The Hamburg Commissioner for Data Protection and Freedom of Information imposed a fine of €51,000 on Facebook Germany GmbH in December 2019. The fine was not appealed and the corresponding payment has been made.
In March 2019, the HmbBfDI became aware through a complaint that Facebook Germany GmbH had not notified a data protection officer. In 2017, the Supervisory Authority had been informed that the then Data Protection Officer did not continue to run the Office. However, the notification of a new Supervisor had not been made. This is, however, mandatory under Art. 37 (7) GDPR. Violations of this requirement are subject to a fine in accordance with Art. 83 Para. 4 lit. a) GDPR.
The fine may sound low at first sight. However, adressee is not Facebook with its multi billion euro global turnover, but the German subsidiary on account of a failure to notify their DPO in Germany. Facebook Germany GmbH is a company with an annual turnover of around 35 million, whose business - in contrast to the parent company - is not the processing of personal data of users. Given the negligence of the breach and the fact that Facebook only failed to notify an already appointed data protection officer, the sanction is to be considered sufficiently dissuasive. It is due to Facebook's professional handling of the infringement that the fine was not significantly higher.
For further information, please contact firstname.lastname@example.org