
GDPR Enforcement Tracker: List of GDPR fines - KanyeBest
http://www.enforcementtracker.com/
======
throwaway13337
Wow. Here's a crazy one:

Someone was fined 2000 euros for using CC instead of BCC in his little mailing
list newsletter of 150 people in Germany.

"The fine was imposed against a private person who sent several e-mails
between July and September 2018, in which he used personal e-mail addresses
visible to all recipients, from which each recipient could read countless
other recipients. The man was accused of ten offences between mid-July and the
end of July 2018. According to the authority's letter, between 131 and 153
personal mail addresses were identifiable in his mailing list."

Poor guy.

This seems to be proof that the GDPR is being weaponized against people and
organizations one doesn't like.

~~~
jdietrich
In the UK, the data regulator fined a small organisation £180,000 ($230,000)
for exactly the same mistake on a list with 781 recipients. The organisation
was a specialist sexual health clinic and the newsletter was for patients with
HIV.

Without knowing the details, I can't say whether a €2000 fine was
disproportionately onerous or a slap on the wrist.

[https://www.businessinsider.com/nhs-trust-fined-for-leaking-...](https://www.businessinsider.com/nhs-trust-fined-for-leaking-700-hiv-clinic-patients-data-in-email-error-56-dean-street-to-bcc-2016-5)

~~~
rambojazz
With such sensitive information they should really avoid CC/BCC and do it
manually, or write a script for sending 1 email at a time. Not because CC/BCC
is bad, but because you want to be 100% sure to dodge this kind of problem.

~~~
remus
That'll be part of why they got the fine. One component of gdpr is taking
reasonable steps to avoid leaking personal data, and as you pointed out
relying on someone remembering to bcc rather than cc is asking for trouble.
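
The "one email at a time" approach suggested above, as an added example that is not part of the original thread or any commenter's code: each recipient gets their own message, and a guard refuses any message whose To/Cc/Bcc headers show an address other than that recipient's. The sender address, the example.org recipients and the `smtp_sender` relay host are assumptions.

```python
"""Added example: one message per recipient instead of a shared To/Cc/Bcc line."""
import smtplib
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "newsletter@example.org"  # constructed placeholder address


class RecipientLeak(ValueError):
    """A message would show an address other than its own recipient's."""


def visible_addresses(msg):
    """Return every address a reader of this message could see in To/Cc/Bcc."""
    values = []
    for name in ("To", "Cc", "Bcc"):
        values.extend(str(v) for v in msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def check_single_recipient(msg, expected):
    """Refuse any message whose headers expose more than the intended address."""
    seen = visible_addresses(msg)
    if seen != {expected.lower()}:
        # Report a count only, so the error itself does not leak the list.
        raise RecipientLeak(
            f"headers expose {len(seen)} address(es), expected only the recipient"
        )


def build_messages(recipients, subject, body):
    """Build one EmailMessage per unique recipient; no list ever goes in a header."""
    done, out = set(), []
    for raw in recipients:
        addr = raw.strip()
        if not addr or addr.lower() in done:
            continue  # skip blanks and duplicates
        done.add(addr.lower())
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        check_single_recipient(msg, addr)
        out.append((addr, msg))
    return out


def send_all(messages, send):
    """Deliver each message via send(envelope_recipient, msg), re-checking first."""
    sent = 0
    for addr, msg in messages:
        check_single_recipient(msg, addr)
        send(addr, msg)
        sent += 1
    return sent


def smtp_sender(host, port=25):
    """Return a send() callable for a real relay; host and port are assumptions."""
    def send(addr, msg):
        with smtplib.SMTP(host, port) as smtp:
            # The envelope recipient is passed explicitly, not taken from headers.
            smtp.send_message(msg, from_addr=SENDER, to_addrs=[addr])
    return send


def demo():
    """Run against a constructed list and an in-memory outbox (no network)."""
    outbox = []
    recipients = ["a@example.org", "B@example.org", "a@example.org ", ""]
    messages = build_messages(recipients, "Newsletter", "Hello")
    send_all(messages, lambda addr, msg: outbox.append((addr, str(msg["To"]))))
    return outbox


if __name__ == "__main__":
    for envelope, header_to in demo():
        print(envelope, "->", header_to)
```
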

~~~
pluma
Not just that. Health data is considered especially sensitive by the GDPR, so
sharing it is a more serious transgression than simply sharing personally
identifiable information in general.

------
mikekchar
250K Euros to LaLiga for their app that tries to find bars illegally
broadcasting their games by sampling users' microphones once a minute. I
remember when it was discovered what it was doing thinking this must be a
massive GDPR issue. I'm a little bit surprised that the fine is this low:

"The national Football League (LaLiga) was fined for offering an app which
once per minute accessed the microphone of users' mobile phones in order to
detect pubs screening football matches without paying a fee. In the opinion of
the AEPD LaLiga did not adequately inform the users of the app about this
practice. Furthermore, the app did not meet the requirements for withdrawal of
consent."

~~~
guywhocodes
Considering some others in there this feels like a slap on the wrist

~~~
cuban-frisbee
If they stopped the conduct then it is not supposed to be any more than a slap
on the wrist. GDPR is meant to correct behaviour, not to punish.

------
phh
To whoever did this: thanks!

Such a website can have many uses:

- Show the average people why privacy is important with concrete examples
- Find previous rulings for people in a specific situation
- Stop(reduce.) the "there is no way we're going to be sued for that" by the company's managers

My wish for that website is that in the future, the data is more easily
readable and "big-data exploitable" (good luck with that)

Little things I can tell off the top of my head:

- the height of the fines is basically random, that makes scrolling cognitively heavy imo. Having (...) to click to expand long descriptions sounds fair I think
- it's not possible to link to a row (useful for giving examples to people)
- long descriptions deserve multiple paragraphs, they are hard to read as-is.

Also, I think negative rulings would be useful as well, though could send a
different political message, so that's author's choice.

~~~
hobofan
> Stop(reduce.) the "there is no way we're going to be sued for that" by the
> company's managers

I was thinking the opposite. The fines listed are so low, that from a purely
financial perspective complying doesn't seem to make much sense. I would
estimate all GDPR compliance efforts I've been involved in to be more costly
than the largest fine issued in Germany.

~~~
Semaphor
I think the spirit is that first offenses that aren't extremely outrageous get
lower fines.

------
oh_sigh
If you look back at comments as GDPR was first coming into effect, you saw a
lot of comments here along the lines of 'The EU doesn't want to fine anyone.
They want you to become compliant, and will help you do so, and you won't be
fined unless you were intentionally being non-compliant'

But then look at this example from Germany:

> Please note: According to our information this fine has been withdrawn in
> the meantime. Kolibri Image had sent a request to the Data Protection
> Authority of Hessen asking how to deal with a service provider who does not
> want to sign a processing agreement. After not answering Kolibri Image in
> more detail, the case was forwarded to the locally responsible Data
> Protection Authority of Hamburg. This Authority then fined Kolibri Image as
> controller for not having a processing agreement with the service provider.
> Kolibri Image has stated that they will challenge the decision in front of
> court since they are of the opinion that the service provider does not act
> as a processor.

The company emailed the authority asking for advice on how to deal with a
service provider who didn't want to cooperate with GDPR, then the authority
ignored his request, forwarded their information to another authority, which
then fined them for the exact thing which they were asking for advice on.

Yes, the fine has apparently been withdrawn, but how much time, money, and
mental capacity did Kolibri Image have to spend dealing with this before the
authority decided to drop it?

~~~
mikekchar
I'm not actually that sympathetic. If you have a processor that does not want
to sign a processing agreement, you have to stop using them. There is no
leeway on this issue in GDPR. You are responsible for ensuring that third
party processors _you_ engage agree to handle the data lawfully. There's not a
lot of context to go on, but it seems to me that the company in question is
just stalling. I literally can't think of a legitimate reason for their
opinion that the service provider "does not act as a processor". Either you
are sending PII to them or not. If you are, then they are a processor. If not,
then it's not related to GDPR in any way.

~~~
oh_sigh
That's fine, but my point was not that Kolibri Image took the appropriate
steps immediately, but whether the commenters here on HN were correct in their
estimation that the various data protection authorities would help you resolve
compliance issues versus just issuing you fines.

~~~
mikekchar
Some more context: [https://gdpr.report/news/2019/01/23/small-business-in-german...](https://gdpr.report/news/2019/01/23/small-business-in-germany-hit-with-e5000-gdpr-fine/)

Relevant passage: "Discovery of the misdemeanor began with an email from
another company to the Hessian Data Protection Commissioner, sent in May of
last year, in which advice was requested regarding the failure of Kolibri
Image in proving customer data, despite multiple requests being sent. Kolibri
Image declined to cooperate, instead laying responsibility at the feet of
another contractor."

The article is a bit hard to understand, but it seems that someone asked
Kolibri to provide information on how 3rd party information was kept secured.
Kolibri declined to answer saying that it was another contractor who was doing
it. Reading between the lines, Kolibri seems to have asked for guidance on
what to do, but did not receive guidance.

I have to say that I'm even less inclined to be sympathetic. It's a pretty
blatant disregard for the GDPR. If you want guidance at that level, hire a
lawyer. But in reality, there is no need for a lawyer: it is completely
obvious that you can't shield yourself from GDPR simply by saying, "Oh it's
this other company's responsibility. And, by the way, they don't agree to do
GDPR, so it's out of my hands".

To be a bit more clear, I don't know what the authority could do to help
resolve the compliance issue other than to say, "Yes, you have to comply with
the law. Sorry that you thought you didn't have to". Is a 5000 euro fine
justified -- even without having given guidance? IMHO, yes, however you can
see that _they_ thought they were in error and hence are reviewing the fine.
The other blurb made it seem as if the compliance issue was only discovered
because Kolibri asked what they should do. This article makes it more clear
that it's just a normal complaint with a company doing everything in its power
to avoid doing anything.

~~~
tremon
_you can't shield yourself from GDPR simply by saying, "Oh it's this other
company's responsibility. And, by the way, they don't agree to do GDPR, so
it's out of my hands"._

To be specific, this is mandated explicitly by the GDPR:

> the controller shall [ensure] to be able to demonstrate that processing is
> performed in accordance with this Regulation. [art.24]

> Where processing is to be carried out on behalf of a controller, the
> controller shall use only processors providing sufficient guarantees
> [art.28]

> Processing by a processor shall be governed by a contract or other legal act
> under Union or Member State law, that is binding on the processor with
> regard to the controller [art.28]

[art.24] [https://gdpr-info.eu/art-24-gdpr/](https://gdpr-info.eu/art-24-gdpr/)

[art.28] [https://gdpr-info.eu/art-28-gdpr/](https://gdpr-info.eu/art-28-gdpr/)

------
tomatotomato37
It's interesting how enforcement changes between countries. For instance, all
the fines in Austria were for CCTV and dashcam use, all of France's fines
were against large corporations, and the single fine Italy imposed was on the
"Movimento 5 Stelle" political party.

~~~
Radle
These aren't all fines. Most of them are published by a select few individuals
or newspapers with a clear focus of interest.

What you are seeing is French newspapers being especially interested in fines
for big corporations, this is without a doubt a direct result of the current
political situation in France.

------
jonasb
The ICO maintains an official list of fines in the UK
[https://ico.org.uk/action-weve-taken/enforcement/?facet_type...](https://ico.org.uk/action-weve-taken/enforcement/?facet_type=Monetary+penalties&facet_sector=&facet_date=&date_from=&date_to=)

~~~
M2Ys4U
Notably none of these are (yet) for violations of the GDPR. The ICO has issued
enforcement notices, but they haven't levied any penalties so far.

~~~
jonasb
Ah, my bad. Only checked the date of the decisions and assumed they were
related to GDPR.

------
quelltext
Can anyone explain the N26 case to me?

I've tried to read two articles on it and they don't make sense.

It seems they stored data on users who closed their account to prevent money
laundering, which is apparently fine if the bank actually blocks operation of
those accounts according to one article.

But somehow this was not the case for those old accounts that were closed? How
can you close an account but it's still an operational account? Like, was it
still possible to send money to it etc.?

My guess is that the article is wrong and this was simply about them
preventing legitimate users from closing and then reopening a new account.

I have a hard time believing they were not allowed to keep that data for some
time after account closing. It seems to be more about how it was used.

~~~
londons_explore
My guess is a user requested his data deleted, but N26 just disabled the
account.

Then the user signed up again, enabling the same account.

The user then saw their old data hadn't in fact been deleted, and complained
to the regulator.

~~~
seqastian
Are banks even allowed to wipe your whole account record? They probably have
to keep most of it for tax collectors.

~~~
pluma
If they only kept the data that was necessary for legal compliance with tax
regulations, they wouldn't have been fined. That's explicitly allowed. That
they were fined suggests they just kept everything, far beyond what they had
to keep.

------
henrikschroder
At the time of the GDPRpocalypse last year, there were a lot of discussions
here, and a lot of FUD being slung around about how if your US website wasn't
100% GDPR-compliant you'd be handcuffed if you set foot in an EU airport bla
bla bla, or that minor infractions would incur the maximum penalty of millions
of euro, bankrupting your awesome adtech startup bla bla bla. Most of it was
fueled by the clash between US and EU jurisprudence, the legal systems are
actually pretty different.

Some of us argued that no, this is not the apocalypse, the law says that fines
will be proportionate, and the various national agencies will work with you to
ensure you are compliant. And unless you willfully do the kind of shady shit
the law is meant to protect against, you're fine.

Seems we were right. This list looks pretty sane to me, with one exception.

250k€ for using the microphones of all users of an app to spy and determine if
they were in a pub that showed football matches without a license. Fuck yeah.

400k€ for a hospital that had effectively unrestricted access to all patient
files for all staff. Yes. What would the HIPAA-equivalent fine be?

1400€ for a police officer abusing systems doing lookups for personal gain.
Yes.

170k€ for a school district allowing public access to personal data of all
minor-aged students. Yes, yes, yes.

The one exception is the fine on Google in France. This is purely a political
bullshit game over control and loss of control.

~~~
moduspol
> Seems we were right.

Arguably, and _so far_.

There are sites that just block requests from the EU, there's a difficult-to-
measure chilling effect on small businesses, and just because nobody's been
hanged over it in year one doesn't mean it won't be abused, oppressive, or
have other negative unintended consequences in the future.

~~~
contras1970
> _There are sites that just block requests from the EU, there's a difficult-
> to-measure chilling effect on small businesses_

food safety regulations have a chilling effect on businesses that would try
and sell arsenic-laced food.

dumping poisonous byproducts of a manufacturing process in a river will also
net you a stomping by the society, another instance of a chilling effect of
regulations.

i'm happy with these chilling effects, they relieve me of the need for
constant vigilance. they enable our society to function. we do not need to
fear for our mental or physical health and (private) lives all the time, we
can focus on higher-order things instead.

~~~
moduspol
I feel differently about it, but I think that's totally fair. Just pointing
out that it's not quite the case that opponents' predictions turned out to be
wrong.

Some did, at least for the first year. But some haven't.

------
frereubu
Something I often see in discussions about GDPR on HN is that the law is
vague. A hugely valuable comment on a previous GDPR discussion (which
unfortunately I've been unable to track down) pointed out a marked difference
in style between US and EU law. In the US, laws are usually very detailed and
explicit about what will happen in all cases. If that's what someone is
expecting, EU law is indeed very vague - because the underlying idea is that
judges are trusted to interpret law in the context of constitutions, precedent
and so on. EU citizens are much more used to this kind of language, so many of
the discussions on here are people shouting past each other because there's a
more fundamental issue about the way laws are phrased. If you're in the US and
want to quibble with the language, please bear in mind the broader context of
EU law. And if you're in the EU please bear in mind that people in the US are
used to much more explicit legal language. If we all did that some of the
discussions on HN about GDPR might be more meaningful.

The other thing that seems to happen a lot is that people are looking for a
stick - any stick - to beat GDPR with. The current top-voted comment -
[https://news.ycombinator.com/item?id=20279249](https://news.ycombinator.com/item?id=20279249)
- is a prime example. These lists of fines often don't give context (which,
to be clear, is a failing of the list too) and often when you dig into these
things you'll find that the ruling is entirely sensible. People need to give a
bit more credit to legal systems than to think "Someone was fined 2000 euros
for using CC instead of BCC in his little mailing list newsletter of 150
people in Germany" could possibly be true. If a fine seems ridiculous, do a
bit of digging before you take a short summary at face value, and you won't be
left with egg on your face when people point out what actually happened.

------
g_sch
Perhaps this shouldn't be surprising, but what this site makes clear to me is
that GDPR enforcement is more lax on major companies than many people
expected, and more severe on private individuals.

For all the breathless reporting of how GDPR would ruin companies financially
by levying fines on worldwide revenue, there is exactly one fine listed that
exceeds 400k EUR. Granted, it's 50MM EUR to Google, but that's still a drop in
the bucket compared to Google's worldwide revenue.

On the other hand, commenters below have pointed out that some private
individuals have received fines in the hundreds to thousands of EUR for
actions such as "using Cc instead of Bcc in emails" and "using a dashcam". I
agree that these are privacy lapses but it's pretty unfortunate to see the
power of the state used for these purposes rather than bringing serial data
privacy abusers in line.

~~~
idlewords
This could be a case of enforcement against large companies taking longer to
conduct, given the complex nature of the cases and the resources of the legal
teams involved. My understanding is that a lot of stuff is pending before the
Irish data protection agency.

~~~
detaro
That certainly plays a role, especially as soon as courts get involved (or
will get involved), see e.g. the pre-GDPR cases against Facebook still
bouncing around the Irish court system. Smaller cases can be handled without
international coordination, the facts are often easy to determine, ..., which
makes them faster to process.

And the rules about international coordination mean other countries have to
wait for Ireland in many cases.

------
easytiger
Interesting one from Spain, accessing users' microphones to crowdsource
public broadcast violations:

> _The national Football League (LaLiga) was fined for offering an app which
> once per minute accessed the microphone of users' mobile phones in order to
> detect pubs screening football matches without paying a fee. In the opinion
> of the AEPD LaLiga did not adequately inform the users of the app about this
> practice. Furthermore, the app did not meet the requirements for withdrawal
> of consent._

------
hdfbdtbcdg
Glad to see some enforcement. Reputable companies have used resources ensuring
compliance. Good to see it hasn't been wasted.

------
crisnoble
Does anyone know of a similar list for ADA violations?

------
j2kun
Many people are complaining about some fines, but here are some others I see
that are evidence of this working extremely well:

- A police officer was fined for using his department's tools to get
someone's private phone number for his personal use

- A rental agency was fined for leaving renter's private data (ids, etc) open
to the public for six months after being notified of the vulnerability

- A company was fined because they were continuously filming their employees
at work without explanation

- A political candidate misusing private citizen data for campaign purposes.

- Rental car companies tracking drivers by GPS without notifying them

- Hospital staff having fake doctor profiles to view unrestricted patient
data

This is convincing me that GDPR is a great success.

~~~
Matticus_Rex
All but maybe one of those looks like it was illegal prior to GDPR, so I'm not
sure GDPR is what you're praising.

~~~
stordoff
Which one, out of interest? I can imagine all of them being illegal in some
member state.

~~~
Matticus_Rex
Depending on the circumstances (I didn't actually look into it) the rental car
tracking could have been done in ways that were at least arguably legal under
EU law (though at least several member states had legislation that would have
covered that).

------
ProxCoques
Weird there's no fines in UK.

~~~
Aengeuad
As somebody else pointed out, they're being tracked by the ICO [0]. I think
they previously had a blog where they documented enforcement while the UK was
still under the older Data Protection legislation but I can't seem to find it.

[0] [https://ico.org.uk/action-weve-taken/enforcement/](https://ico.org.uk/action-weve-taken/enforcement/)

~~~
ascorbic
From what I can see, none of the fines use the GDPR. They're all for pre-May
2018 breaches, so use the old DPA.

------
ferongr
The fact that someone was fined for using a dashcam is beyond absurd.

~~~
donretag
"a man illegally used a dashcam, he was fined 300 euros. It was a camera
recording the use of a car from the driver's point of view, which is illegal."

Insane.

~~~
droithomme
The same link mentions issuing a GDPR reprimand against a person for using a
security camera _inside their own home_.

~~~
M2Ys4U
Recording in one's own home is exempted under the GDPR[0].

I suspect something broader was involved here.

[0] Article 2(2): "This Regulation does not apply to the processing of
personal data [...] by a natural person in the course of a purely personal or
household activity"

~~~
PeterisP
A prime example where GDPR would apply to a security camera in your own house
would be if that camera was used to record renters (including short term
rentals e.g. AirBnB) without their knowledge.

For example, I recall reading about cases of renters finding out that the
landlord has installed hidden cameras in the bedrooms and showers.

------
css
No HTTPS?

~~~
vecplane
Yeah, I tried adding it manually and it didn't work. Very strange!

~~~
smartbit
Indeed, very strange. A privacy website that transmits unencrypted?

Domain is owned by [https://cronon.net/](https://cronon.net/)

------
kradroy
Why are there so many violators marked as "unknown"? Is that from the sanction
being redacted or the aggregator's lack of information? The header paragraph
states that not all violations are made public, but the ones that are made
public can also be redacted?

------
tjaad
How come The Netherlands does not appear in the list?

------
KingMachiavelli
I was curious about the dashcam fine so I looked it up and it seems some very
ordinary usages of cameras are violating GDPR:

> It was a camera recording the use of a car from the driver's point of view,
> which is illegal. Two people were reprimanded for using surveillance cameras
> for their own home without permission.

I assume "driver's point of view" means looking out of the front windshield?
Is this not how dash cams are meant to be used? (On second thought perhaps this
is a translation issue... the article was in German). And then I assume the
surveillance cameras were mounted outside and recorded people in public?

Both of the possible scenarios here seem pretty benign and ordinary by US
standards.

------
kjerzyk
Maybe I’m just looking at a wrong place but can you tell me what currency is
used in fines? I’m assuming it’s EUR but wanted to double check.

------
qseraserasera
looks like there may be a data entry error for Czech Data Protection Auhtority
(UOOU) summaries. they may have mis-spelled authority.

------
swebs
There sure are a lot of political parties, and not many big tech companies in
that list.

------
kitchenkarma
What do you do if e.g. Instagram ignores your GDPR requests? I have sent them
multiple emails about misuse of my personal data and they only replied with a
template that didn't address my emails?

~~~
Nimelrian
You inform your national data protection authority:

[https://edpb.europa.eu/about-edpb/board/members_en](https://edpb.europa.eu/about-edpb/board/members_en)

------
closeparen
Two of these are much more intense than I would have guessed:

> The fine concerned the proceedings related to the activity of a company which
> processed the data subjects’ data obtained from publicly available sources,
> inter alia from the Central Electronic Register and Information on Economic
> Activity, and processed the data for commercial purposes. The authority
> verified incompliance with the information obligation in relation to natural
> persons conducting business activity – entrepreneurs who are currently
> conducting such activity or have suspended it, as well as entrepreneurs who
> conducted such activity in the past. The controller fulfilled the information
> obligation by providing the information required under Art. 14 (1) – (3) of
> the GDPR only in relation to the persons whose e-mail addresses it had at its
> disposal. In case of the remaining persons the controller failed to comply
> with the information obligation – as it explained in the course of the
> proceedings – due to high operational costs. Therefore, it presented the
> information clause only on its website. According to the UODO this is not
> sufficient.

So, basically, only use open source datasets that come with contact
information for every subject.

and

> The fine was imposed in relation to a data subject's request for data
> correction and erasure. NAIH levied a fine against an unnamed financial
> institution for unlawfully rejecting a customer’s request to have his phone
> number erased after arguing that it was in the company's legitimate interest
> to process this data in order to enforce a debt claim against the customer. In
> its decision, the NAIH emphasised that the customer’s phone number is not
> necessary for the purpose of debt collection because the creditor can also
> communicate with the debtor by post. Consequently, keeping the phone number of
> the debtor was against the principles of data minimisation and purpose
> limitation. As per the law, the assessed fine was based on 0.025% of the
> company's annual net revenue.

You can't just retain the database rows pertaining to accounts with current or
likely litigation, but must choose the specific fields relevant to the nature
of the dispute. Even the companies that successfully implemented propagation
of deletion across their systems are probably going to get spanked for this
one when some column in some backwater warehouse backup isn't _strictly_
necessary for the precise claims in that account's lawsuit. Wow.

I hope this puts to bed suggestions that others were "overreacting" to GDPR,
that there would be anything other than the meanest, most aggressive, most
literal application to every case. Maybe this is a good thing! Maybe everyone
needs the fear of God put into them. But I hope GDPR boosters who went around
minimizing the threat to good-faith actors admit that they were wrong.

~~~
TeMPOraL
RE first example, read the linked official report[0]. Some choice quotes:

"the company did not meet the information obligation in relation to over 6
million people. Out of about 90,000 people who were informed about the
processing by the company, more than 12,000 objected to the processing of
their data."

"In the relevant case, the entity had postal addresses and telephone numbers
and could therefore comply with the obligation to provide information to the
persons whose data are being processed. Therefore, this case should be
distinguished from another case decided by the Polish DPA a few years ago,
when another company did not have such addresses at its disposal."

"The President of the Personal Data Protection Office found that the
infringement of the controller was intentional, because - as it was
established during the proceedings - the company was aware of the obligation
to provide relevant information, as well as the need to directly inform
persons."

"While imposing the fine, the authority also took into account the fact that
the controller did not take any action to put an end to the infringement, nor
did it declare its intention to do so."

This is _precisely_ the kind of crap GDPR was meant to address, and I very
much like the decision made here.

EDIT: If I'm Googling correctly and found the correct company, then here's an
extra irony: they actually offered services and advice to companies in
preparing for GDPR coming into force. It's safe to say they were fully aware
of the obligations under law when they performed data mining on government
databases of entrepreneurs.

--

[0] - [https://uodo.gov.pl/en/553/1009](https://uodo.gov.pl/en/553/1009)

------
nishantvyas
Does enforcement change behavior? I guess the time will tell. But I do expect
some insurance companies start selling GDPR coverage policies soon.

~~~
downandout
My guess is that nobody is going to sell coverage for fines that could range
up to €20 million that can be assessed under a set of regulations as vague,
difficult to follow, and up to interpretation as GDPR.

~~~
izacus
There's nothing difficult to follow in GDPR... unless you're specifically
trying to continue collecting too much personal data while trying to skirt the
law.

------
ddffre
Oh wow

------
hvhsb
Germany and this ridiculous requirement:

[http://www.enforcementtracker.com/?imprint](http://www.enforcementtracker.com/?imprint)

If you put a website online you've got to put all your personal information in
it.

~~~
petschge
Not any website. If it is purely private and non-commercial you don't have to.

Also, it doesn't have to be "all your personal information". Your Name is
required and an address where you could be served with court papers. A P.O.
box is not required, but the address where your company is located is fine. It
doesn't have to be your private home address. An email address is required,
but that again doesn't have to be your private one. It just has to work. A few
other things are required, e.g. where your LLC is registered if it is an LLC.

~~~
johndough
> If it is purely private and non-commercial you don't have to.

Unfortunately, this does not include a lot of websites that most people would
classify as private. For example, a blog still needs an Impressum.

In addition, you will even be classified as commercial, and therefore require
an Impressum, if you don't make any money, for example if you use ads to (try
to) pay the hosting cost.

> A P.O. box is not required

In fact, you'll have to pay a fine of usually 5000€ if you use a P.O. box
without a summonable address.

~~~
petschge
A blog is not automatically non-private and commercial.

If you have ads you make money. Just possibly less than you spent on hosting.

And yes that should have read "A P.O. is not sufficient.". Sorry for that
mistake.

