On February 18, 2021, the District Court of Berlin overturned a €14.5 million fine that had been imposed on German real estate company Deutsche Wohnen SE. The Court held that the fine – which was issued by the Berlin Supervisory Authority (“SA”) and had been the second highest fine in Germany so far under the EU General Data Protection Regulation (“GDPR”) – failed to satisfy certain rules under German law, and therefore was invalid.
This case raises important questions on the interplay between the GDPR and German law regarding the attribution of regulatory offenses to a company. In this blog post, we consider this topic in greater depth and how it may eventually be resolved in court.
Background
The Berlin SA first announced the fine in 2019, after concluding that Deutsche Wohnen retained the personal data of tenants for prolonged periods of time without a valid legal basis (see our prior blog post on the case here). Deutsche Wohnen appealed the fine in court, and now appears to have won on procedural grounds. Although the official decision of the Berlin District Court has yet to be published, the Berlin SA said the Court concluded that “fines can only be imposed on legal entities if there is evidence of a specific act by management or legal representatives that led to the offense” (see press release of the Berlin SA here, in German). The Berlin SA said the prosecution will appeal the decision.
Key Issue
The fundamental issue at stake in this case is the legal criteria that an SA must satisfy to fine a company for an infringement of the GDPR (here, unlawful retention of personal data rather than a security incident or "personal data breach" in the sense of Art. 4(12) GDPR). In particular, the question is whether Art. 83 GDPR lists all the requirements that SAs must address to fine a company, or whether national laws can impose additional requirements. The national law at issue in this case is the German Act on Regulatory Offenses, which stipulates that a fine cannot be issued against a company unless the illegal act(s) and/or omission(s) can be attributed to a legal representative of the company, and can be demonstrably linked to an intentional or negligent act of management. This goes well beyond the standard of Art. 83 GDPR for administrative fines, which merely requires an SA to establish that a company has infringed a relevant provision of the GDPR.
The Conference of German SAs (known as the Datenschutzkonferenz or “DSK”) has consistently expressed the view that an SA need only establish that a breach of the GDPR has occurred for a company to be held responsible and be subject to a fine (see DSK statement here, in German). To that end, the DSK has demanded that the German legislature clarify this issue by amending Germany’s Federal Data Protection Act to exclude this requirement arising under the Act on Regulatory Offenses.
In a recent case, the District Court of Bonn aligned with the DSK’s view, holding that the German legislature violated Art. 83 GDPR by stating that the relevant national rule on attribution is also applicable in GDPR cases (see the decision here, in German). In the present case, it appears that the District Court of Berlin has now taken the opposite position.
Situation in other EU Member States
Courts in a number of other Member States have also addressed this issue in varying degrees within the framework of their respective national rules on corporate responsibility, evidence and procedure:
- In Austria, the Federal Administrative Court annulled a decision imposing an €18 million fine on the Austrian Post last year, stating that Austrian procedural law requires an SA to establish that one or several individuals (not necessarily managers) of a company committed a GDPR breach (see decision here, in German).
- By contrast, the French Conseil d’Etat has held that the French SA (“CNIL”) needs only to explain its reasons for imposing a fine on the basis of Art 83 GDPR, but it is not required to discuss all the criteria listed in that statute, or explain how it calculated the amount of a particular fine (see decision here, in French).
What’s Next?
The prosecution has filed an appeal against the decision of the District Court of Berlin. Thus, this question of the interplay between Art. 83 GDPR and national rules on evidence and procedure may ultimately be referred to the Court of Justice of the European Union. Only time will tell whether this issue can be aligned across Europe, and the outcome will be of major importance for GDPR enforcement activity going forward.