. However, this is not the case.

After carefully weighing all the circumstances relevant to the assessment, the Chamber has determined a much lower fine than the originally proposed on, despite the high range of possible fines ,

900,000 euros

as being appropriate to the act and guilt. This is effective, proportionate and, given the many mitigating aspects, also sufficiently deterrent.

So 900,000 EUR for a non-serious breach.