Hamburg Data Protection Commissioner's €51,000 fine against Facebook Germany GmbH

1 December 2019

The Hamburg Commissioner for Data Protection and Freedom of Information imposed a fine of €51,000 on Facebook Germany GmbH in December 2019. The fine was not appealed and the corresponding payment has been made.

In March 2019, the HmbBfDI became aware through a complaint that Facebook Germany GmbH had not notified a data protection officer. In 2017, the Supervisory Authority had been informed that the then Data Protection Officer did not continue to run the Office. However, the notification of a new Supervisor had not been made. This is, however, mandatory under Art. 37 (7) GDPR. Violations of this requirement are subject to a fine in accordance with Art. 83 Para. 4 lit. a) GDPR.

The fine may sound low at first sight. However, adressee is not Facebook with its multi billion euro global turnover, but the German subsidiary on account of a failure to notify their DPO in Germany. Facebook Germany GmbH is a company with an annual turnover of around 35 million, whose business - in contrast to the parent company - is not the processing of personal data of users. Given the negligence of the breach and the fact that Facebook only failed  to notify an already appointed data protection officer, the sanction is to be considered sufficiently dissuasive. It is due to Facebook's professional handling of the infringement that the fine was not significantly higher.

For further information, please contact

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.