Hacker News
by the_duke 2768 days ago
Someone should send a friendly email to each of those offenders, linking the ruling.

It's also fair to say that the next few years will be a busy time for the government agencies tasked with GDPR enforcement.

(Assuming they do it properly, which falls within the responsibility of the relevant country)

1 comments

They should, though assuming a bloated org structure and process, fixing it now is probably more expensive than the €20000 fine.
Note that the actual cost to Knuddels is much higher, because you also have to include the cost of implementing proper security measures. The Data Protection Officer's statement (https://www.baden-wuerttemberg.datenschutz.de/lfdi-baden-wue..., in German) states that the total cost to Knuddels is a six figure sum.
For a larger company, it should be considerably higher.

Also, the ruling mentioned a reduced fine for cooperation and quick remediation. This probably wouldn't play out so well with a bloated structure and process, as you mentioned.

But the fine would have been more if they had refused to fix it. So the calculus isn’t straightforward.