by oh_sigh 2556 days ago
If you look back at comments as GDPR was first coming into effect, you saw a lot of comments here along the lines of 'The EU doesn't want to fine anyone. They want you to become compliant, and will help you do so, and you won't be fined unless you were intentionally being non-compliant'

But then look at this example from Germany:

> Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had sent a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Authority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that they will challenge the decision in front of court since they are of the opinion that the service provider does not act as a processor.

The company emailed the authority asking for advice on how to deal with a service provider who didn't want to cooperate with GDPR, then the authority ignored their request, forwarded their information to another authority, which then fined them for the exact thing they were asking for advice on.

Yes, the fine has apparently been withdrawn, but how much time, money, and mental capacity did Kolibri Image have to spend dealing with this before the authority decided to drop it?


I'm not actually that sympathetic. If you have a processor that does not want to sign a processing agreement, you have to stop using them. There is no leeway on this issue in GDPR. You are responsible for ensuring that third party processors you engage agree to handle the data lawfully. There's not a lot of context to go on, but it seems to me that the company in question is just stalling. I literally can't think of a legitimate reason for their opinion that the service provider "does not act as a processor". Either you are sending PII to them or not. If you are, then they are a processor. If not, then it's not related to GDPR in any way.
That's fine, but my point was not that Kolibri Image took the appropriate steps immediately, but whether the commenters here on HN were correct in their estimation that the various data protection authorities would help you resolve compliance issues versus just issuing you fines.
Some more context: https://gdpr.report/news/2019/01/23/small-business-in-german...

Relevant passage: "Discovery of the misdemeanor began with an email from another company to the Hessian Data Protection Commissioner, sent in May of last year, in which advice was requested regarding the failure of Kolibri Image in proving customer data, despite multiple requests being sent. Kolibri Image declined to cooperate, instead laying responsibility at the feet of another contractor."

The article is a bit hard to understand, but it seems that someone asked Kolibri to provide information on how 3rd party information was kept secured. Kolibri declined to answer saying that it was another contractor who was doing it. Reading between the lines, Kolibri seems to have asked for guidance on what to do, but did not receive guidance.

I have to say that I'm even less inclined to be sympathetic. It's a pretty blatant disregard for the GDPR. If you want guidance at that level, hire a lawyer. But in reality, there is no need for a lawyer: it is completely obvious that you can't shield yourself from GDPR simply by saying, "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands".

To be a bit more clear, I don't know what the authority could do to help resolve the compliance issue other than to say, "Yes, you have to comply with the law. Sorry that you thought you didn't have to". Is a 5000 euro fine justified -- even without having given guidance? IMHO, yes; however, you can see that they thought they were in error and hence are reviewing the fine. The other blurb made it seem as if the compliance issue was only discovered because Kolibri asked what they should do. This article makes it more clear that it's just a normal complaint with a company doing everything in its power to avoid doing anything.

> you can't shield yourself from GDPR simply by saying, "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands".

To be specific, this is mandated explicitly by the GDPR:

> the controller shall [ensure] to be able to demonstrate that processing is performed in accordance with this Regulation. [art.24]

> Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees [art.28]

> Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller [art.28]

[art.24] https://gdpr-info.eu/art-24-gdpr/

[art.28] https://gdpr-info.eu/art-28-gdpr/

> "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands"

In this case, the other company is also in Europe (Spain), so by law must abide by GDPR. It seems they didn't have a contract ready, and Kolibri didn't want to spend money on translating/creating a contract to Spanish.

From what I read from Kolibri themselves (https://kolibri-image.com/causa-datenschutz/), the "processing" was a company that bundles DHL package orders to get batch pricing. You send them the information, they send the order (together with other orders) to DHL, DHL picks up the package and you save on postage. Apparently, Kolibri wasn't sure whether that's actually data processing (but did mention using the company for this particular reason in their privacy information; according to the Bavarian officials, it isn't). They asked the German branch of the company, who said they wouldn't need a contract and subsequently referred them to HQ in Spain. They asked the Hessian official to make the company's German branch comply with GDPR and sign a data processing contract. Instead, the Hessians forwarded it to Hamburg.

Kolibri claims to have stopped using that company after hearing back from the Hessians, but forgot to remove them from the privacy information on one website. If they are to be believed, they were told "you can't use them without a contract" and stopped using them.

The fine has since been withdrawn and the case was closed.