SITTIG LAW Law Firm Blog

What happens when data protection violations occur?

Data protection violations can affect anyone and have far-reaching consequences for companies. In addition to high fines under the GDPR, there is a strict 72-hour reporting obligation to supervisory authorities, and in serious cases, even criminal investigations. Those who ignore the requirements risk significant financial damages, loss of reputation, and personal liability. Get informed now to avoid existential consequences.
Why data breaches can affect anyone

Data protection violations are no longer rare. Every day, companies of all sizes are confronted with the issue – whether through a hacker attack, an accidentally misaddressed email attachment, or an employee's unsecured laptop while working from home.

What happens when data protection regulations are violated? Company executives, data protection officers, and affected individuals all ask this question. The answer is complex: the consequences range from hefty fines and civil damages claims to administrative orders and criminal investigations.

Authorities have significantly sharper tools at their disposal, and corporate accountability has become a central principle of data protection law. Those who ignore the requirements of the GDPR and the Federal Data Protection Act (BDSG) risk not only financial damages but also considerable reputational losses and personal liability.

Legal Basis: GDPR, BDSG, and StGB

The GDPR as a European Framework

The General Data Protection Regulation forms the central framework of European data protection law. It applies directly in all EU member states and creates a uniform standard for the processing of personal data.

Key obligations for controllers and processors arise in particular from:

  • Art. 5 GDPR – Principles relating to the processing of personal data
  • Art. 25 GDPR – Data protection by design and by default
  • Art. 32 GDPR – Security of processing: controllers and processors must implement technical and organizational measures (TOMs) appropriate to the risk, taking into account the state of the art
  • Art. 33 GDPR – Notification of a personal data breach to the supervisory authority
  • Art. 34 GDPR – Communication of a personal data breach to the data subjects
  • Art. 83 GDPR – General conditions for imposing administrative fines, including the fine frameworks

The BDSG as a National Supplement

The Federal Data Protection Act (BDSG) supplements and specifies the GDPR at the national level. Among other things, it contains regulations on data processing by public bodies, video surveillance, and – particularly relevant – criminal liability in the data protection context.

§ 42 BDSG establishes independent criminal offenses in data protection law. Under § 42 (1) BDSG, anyone who knowingly and without authorization transfers or otherwise makes accessible personal data of a large number of persons that is not publicly accessible, and does so on a commercial basis, faces imprisonment of up to three years or a fine. Under § 42 (2) BDSG, anyone who processes non-public personal data without authorization or obtains it by false pretenses, and does so for remuneration or with the intention of enriching themselves or another person or of harming another person, faces imprisonment of up to two years or a fine. These offenses are prosecuted only upon a criminal complaint (§ 42 (3) BDSG), which may be filed by the data subject, the controller, the Federal Commissioner, or the supervisory authority.

§ 43 BDSG regulates administrative offenses under national law that can be punished with fines, in addition to the fine catalogue of Art. 83 GDPR.

Criminal Relevance: The German Criminal Code (StGB) in the Context of Data Protection Violations

Data breaches can also touch upon criminal offenses in the Criminal Code (StGB) – especially when they involve targeted attacks on data systems:

  • § 202a StGB – Data espionage: Obtaining unauthorized access, for oneself or another, to data that is specially secured against unauthorized access, by circumventing that access protection.
  • § 202b StGB – Data interception: Unauthorized interception of non-public data transmissions or of electromagnetic emissions from a data processing system.
  • § 202c StGB – Preparing data espionage and interception: The preparation of such acts, for example by producing, obtaining, or distributing passwords, access codes, or suitable software, is already punishable.
  • § 303a StGB – Data alteration: Unlawfully deleting, suppressing, rendering unusable, or altering data.
  • § 303b StGB – Computer sabotage: Substantial interference with data processing that is of essential importance to another person, including by destroying or damaging IT systems.

The interface between data protection law and criminal law is complex and often underestimated in practice. A company that falls victim to a cyber attack is the victim of the criminal offense and at the same time a potential subject of fine proceedings – for example, if it fails to comply with its notification obligations or if the security measures required by Art. 32 GDPR prove to have been insufficient.

