Relevant passage: "Discovery of the misdemeanor began with an email from another company to the Hessian Data Protection Commissioner, sent in May of last year, in which advice was requested regarding the failure of Kolibri Image in proving customer data, despite multiple requests being sent. Kolibri Image declined to cooperate, instead laying responsibility at the feet of another contractor."
The article is a bit hard to understand, but it seems that someone asked Kolibri to provide information on how 3rd party information was kept secured. Kolibri declined to answer saying that it was another contractor who was doing it. Reading between the lines, Kolibri seems to have asked for guidance on what to do, but did not receive guidance.
I have to say that I'm even less inclined to be sympathetic. It's a pretty blatant disregard for the GDPR. If you want guidance at that level, hire a lawyer. But in reality, there is no need for a lawyer: it is completely obvious that you can't shield yourself from GDPR simply by saying, "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands".
To be a bit more clear, I don't know what the authority could do to help resolve the compliance issue other than to say, "Yes, you have to comply with the law. Sorry that you thought you didn't have to". Is a 5000 euro fine justified -- even without having given guidance. IMHO, yes, however you can see that they thought they were in error and hence are reviewing the fine. The other blurb made it seem as if the compliance issue was only discovered because Kolibri asked what they should do. This article makes it more clear that it's just a normal complaint with a company doing everything in its power to avoid doing anything.
