The GDPR Becomes a Force to be Reckoned With

In May 2018, the General Data Protection Regulation (GDPR) became German law. The GDPR requires companies to handle their customers’ data with care and demands that they report any data breaches within a maximum of 72 hours. Violations can result in fines of up to 20 million euros or 4 percent of annual global sales.

In the first few months, fines were comparatively low; companies affected by data leaks received helpful advice from the data protection authorities rather than draconian punishments. However, in October 2019 the German Data Protection Conference published a standardized calculation key for fines, depending on various economic factors and the severity of the offence.

Escalating Fines

Until late 2018, fines were still in the five-digit range, but now millions of euros can become due: in November, the real estate company Deutsche Wohnen SE was fined 14.5 million euros. Shortly thereafter, it became known that 1&1 Telecom GmbH is to pay 9.55 million euros for inadequate protection of its customer data. Both companies intend to appeal.

In other EU countries, companies face even higher penalties: France demanded 50 million euros from Google in January of 2019; the British Information Commissioner’s Office (ICO) wants 110 million euros from the Marriott hotel chain and 205 million euros from British Airways.

GDPR for Software Vendors

Software vendors are required to ensure that their products collect as little data as possible (privacy by default) and process it as carefully as possible (privacy by design). So far, implementing these principles has been anything but easy: as the German digital association Bitkom notes, the GDPR rules in this area are far from clear. A future evaluation by the EU Commission may be able to remedy this situation.

ADITUS takes data protection very seriously. All employees have been made aware of the issue in company-wide internal training courses. As our understanding of the GDPR improves, the range of relevant features in our solutions is also growing. For instance, the latest versions of the Exhibitor Service Center (ESC) expressly require exhibitors to comply with the data protection guidelines and code of conduct set by the organizer. This topic will remain relevant for the foreseeable future.