Civil law consequences

Companies also increasingly face civil law consequences. Affected individuals can sue for damages directly in civil courts under Art. 82 GDPR – for both material damages (e.g., financial losses due to identity theft) and non-material damages such as stress, loss of control, or damage to reputation.

Administrative consequences

In addition to fines, data protection supervisory authorities have other administrative instruments at their disposal, which are often underestimated in practice. According to Art. 58 GDPR, the authorities can, among other things:

  • Issue warnings and reprimands – these do not result in a fine, but they are officially documented and have an aggravating effect in the event of later violations
  • Impose a temporary or definitive limitation on processing, including a ban – an intervention that has more serious operational consequences for many companies than a fine
  • Order the suspension of data flows to a recipient in a third country or to an international organization
  • Order the controller or processor to provide information and documentation, and carry out data protection audits

Administrative measures can be taken with or without a simultaneous fine. Especially the prohibition of certain processing activities can be existentially threatening for data-driven business models. Companies should therefore not take official requests and investigation procedures lightly – and seek legal support early on.

What happens after a data breach? The most important consequences

1. Fines from data protection authorities

The most well-known consequence of a data protection violation is the administrative fine. Art. 83 GDPR provides two fine frameworks, and in each case the higher of the two amounts applies.

Up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year (Art. 83 (4) GDPR), for violations of, among others:

  • The obligations of the controller and processor (including security of processing under Art. 32 GDPR)
  • The notification obligation to the supervisory authority (Art. 33 GDPR)
  • The communication obligation towards data subjects (Art. 34 GDPR)

Up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year (Art. 83 (5) GDPR), for violations of, among others:

  • The basic principles for processing (Art. 5 GDPR)
  • The conditions for consent (Art. 6, 7, and 9 GDPR)
  • The rights of data subjects (Art. 12 to 22 GDPR)
  • The rules on transfers of personal data to third countries (Art. 44 to 49 GDPR)

2. The 72-hour reporting requirement

Once a personal data breach is identified, the clock starts ticking. According to Art. 33 (1) GDPR, the controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach – unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is made later than 72 hours, it must be accompanied by reasons for the delay. A processor that becomes aware of a breach must notify the controller without undue delay (Art. 33 (2) GDPR). Where not all information is available at once, it may be provided in phases (Art. 33 (4) GDPR).

The notification must include at least (Art. 33 (3) GDPR):

  • The nature of the breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned
  • The name and contact details of the data protection officer or another contact point
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed, including measures to mitigate its possible adverse effects

3. Notification of Affected Individuals

If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects must also be informed without undue delay, according to Art. 34 GDPR. The communication must be in clear and plain language and describe the nature of the breach, the likely consequences, the measures taken, and the contact point. Under Art. 34 (3) GDPR, the communication is not required if the affected data was rendered unintelligible to unauthorized persons, for example by encryption, if subsequent measures ensure that the high risk is no longer likely to materialize, or if individual notification would involve disproportionate effort – in the latter case, a public communication must be made instead.

4. Claims for Damages by Affected Persons

Art. 82 GDPR grants data subjects a right to compensation. Anyone who has suffered material or non-material damage due to a data protection breach can claim compensation. Controllers and processors are liable – unless they can prove that they are not responsible for the damage.

Are you facing a data breach or have you received a request from the data protection authority? We advise companies and private individuals nationwide on all matters of data protection law and its criminal law interfaces. Get in touch.

Practical tips for affected individuals and businesses

If you are a company and have discovered a data breach:

  1. Act immediately: Secure evidence, contain the incident as far as possible, and inform the internal data protection team or the data protection officer.
  2. Conduct a risk assessment: Is this a notifiable event? What data is affected? What is the risk to the data subjects?
  3. Keep the 72-hour deadline in mind: Start the notification process to the competent supervisory authority, even if not all information is yet available – it can be supplied in phases.
  4. Ensure documentation: According to Art. 33 (5) GDPR, every breach must be documented together with its facts, effects, and the remedial action taken, even if there is no obligation to notify.
  5. Engage legal counsel: Legal support is recommended early on, especially in more complex incidents, to ensure that notifications, communication, and internal investigations are legally sound.

