In particular, the General Data Protection Regulation (DSGVO) becomes relevant. The supervisory authorities are granted extensive investigative and remedial powers to enforce data protection regulations. Most site owners fear huge fines of up to 20 million euros or 4% of the previous year's worldwide sales.
But is this fear really justified? The answer is yes and no. Yes, fines are imposed. No, a business will not have to shut down (solely) because of a fine. To date, about 130 publicly communicated fines have been imposed in Germany, totalling about 700,000.00 €. Arithmetically, this means that a single fine amounts to about 5,500.00 €. This is, however, a calculated average, and it varies greatly from state to state. Nonetheless, the figure should make it clear that a fine can be painful but not life-threatening. A fine is also already one of the harsher instruments available to the DPA. Usually, the data protection authorities first resort to warnings and instructions (Art. 58 DSGVO). In our experience, the data protection authorities are not interested in using fines to fund the state treasury.
So, is it best to do nothing and wait for a warning or a fine from the DPA?
Certainly not! Besides the data protection authority, there are (among others) competitors who can make life difficult for site owners.