Smaller companies should draw GDPR fines, Frankfurt's state watchdog says

Smaller businesses such as fitness studios, translation services and car-rental services operating in the central German state of Hesse should face modest fines for failing to comply with EU privacy rules, a senior official from the state's privacy regulator told MLex.

"Small and medium-sized companies know about the GDPR, but they don't comply with it. They are not working intensively on compliance," said Michael Kaiser, who heads the authority's largest department, responsible for banks and credit-information agencies. The financial center of Frankfurt falls under the regional enforcer's jurisdiction.

"I think we will issue fines. We need to discuss internally whether fines are a solution for this, but I think this is the only working solution," Kaiser said in an interview with MLex on the sidelines of a conference* in Paris.

The Hesse data-protection authority hasn't yet levied any fines since the GDPR took effect in May 2018. The law allows for penalties of up to 20 million euros ($22 million), or 4 percent of a company's annual global turnover.

"It's like the traffic," Kaiser explained. "You cannot go after any [speeding] driver and tell them: 'You need to stick to 50 miles per hour.' They get a fine. I think we will come to this kind of process within the GDPR as well, otherwise it won't work."

The official said such enforcement action would be based on complaints, and that fines would be small and proportionate to the size of the business. "What we need is a lot of cases at the bottom, with smaller fines between 100 euros and 1,000 euros," he said, suggesting a different approach to other German privacy regulators that have already imposed a small number of large fines.

Smaller fines are appropriate for smaller businesses that have few resources to put toward complying with the GDPR and that are too busy worrying about making money, Kaiser said.

Fitness studios are among businesses facing the highest number of complaints from individuals for failing to answer their questions under Article 15 of the GDPR, he said. Those provisions require companies to tell people, upon request, whether they hold any personal data on them, and if so to give them a copy of that information. Among other obligations, companies must also state why they are processing the data, whether they use automated decision-making, and if the data are sent to third parties outside the EU.

Unlike smaller companies, banks and other financial institutions based in Hesse are unlikely to face enforcement action because they comply with the GDPR, Kaiser said.

Credit-reporting agencies

Currently, the Hesse regulator has no formal investigations open into possible breaches of the GDPR, Kaiser said. The enforcer strives to resolve complaints informally by seeking answers from the company and by imposing "strong recommendations," he said. Companies want to avoid publicity, and the use of recommendations is an "effective and quick" method for the regulator, too.

Most complaints that land at the regulator's door are against consumer credit-reporting agencies. In the case of one, Schufa Holding, Kaiser said: "We are in contact between five and 20 times a month because of the complaints. We do not need a formal investigation."

Complaints tend to center on how the agencies handle people who fail to get loans, and those on whom the agencies don't have any historical data or those they have branded as showing "bad payment behavior." In those cases, individuals' profiles "typically reflect the truth," Kaiser said, and the regulators' hands are tied. Many complainants decide to take their cases to court, he added.

* International Association of Privacy Professionals Data Protection Intensive: France 2020, Paris, Feb. 12-13, 2020