If you are affected by a data breach as a private individual:

  1. File a complaint with the supervisory authority: Every data subject has the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR.
  2. Review damages: In case of demonstrable damage – including non-material damage – you can assert claims under Art. 82 GDPR.
  3. Request access: According to Art. 15 GDPR, you have the right to obtain information about which of your personal data is being processed and for what purposes.
  4. Request rectification and erasure: Art. 16 and Art. 17 GDPR grant you the right to rectification of inaccurate data and to erasure.

Checklist: What to do in case of a data breach?

Immediate measures (0–24 hours)

  • Report and document incident internally
  • Determine the extent and nature of the violation
  • Identify affected data and individuals
  • Stop incident / Close security vulnerability

Short-term measures (24–72 hours)

  • Perform risk assessment: Is there a reporting obligation under Art. 33 GDPR?
  • Possibly report to the competent data protection supervisory authority
  • Examination: Is notification of data subjects required under Article 34 GDPR?
  • Activate internal incident response plan
  • Seek legal counsel

Medium-term measures (after the incident)

  • Complete the internal documentation of the incident in accordance with Art. 33 (5) GDPR
  • Root Cause Analysis: How could the violation have occurred?
  • Adapt technical and organizational measures
  • Training for affected employees
  • Ensure communication with authorities and affected parties.

Take data protection violations seriously – and be prepared

What happens when data protection is violated? The answer is clear: the consequences are diverse, severe, and in some cases threaten the very existence of a company. Fines, claims for damages from affected individuals, and – in the worst case – criminal investigations show that data protection is not a bureaucratic issue but a real legal obligation with harsh penalties.

At the same time, it is true that those who are well-prepared react faster and better. Companies that have clear processes, a competent data protection officer, and a functioning incident response system can significantly limit damage in an emergency.

For anyone facing a concrete data breach – as a company, data controller, or data subject – early legal support is recommended. We are here to assist you with our many years of experience at the intersection of IT law, data protection law, and criminal law – nationwide and, if desired, also via video conference or telephone.

Frequently asked questions

What is a personal data breach?
A personal data breach within the meaning of Art. 4 (12) GDPR is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or unauthorized access to, personal data. Processing personal data without a legal basis is also a violation of the GDPR, but it is not in itself a personal data breach in this sense and therefore does not automatically trigger the notification obligations of Art. 33 and 34 GDPR.

Who is liable for a data protection violation?
In Germany, the company is generally liable as the controller. However, employees can be held personally liable if they acted intentionally – in particular under § 42 BDSG in the case of criminally punishable data protection violations.

Can a company be fined even if it was the victim of an attack?
Yes. Even victims of an attack can be fined if they have not implemented sufficient security measures in accordance with Art. 32 GDPR. At the same time, a criminal complaint against the attackers should be considered.

What is the limitation period for damages claims?
In Germany, the limitation period for claims for damages under Art. 82 GDPR is governed by the general civil law provisions (§§ 195, 199 BGB). It is generally three years, beginning at the end of the year in which the claim arose and the data subject became aware, or ought to have become aware, of the circumstances giving rise to the claim and of the identity of the liable party.

What can I do as a data subject?
You can lodge a complaint with the competent data protection supervisory authority, claim damages, and assert rights such as the right of access, erasure, or rectification.

Does the GDPR also apply to small companies?
Yes. The GDPR generally applies to anyone who processes personal data, regardless of company size or industry.

Can an external data protection officer be appointed?
Yes, and in many cases this is even recommended. An external data protection officer brings independent expertise and can guide companies pragmatically through the GDPR requirements – from creating the record of processing activities to crisis response.

What is the difference between a fine procedure and a criminal investigation?
The fine procedure of the data protection authorities is administrative in nature and is primarily directed against the company. Criminal investigations, on the other hand, are directed against natural persons and can lead to imprisonment. Both procedures can run in parallel.
Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.