Some more context: https://gdpr.report/news/2019/01/23/small-business-in-german...

Relevant passage: "Discovery of the misdemeanor began with an email from another company to the Hessian Data Protection Commissioner, sent in May of last year, in which advice was requested regarding the failure of Kolibri Image in proving customer data, despite multiple requests being sent. Kolibri Image declined to cooperate, instead laying responsibility at the feet of another contractor."

The article is a bit hard to understand, but it seems that someone asked Kolibri to provide information on how 3rd party information was kept secured. Kolibri declined to answer saying that it was another contractor who was doing it. Reading between the lines, Kolibri seems to have asked for guidance on what to do, but did not receive guidance.

I have to say that I'm even less inclined to be sympathetic. It's a pretty blatant disregard for the GDPR. If you want guidance at that level, hire a lawyer. But in reality, there is no need for a lawyer: it is completely obvious that you can't shield yourself from GDPR simply by saying, "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands".

To be a bit more clear, I don't know what the authority could do to help resolve the compliance issue other than to say, "Yes, you have to comply with the law. Sorry that you thought you didn't have to". Is a 5000 euro fine justified -- even without having given guidance? IMHO, yes; however, you can see that they thought they were in error and hence are reviewing the fine. The other blurb made it seem as if the compliance issue was only discovered because Kolibri asked what they should do. This article makes it more clear that it's just a normal complaint with a company doing everything in its power to avoid doing anything.



> you can't shield yourself from GDPR simply by saying, "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands".

To be specific, this is mandated explicitly by the GDPR:

> the controller shall [ensure] to be able to demonstrate that processing is performed in accordance with this Regulation. [art.24]

> Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees [art.28]

> Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller [art.28]

[art.24] https://gdpr-info.eu/art-24-gdpr/

[art.28] https://gdpr-info.eu/art-28-gdpr/


> "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands"

In this case, the other company is also in Europe (Spain), so by law must abide by GDPR. It seems they didn't have a contract ready, and Kolibri didn't want to spend money on translating/creating a contract to Spanish.

From what I read from Kolibri themselves (https://kolibri-image.com/causa-datenschutz/), the "processing" was a company that bundles DHL package orders to get batch pricing. You send them the information, they send the order (together with other orders) to DHL, DHL picks up the package and you save on postage. Apparently, Kolibri wasn't sure whether that's actually data processing (but did mention them using the company for this particular reason in their privacy information, according to the Bavarian officials, it isn't). They asked the German branch of the company who said they wouldn't need a contract and subsequently referred them to HQ in Spain. They asked the Hessian official to make the company's German branch comply with GDPR and sign a data processing contract. Instead, the Hessians forwarded it to Hamburg.

Kolibri claims to have stopped using that company after hearing back from the Hessians, but forgot to remove them from the privacy information on one website. If they are to be believed, they were told "you can't use them without a contract" and stopped using them.

The fine has since been withdrawn and the case was closed.
