General
The primary responsibility for ensuring compliance with data protection laws (GDPR/BDSG) lies with the company itself, represented by the management or board. They are obligated to implement appropriate organizational and technical measures and to monitor their compliance. In cases of intentional disregard or non-compliance with data protection requirements (gross negligence), the management may also be personally liable with their private assets.
Fines under the GDPR can amount to up to €20 million or 4% of global annual revenue (whichever is higher) for serious violations.
For less severe violations: up to €10 million or 2% of revenue.
The exact amount depends on the severity, duration, intent/negligence, damage mitigation, cooperation, and other factors.
Additionally, compensation claims from data subjects as well as criminal sanctions in severe cases are possible.
GDPR data protection penalties are generally imposed by the data protection authority.
As of the end of December 2025, approximately 2,700 penalties with a total value of around €6.8 million have been imposed due to data protection violations. These penalties can be viewed at https://www.enforcementtracker.com/.
How can data protection penalties be avoided, and should there be concern about data protection obligations?
Penalties can generally be avoided by complying with all relevant data protection requirements. It is important to note that no one expects 100% perfection — which is also not possible. What matters is being able to demonstrate that all requirements are met to the best of one’s knowledge and belief. Using tools like Metasoul shows a commitment to data protection, reduces the risk of negligence, and thereby lowers the likelihood of penalties. This means that by starting to address data protection obligations and implementing them step by step, even if not perfectly, there is no need to fear data protection issues. The use of data protection tools like Metasoul further supports this effort.
Other authorities can also impose fines if data protection violations are accompanied by other legal violations. In cases of criminally relevant data protection violations (e.g., intentional data disclosure), public prosecutors may initiate investigations and impose penalties.
How should I get started — especially as a startup, young company, or SME — to fulfill my data protection obligations?
Experience shows that data protection topics often do not have the highest priority, especially when starting a business or amid the day-to-day operations of the company. Data protection obligations are often difficult to understand, the necessary expertise is lacking, time is limited, and buying in external help is too expensive and would blow the budget. And most importantly: at the beginning of a company’s formation, survival is the priority.
However, ignoring data protection topics is not an option, and it is not recommended. Prioritization is key here. From our work with SMEs, startups, and young entrepreneurs, we have learned that the following strategy has proven effective:
1. Address visible topics first: Obligations that are publicly visible should be tackled first. This primarily concerns the information obligation, i.e., the privacy notice. The privacy notice on the website or app quickly shows whether data protection is taken seriously, and it also makes the company vulnerable if the privacy notice is not correct. Important: Privacy notices generated by AI or copied from a competitor offering something similar are almost always unusable, as they lack the company context. It is even worse if links in the copied privacy notice are overlooked and still point to the competitor. A clean privacy notice also signals to customers that the company is professional.
2. Address topics related to B2B customers: If a company provides services to other businesses (B2B), two data protection obligations are in focus: the Data Processing Agreement (DPA) and technical and organizational measures (TOM). If a company can already offer a clean DPA to its client (even though it would typically be the client’s responsibility to arrange for a DPA), it demonstrates professionalism. Often, a DPA is actively requested by the client. Along with the DPA, the client usually also requests a list of the technical and organizational measures that have been implemented to protect personal data. Again, if the quality of the DPA and TOM is appropriate, it appears professional, enhances customer satisfaction, and, from an economic perspective, most importantly: the time to contract signing is reduced.
3. Appoint a Data Protection Officer and notify the authority: This step can also make sense as an initial action and should be carried out even if there is no obligation to appoint a Data Protection Officer. This helps avoid overlooking this step when it becomes relevant, such as when the company has grown. More importantly, it ensures that someone is designated to focus on data protection issues and is responsible for the long-term implementation of data protection obligations. This guarantees long-term positive development and the building of expertise. When appointing a Data Protection Officer, it is essential to notify the relevant data protection authority.
4. Implement all other data protection topics as needed or according to a schedule: Sooner or later, all other data protection topics will need to be addressed. Ideally, individual topics should be planned and implemented as part of the ongoing operations. The Data Protection Officer can be the driving force behind this. For example, if unexpected new topics arise, such as the first data subject request from a customer, these issues need to be dealt with, and a sustainable, repeatable solution should be developed. In such cases, consulting an expert or using specialized tools or resources may be necessary. Over the years, this approach increases the implementation level and quality of data protection management.
In summary: Once personal data of data subjects is processed, the GDPR must be complied with. The company’s situation calls for the risk- and opportunity-based approach described above; this is a decision of the management, who are also responsible for it. The use of specialized tools like Metasoul makes it easier and faster to comply with data protection requirements.