More to Answer For, Less to Get Fined?: Specifications on GDPR Administrative Fines by German Court With Preliminary Ruling Procedure From ECJ – Case Law

18.03.2024

The GDPR is making great strides and changing the way every organization that collects and processes personal data operates. Compliance with the data protection laws of the EU is becoming more challenging and comprehensive, and is at the same time demanded by users. Moreover, failing to comply with the requirements of the General Data Protection Regulation ("GDPR") leads to reputational damage and financial burdens, for example in the form of administrative fines (exceptionally high fines of up to 1 bn. Euro [1]) and claims for damages.

The complexity of the GDPR leaves a great deal of room for interpretation [2], which in many cases makes organizations more vulnerable to fines from the relevant data protection authorities. In many cases, in theory as well as in the practice of public authorities, the European Court of Justice (ECJ), as the only authority on GDPR, sheds light on this darkness, also in other countries such as Türkiye, where the GDPR strongly influences the legislators, the decisions of the Turkish Data Protection Authority (DPA) and legal practice.

Recently, on 5 December 2023, the ECJ delivered a judgment [3] on the preliminary questions raised by the Kammergericht Berlin, 3. Senat für Bußgeldsachen (3rd Senate for Administrative Fines, Berlin, Germany).


I. Case Facts


A real estate company (Deutsche Wohnen SE) (the "Controller") was investigated by the Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection) (DPA) for storing tenant data in an electronic archive system. According to the DPA's press release, personal data of tenants was stored without checking whether storage was permitted or whether it still served its purpose, and without any deletion measures. This involved data on the personal and financial circumstances of the tenants, e.g. salary certificates, employment and training contracts, tax, social and health insurance data as well as bank statements. [4]

The DPA requested the controller to delete all documents by 2017, but the controller refused, stating that deletion was impossible for different reasons. In 2020, the DPA found no substantial change in the data storage, and the controller informed the DPA that the archiving system had been decommissioned. The DPA issued an administrative fine of €14,385,000 for intentional breach of the GDPR: "for the intentional infringement of Article 25(1) GDPR and Article 5(1)(a), (c), and (e) GDPR, the authority imposed a pecuniary penalty, as well as 15 further pecuniary penalties each ranging from €3,000 to €17,000 for infringements of Article 6(1) GDPR" [5]. The Berlin Regional Court discontinued the proceedings, stating that only a natural person can be a party to proceedings for an administrative fine. The Staatsanwaltschaft Berlin (Berlin Public Prosecutor's Office) appealed against the dismissal, and the Kammergericht Berlin (Court of Appeal, Berlin) has been asked to rule in the final instance.


II. The Dispute

 


The problem arises because of the nature of German law. According to Section 30 of the Gesetz über Ordnungswidrigkeiten (OWiG) (Law on Administrative Offences of Germany) [6], an administrative fine can only be imposed on a legal person or an association when a natural person has committed an unlawful and culpable offence that can be attributed to the legal person.

In contrast to this, as the GDPR became applicable, the German legislator stipulated in Section 41(1) of Bundesdatenschutzgesetz (the German Data Protection Act)[7] (BDSG) that the provisions of the OWiG apply mutatis mutandis to violations under Article 83(4) to (6) GDPR, unless the BDSG provides otherwise.

GDPR on its own does not contain any provisions on the specific conditions under which an administrative fine can be imposed on a company.

This seemed only logical, as the GDPR provides for severe sanctions for data protection infringements with administrative fines of up to EUR 10 million or EUR 20 million and, in the case of a company, even up to 2% or 4% of the total worldwide annual turnover of the preceding financial year.

In particular, the GDPR does not regulate when the commission of an offence by natural persons acting on behalf of a company can be attributed to that company.

The Staatsanwaltschaft Berlin (Berlin Public Prosecutor’s Office, Germany) brought an appeal against the first-instance decision before the Kammergericht Berlin (Higher Regional Court, Berlin, Germany), which has referred the following questions to the Court of Justice for a preliminary ruling:

Is Article 83(4) to (6) of the GDPR to be interpreted as meaning that an administrative fine requires that a natural and identified person has committed an administrative offence, if necessary in satisfaction of the objective and subjective elements of tortious liability? And, if Question 1 is answered in the affirmative, shall the administrative fine be imposed if it is proven that the data controller, as a natural or legal person, committed the relevant data protection infringement intentionally or negligently, or is this to be interpreted as a "strict liability" of the legal person?


III. ECJ Judgment


The ECJ decided, following the Advocate General's opinion, that the relevant provision, Art. 83 GDPR, has a broader interpretation, namely that "the imposition of a fine on a legal person responsible for the processing of personal data is not dependent on the prior infringement by one or more individual(s) in the service of that legal person" (paragraph 86 of the Opinion of Advocate General) [8].

And how does the GDPR measure liability according to Art. 83 GDPR?

The ECJ clearly states that Art. 82 of the GDPR supports the exclusion of a strict liability, which has almost no conditions other than breaches, in connection with the imposition of penalties. The court lays out that it requires the "punishable conduct to be intentional or negligent" [9] (Rec. 66).

To conclude: there is more responsibility in practice where the legal person or natural person acts intentionally or negligently. There is more to answer for when objecting to fines, and less to get fined for by the authorities. Having functional compliance systems and implementing them effectively becomes critical.

The GDPR leaves a wide field of interpretation at the will of the legislator, where in some cases more than one view can genuinely be held and one can be lost in practice as to which one to choose. It will therefore be interesting to see what the coming cases will bring.

References



[1] 1.2 billion euro fine for Facebook as a result of EDPB binding decision, 2024, 1st of March, https://edpb.europa.eu/news/news/2023/12-billion-euro-fine-facebook-result-edpb-binding-decision_en.

[2] Smirnova, Y. and Travieso-Morales, V. (2024), "Understanding challenges of GDPR implementation in business enterprises: a systematic literature review", International Journal of Law and Management, https://doi.org/10.1108/IJLMA-08-2023-0170 (p.11).

[3] Judgment of the Court (Grand Chamber), Deutsche Wohnen SE v Staatsanwaltschaft Berlin (Case C-807/21) EU:C:2023:360, https://curia.europa.eu/juris/document/document.jsf?text=&docid=272981&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=2079669.

[4] Berliner Datenschutzbeauftragte verhängt Bußgeld gegen Immobiliengesellschaft, 2024, 3rd of March, https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PM-Bussgeld_DW.pdf.

[5] GDPR hub, BlnBDI (Berlin) – C-807/21 – Deutsche Wohnen, 2024, 3rd of March, https://gdprhub.eu/index.php?title=BlnBDI_(Berlin)_-_C-807/21_-_Deutsche_Wohnen.

[6] Act on Regulatory Offences in the version published on 19 February 1987 (Federal Law Gazette [Bundesgesetzblatt] I p. 602), last amended by Article 31 of the Act of 5 October 2021 (Federal Law Gazette I, p. 4607), Section 30, 2nd of March 2024, https://www.gesetze-im-internet.de/englisch_owig/englisch_owig.html#p0156.

[7] Federal Data Protection Act of 30 June 2017 (Federal Law Gazette I p. 2097), as last amended by Article 10 of the Act of 23 June 2021 (Federal Law Gazette I, p. 1858; 2022 I p. 1045), Section 41, 5th of March, https://www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html#p0335.

[8] Opinion of Advocate General Campos Sanchez-Bordona, Deutsche Wohnen SE v Staatsanwaltschaft Berlin, Case C-807/21, EU:C:2023:360, https://curia.europa.eu/juris/document/document.jsf?text=&docid=272981&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4831879.
