3 May 2026

Privacy Watchdogs Target Mid-Sized Firms


More than €4.5 billion in GDPR fines since 2018, and the 2026 trend points clearly away from the well-known tech conglomerates toward medium-sized enterprises. In the last 24 months, the Berlin and Hamburg supervisory authorities have for the first time targeted companies with annual sales under €500 million. The 72-hour reporting obligation for data breaches is the most frequent trigger, because many SMEs are unaware that the deadline starts with discovery of the incident, not with internal escalation.

Key Takeaways

  • 4.5+ billion EUR in fines, trend shifts to SMEs. Since 2018, European supervisory authorities have imposed over €4.5 billion in GDPR fines. In 2025/2026 the focus is shifting: data protection authorities are reporting significantly more proceedings against companies with fewer than 1,000 employees.
  • 72-hour deadline starts earlier than expected. Article 33 GDPR: the report to the supervisory authority is due as soon as a data protection officer becomes aware of a breach. Waiting for internal escalation before reporting risks missing the deadline.
  • Deutsche Wohnen SE as the DACH benchmark. The Berlin-based company received a €14.5 million fine for systematic data storage without a deletion concept; it is a real estate company, not a tech conglomerate. This pattern will repeat in other sectors by 2026.
  • Three immediate actions for security teams. Implement an incident response plan with a 48-hour internal lead time, an automated reporting system for Article 33/34, and a quarterly data flow audit to structurally reduce the risk of fines.

What is the GDPR reporting obligation under Article 33? Article 33 of the General Data Protection Regulation requires data controllers to report a data breach to the relevant supervisory authority within 72 hours of becoming aware of it. The deadline starts when sufficient knowledge of the breach’s occurrence and nature is established, not when the internal investigation is completed. If reporting cannot be made within 72 hours, a reason for the delay must be provided.

Why 2026 Will Be a Pivotal Year for Small and Medium-Sized Enterprises

The initial years of GDPR enforcement focused on high-profile targets: Google, Meta, Amazon, WhatsApp. The multi-million-euro fines against tech giants have shaped public perception and led many SMEs to believe that their size naturally protects them.

However, data protection authorities in Germany and Austria have systematically corrected this perception over the past 24 months. The Hessian Data Protection Commissioner reported a doubling of procedures against companies with fewer than 250 employees in 2025. Berlin Data Protection Officer Meike Kamp emphasized in multiple public statements that the authority will conduct sector-wide audits instead of handling individual cases.

The legal foundation remains unchanged: Article 83 GDPR allows fines of up to €20 million or 4% of global annual revenue. For a company with €50 million in revenue, the 4% cap translates to a €2 million fine. While not an existential threat in absolute terms, such a penalty represents significant operational damage, including investigation costs, internal distraction, and reputational impact on customers and business partners.

Key figures:

  • €4.5+ billion: GDPR fines accumulated since 2018
  • 72 hours: notification deadline after data breach discovery
  • €14.5 million: fine for Deutsche Wohnen SE (DACH reference case)

The 72-Hour Trap: Where SMEs Consistently Fail

The most frequent trigger for SME fines is not a major data breach but rather the delayed or omitted reporting of a relatively minor violation. The scenario is identical in many organizations: an employee notices that a file has been accidentally sent to external recipients. The incident is internally reported. IT and legal departments debate whether a reporting obligation exists. Three days later, the 72-hour deadline expires without any report to the authorities.

Article 33 GDPR is clear: the deadline starts as soon as the responsible party has sufficient knowledge. This is not the same as completing a root cause analysis. An early report with the note “Investigation underway, further details to follow” is explicitly permitted and is evaluated more favorably by data protection authorities than a delayed comprehensive report.

CISOs report that the biggest internal challenge is not a lack of willingness to comply but the absence of processes. In the chaos of a security incident, trying to simultaneously contain the cause, limit the damage, and draft a regulatory report leads to parallel overload. This is a structural issue, not a competence problem.

Three Measures to Structurally Reduce the Risk of Fines

1. 48-Hour Internal Escalation as a Mandatory Requirement

The internal incident response plan must establish a clear threshold: Upon detection of a potential data breach, an automatic 48-hour internal escalation process is initiated. The security officer simultaneously informs legal and data protection officers (DPO), rather than sequentially. This creates a 24-hour buffer for assessing whether an Article 33 reporting obligation exists and prevents deadline overruns due to internal communication delays.

2. Prepared Reporting Template for Article 33/34

A pre-prepared reporting template for the supervisory authority reduces the time required for formulating the report to under 30 minutes. The template includes the mandatory fields specified in Article 33, paragraph 3: nature of the breach, categories of personal data affected, number of individuals concerned, and the likely consequences. Incomplete entries with a note “Supplementary information to follow” are accepted by the authorities and are preferable to silence.

3. Quarterly Data Flow Audit with Deletion Evidence

The Deutsche Wohnen case demonstrates that supervisory authorities view the absence of a deletion concept as a standalone violation, independent of a specific data breach. A quarterly data flow audit documenting where and when data is stored and deleted is the most cost-effective way to mitigate this violation. For companies without an in-house DPO team, external service providers can conduct a half-yearly audit.
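The two timing rules behind measures 1 and 2 are easy to get wrong in the middle of an incident: the 72-hour Article 33 clock runs from discovery, not from the moment legal or the DPO is looped in, and the 48-hour internal threshold is what leaves the 24-hour assessment buffer. The following tracker is an added example written for this article, not code from the author or from any regulator; it models those deadlines, classifies an incident against them, and pre-fills the Article 33(3) fields the text lists, marking anything still unknown with the accepted “Supplementary information to follow” note. Function names, field names, and the sample incidents are constructed for illustration.

```python
"""Article 33 deadline tracker and draft notification builder (added example).

Encodes the timing rules described in the article: the 72-hour Article 33
deadline is measured from awareness (discovery), and the recommended 48-hour
internal escalation threshold leaves a 24-hour assessment buffer. Names and
sample incidents below are constructed, not real cases.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

AUTHORITY_DEADLINE = timedelta(hours=72)   # Article 33(1): counted from awareness
INTERNAL_ESCALATION = timedelta(hours=48)  # recommended internal threshold (article)

# Mandatory notification content as listed in the article (Article 33(3)).
MANDATORY_FIELDS = (
    "nature_of_breach",
    "data_categories",
    "individuals_affected",
    "likely_consequences",
)
PENDING = "Supplementary information to follow"  # accepted placeholder for open items


@dataclass
class Incident:
    name: str
    discovered_at: datetime                  # awareness: the clock starts here
    escalated_at: Optional[datetime] = None  # internal escalation; does NOT restart the clock
    reported_at: Optional[datetime] = None   # first report sent to the supervisory authority
    details: dict = field(default_factory=dict)


def authority_deadline(inc: Incident) -> datetime:
    """Latest time for the Article 33 report, measured from discovery."""
    return inc.discovered_at + AUTHORITY_DEADLINE


def internal_deadline(inc: Incident) -> datetime:
    """Latest time by which legal and the DPO must have been informed."""
    return inc.discovered_at + INTERNAL_ESCALATION


def hours_remaining(inc: Incident, now: datetime) -> float:
    """Hours left until the authority deadline; negative once it has passed."""
    return (authority_deadline(inc) - now).total_seconds() / 3600


def status(inc: Incident, now: datetime) -> str:
    """Classify an incident against both deadlines at time `now`."""
    deadline = authority_deadline(inc)
    if inc.reported_at is not None:
        return "reported_on_time" if inc.reported_at <= deadline else "reported_late"
    if now > deadline:
        return "overdue"                 # the trap: internal debate ran past 72 hours
    if inc.escalated_at is None and now > internal_deadline(inc):
        return "escalation_overdue"      # buffer is being consumed, nobody is assessing
    return "on_track"


def draft_notification(inc: Incident) -> dict:
    """Fill the mandatory fields; unknown items carry the PENDING marker."""
    return {f: inc.details.get(f, PENDING) for f in MANDATORY_FIELDS}


def notification_complete(inc: Incident) -> bool:
    """True only when every mandatory field has real content."""
    return all(v != PENDING for v in draft_notification(inc).values())


# --- constructed sample incidents (illustrative, not real cases) -------------
T0 = datetime(2026, 5, 4, 9, 0, tzinfo=timezone.utc)  # employee notices the misdirected file

# Scenario from the article: escalated, then debated, never reported.
STALLED = Incident("misdirected-file-debated", discovered_at=T0,
                   escalated_at=T0 + timedelta(hours=6))

# Preliminary report at +20h with two items still open.
EARLY = Incident("misdirected-file-reported", discovered_at=T0,
                 escalated_at=T0 + timedelta(hours=1),
                 reported_at=T0 + timedelta(hours=20),
                 details={"nature_of_breach": "email attachment sent to external recipients",
                          "data_categories": "customer contact data"})


def run_scenarios() -> dict:
    """Evaluate the samples at two points in time; returns a name -> status map."""
    at_49h = T0 + timedelta(hours=49)
    at_73h = T0 + timedelta(hours=73)
    unescalated = Incident("misdirected-file-unescalated", discovered_at=T0)
    return {
        "stalled_at_49h": status(STALLED, at_49h),
        "stalled_at_73h": status(STALLED, at_73h),
        "unescalated_at_49h": status(unescalated, at_49h),
        "early": status(EARLY, at_73h),
    }


if __name__ == "__main__":
    for name, st in run_scenarios().items():
        print(f"{name}: {st}")
    print(draft_notification(EARLY))
```

The point of `status` is that the clock is anchored to `discovered_at` and nothing else: escalating internally at hour 6 does not buy time, and an incident that nobody has escalated by hour 48 is flagged while there is still a day left to decide. `draft_notification` is the template from measure 2: it can be sent as soon as the first two fields are known, with the open items marked rather than withheld.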

Reactive vs. Proactive Compliance: What Supervisory Authorities Actually Reward

Data protection authorities operate with a tiered sanctions system. Fines are the ultimate penalty, not the first. During an inspection or after a report, demonstrating the existence of a functioning data protection management system typically results in a warning with a corrective action period as the initial response. The Hamburg Commissioner for Data Protection and Freedom of Information explicitly communicated this in its 2024 annual report.

Proactive Approach

  • Documented data protection management system acts as a fine buffer
  • Early reporting under Article 33 demonstrably reduces the severity of fines
  • Authorities prioritize companies without management systems for in-depth investigations
  • Deletion concepts prevent standalone fine violations

Reactive Approach

  • Violation of Article 33 deadlines significantly increases fine amounts
  • Missing documentation is evaluated as an aggravating factor
  • Postponed compliance investments cost 3-5 times more than preventive measures
  • Reputational damage through public fine registers (multiple EU countries)

What Security Teams Can Do

The good news for SMEs: GDPR compliance doesn’t require a dedicated data protection team. It requires a documented structure. Supervisory authorities primarily check whether a responsible individual is aware of their duties and demonstrably fulfilling them. Three elements are essential: a named data protection officer (required for organizations with 20 or more employees and regular data processing), a register of processing activities under Article 30, and a documented risk assessment for critical processes.

The relationship between investment and risk reduction is clear. An external data protection officer costs SMEs between €3,000 and €8,000 per year. A GDPR fine for a company with €50 million in revenue can reach up to €2 million. Security teams that can’t explain this to their CFO have chosen the wrong approach.

Frequently Asked Questions

What is the difference between Article 33 and Article 34 GDPR?

Article 33 regulates the reporting obligation to the supervisory authority (within 72 hours of awareness). Article 34 regulates the notification obligation to the affected individuals and applies only if the breach is likely to result in a high risk to the rights and freedoms of natural persons. Not every incident triggers Article 34, but nearly every incident that does trigger Article 34 also triggers Article 33.

When is a data breach reportable?

A reporting obligation under Article 33 exists if the breach is likely to result in a risk to the rights and freedoms of natural persons. An accidentally sent internal document without personal data is typically not reportable. A leak of customer data, health data, or financial data is almost always reportable. When in doubt, it’s better to report and be deemed not reportable by the authority than not to report and be considered in violation of the deadline.

What is the typical GDPR fine for SMEs in Germany?

For companies with fewer than 500 employees, most German fines range between 5,000 and 100,000 Euros, provided a functioning data protection management system is in place and the breach is reported. Without a management system and with missed deadlines, fines can also reach the six-figure range for smaller companies.

Which sectors will be particularly in focus for supervisory authorities in 2026?

Sectors such as healthcare, real estate, financial services, and personal services will be subject to increased scrutiny by German data protection authorities – as they regularly process particularly sensitive data categories and submit relatively high numbers of data breach notifications. Sector-wide investigations are more efficient than individual case investigations and provide the authorities with more insights per investigator.

What is the fastest way to achieve Article 30 GDPR compliance?

A register of processing activities under Article 30 must document the purpose, legal basis, data categories, recipients, and storage period for each processing operation. For a company with up to 100 employees, 15 to 25 entries (HR, accounting, CRM, marketing, IT support) are typically sufficient. Templates provided by German data protection authorities are free to use and give a structurally compliant foundation within a week.

Photo: Pexels / Sora Shimazaki (px:5668858)

Author: Alec Chizhik
A magazine by Evernine Media GmbH