On February 18, 2021, the District Court of Berlin overturned a €14.5 million fine that had been imposed on German real estate company Deutsche Wohnen SE.  The Court held that the fine – which was issued by the Berlin Supervisory Authority (“SA”) and had been the second highest fine in Germany so far under the EU General Data Protection Regulation (“GDPR”) – failed to satisfy certain rules under German law, and therefore was invalid.

This case raises important questions on the interplay between the GDPR and German law regarding the attribution of regulatory offenses to a company.  In this blog post, we consider this topic in greater depth and how it may eventually be resolved in court.

Background

The Berlin SA first announced the fine in 2019, after concluding that Deutsche Wohnen retained the personal data of tenants for prolonged periods of time without a valid legal basis (see our prior blog post on the case here).  Deutsche Wohnen appealed the fine in court, and now appears to have won on procedural grounds.  Although the official decision of the Berlin District Court has yet to be published, the Berlin SA said the Court concluded that “fines can only be imposed on legal entities if there is evidence of a specific act by management or legal representatives that led to the offense” (see press release of the Berlin SA here, in German).  The Berlin SA said the prosecution will appeal the decision.

Key Issue

The fundamental issue at stake in this case is the legal criteria that an SA must satisfy to fine a company for a data breach under the GDPR.  In particular, the question is whether Art. 83 GDPR lists all the requirements that SAs must address to fine a company, or whether national laws can impose additional requirements.  The national law at issue in this case is the German Act on Regulatory Offenses, which stipulates that a fine cannot be issued against a company unless the illegal act(s) and/or omission(s) can be attributed to a legal representative of the company, and can be demonstrably linked to an intentional or negligent act of management.  This goes well beyond the standard of Art. 83 GDPR for administrative fines, which merely requires an SA to establish that a company has breached a relevant provision of the GDPR.

The Conference of German SAs (known as the Datenschutzkonferenz or “DSK”) has consistently expressed the view that an SA need only establish that a breach of the GDPR has occurred for a company to be held responsible and be subject to a fine (see DSK statement here, in German).  To that end, the DSK has demanded that the German legislature clarify this issue by amending Germany’s Federal Data Protection Act to exclude this requirement arising under the Act on Regulatory Offenses.

In a recent case, the District Court of Bonn aligned with the DSK’s view, holding that the German legislature violated Art. 83 GDPR by stating that the relevant national rule on attribution is also applicable in GDPR cases (see the decision here, in German).  In the present case, it appears that the District Court of Berlin has now taken the opposite position.

Situation in other EU Member States

Courts in a number of other Member States have also addressed this issue in varying degrees within the framework of their respective national rules on corporate responsibility, evidence and procedure:

  • In Austria, the Federal Administrative Court annulled a decision imposing an €18 million fine on the Austrian Post last year, stating that Austrian procedural law requires an SA to establish that one or several individuals (not necessarily managers) of a company committed a GDPR breach (see decision here, in German).
  • By contrast, the French Conseil d’Etat has held that the French SA (“CNIL”) need only explain its reasons for imposing a fine on the basis of Art. 83 GDPR; it is not required to discuss all the criteria listed in that provision, or to explain how it calculated the amount of a particular fine (see decision here, in French).

What’s Next?

The prosecution has filed an appeal against the decision of the District Court of Berlin.  Thus, this question of the interplay between Art. 83 GDPR and national rules on evidence and procedure may ultimately be referred to the Court of Justice of the European Union.  Only time will tell whether this issue can be aligned across Europe, and the outcome will be of major importance for GDPR enforcement activity going forward.

Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/ industry 4.0, IT related bank regulatory matters and data protection. Dr. Lensdorf’s practice covers all types of IT and outsourcing agreements, all matters of digitalization and industry 4.0, including online procurement platforms, IT-compliance matters (including cybersecurity) as well as data protection.

Furthermore, he is also focused on interfaces to other practice areas to the extent that IT related matters are affected, e. g. regulatory requirements for banking and financial services as well as public procurement law. A significant part of Dr. Lensdorf’s practice is currently advice in connection with the implementation of the GDPR (data protection) in Europe.

Ulrike Elteste

Ulrike Elteste is an experienced technology, media and intellectual property lawyer in the firm’s Frankfurt office. She also advises on related regulatory aspects, in particular, privacy law, financial services supervisory law, and telecommunications law. She is regularly involved in cross-border transactions with a focus on technology or IP. Ulrike also represents clients in commercial and IP litigation.

Moritz Hüsch

Moritz Hüsch is partner in Covington’s Frankfurt office and co-chair of Covington’s Technology Industry Group and Covington’s Internet of Things (IoT) Group. His practice focuses on complex technology- and data-driven licensing deals and cooperations, outsourcing, commercial contracts, e-commerce, m-commerce, as well as privacy and cybersecurity.

Moritz is regularly advising on issues and contracts with respect to IoT, AV, big data, digital health, and cloud-related subject matters. In addition, he regularly advises on all IP/IT-related questions in connection with M&A transactions. A particular focus of Moritz’s practice is on advising companies in the pharmaceutical, life sciences and healthcare sectors, where he regularly advises on complex licensing, data protection and IT law issues.

Moritz is regularly listed as one of the best lawyers in the areas of IT and data protection, among others by Best Lawyers in cooperation with Handelsblatt, Wirtschaftswoche and Legal 500.

Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Brussels office, where he is a member of the Data Privacy and Cybersecurity practice group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide.  Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements related to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer registered on the B-List of the Brussels Bar, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.