Numerous individual violations of data protection law are now showing their effects: The Berlin Commissioner for Data Protection and Freedom of Information has imposed fines in excess of €195,407, including fees, on Delivery Hero Deutschland GmbH. According to Netzpolitik.org, this is the highest GDPR fine ever imposed in Germany.
Until 1 April, 2019, the company owned the brands Lieferheld, Pizza.de and foodora, which were then taken over by the Dutch Takeaway.com group.
In particular, the non-observance of the rights of data subjects had been the reason for the data protection commissioners to impose the fines. These include, for example, the right to information on the processing of their own data, the right to deletion and the right to object. Also, the data of former customers had not been deleted for years, even though they were no longer active on the delivery service platform. Former customers had also complained that they had received unsolicited advertising e-mails. According to the press release of the Berlin Data Protection Commissioner, an individual had received 15 more such e-mails despite an explicit objection. Also with regard to the requirement of self-regulation, the company either did not react at all, reacted only in part, or reacted only when the data security commissioner had intervened.
It is emphasized that every company that processes personal data must be technically and organisationally in a position to fulfil such requests from data subjects without delay. Delivery Hero Deutschland GmbH had explained that some of the violations were due to technical errors or employee oversights. However, due to the high number of violations, the data protectors assume fundamental organizational problems.
The supervisory authority had often pointed out deficits, but sufficient measures had not been implemented over a long period of time. Some of the infringements were committed before the GDPR came into force, which is why the fine was split, but they all happened before Takeaway.com took over.
New Owner Promises Data Protection Review
In each individual case, a number of criteria were used to determine the amount of the fines. Thus, in addition to the nature, gravity and duration of the infringement, account was also taken of the measures taken by the company to avert or mitigate the consequences. The new trade mark proprietor gave an assurance that it would take the fines as an opportunity to re-examine the case. Great importance is attached to compliance with data protection law.
In total, the Berlin Commissioner for Data Protection and Freedom of Information has imposed 27 fines under the GDPR since it came into force, and two under the new Berlin Data Protection Act. It recommends that Berlin founders attend the twice-monthly start-up consultation hour so that questions can be clarified at an early stage.