4% of annual turnover or €20 million, whichever is higher. That is the maximum fine under the GDPR.
What this means is becoming more and more obvious, starting with Marriott's $123 million fine this summer and continuing with the fine of €200 000 against German delivery firm Takeaway.com.
Marriott's fine derived from errors in Starwood Hotels' guest reservation database. Starwood was acquired by Marriott back in 2016, but the responsibility for GDPR compliance falls on Marriott, and fines are calculated neither on Starwood's turnover nor on the acquisition transaction sum.
Acquiring a company therefore also means you acquire all its privacy risks, but after the transaction they are calculated on the annual turnover at group level.
This is also the case for Takeaway.com. The errors were committed by the company Delivery Hero, which sent unsolicited marketing emails and failed to respond to data subject requests.
Takeaway.com acquired Delivery Hero as late as April 2019, and the conclusion must be that they failed in their privacy due diligence.