A top court has ordered the European Union’s top executive authority to pay €400 (around $410) in damages to a German citizen for breaching its own data protection laws.

In a statement, the EU General Court said the European Commission violated the citizen’s rights by transferring some of his personal data to the United States without proper safeguards.

The court said the German citizen registered for a conference, managed by the European Commission, using the “Sign in with Facebook” option on the conference’s website. But the citizen said information about his IP address, browser and device were transferred to companies in the United States — namely Amazon, which hosts the conference’s website, and Meta, which owns Facebook — which the citizen said violated his rights under the bloc’s data privacy rules.

The European Commission committed a “sufficiently serious breach” of the rules that cover the 27 European nations, the EU General Court ruled on Wednesday. Reuters, which first reported the news, said the fine is a first for the European Commission.

The EU’s data protection rules, known as GDPR, are some of the strictest data privacy rules in the world, and can fine organizations up to 4% of their annual turnover for breaching the rules.