2024-2025 Global AI Trends Guide
Following the European Court of Justice’s (“ECJ”) landmark judgement of 5 December 2023 (case no. C-807/21), the Higher Regional Court of Berlin specified the requirements for GDPR fine notices issued by data protection authorities under German administrative laws in its decision dated 22 January 2024. In line with the position previously taken by some German data protection authorities, the Berlin court particularly clarified that it is not required to identify a specific individual responsible for the alleged GDPR violation in the fine notice. This differs from traditional national laws requiring individual culpability and reflects a shift towards a more direct corporate liability for GDPR infringements, facilitating the way for German data protection authorities to impose GDPR fines.
The decision of the Higher Regional Court of Berlin marks the most recent decision relating to a dispute around a GDPR fine notice issued by the Berlin Data Protection Commissioner (“Berlin DPA”) against a German real estate company in 2019. In these enforcement proceedings, the first GDPR administrative fine totaling over EUR 14 million in Germany was imposed for alleged GDPR violations for what the authority considered to be the excessive storage and archiving of (current and historical) tenant data. While the first instance court dismissed the fine on formal grounds because the fine notice lacked an individualized description of the GDPR violation and therefore suffered from such “serious deficiencies” that it cannot form the basis of the proceedings, the Berlin court as the second instance court asked the ECJ to clarify the GDPR’s requirements for fines.
Under Art. 83 GDPR, national supervisory authorities are entitled to impose fines against companies up to EUR 20 million or 4% of an undertaking's total global annual turnover in the previous financial year (whichever is higher). However, the GDPR does not provide rules for fine proceedings, but refers to other EU law and national laws of the Member States (Art. 83 (8) GDPR) instead. For Germany, the Federal Data Protection Act states that the Administrative Offences Act (Ordnungswidrigkeitengesetz, “OWiG”) shall apply “accordingly” for GDPR fine proceedings.
Against this background, it was highly disputed amongst German privacy professionals and in the proceedings at hand, to what extent the requirements for the prosecution of administrative offences and the imposition of administrative fines regulated in the OWiG apply to fines under the GDPR. It was particularly controversial, whether fines against a legal person acting as controller require that the violation has been committed by a specific person in a management position (as required under Section 30 (1) OWiG) and whether these violations of individualized persons need to be described in the fine notice in accordance with Section 66 (1)(3) OWiG.
Following the reference for a preliminary ruling by the Berlin court, the ECJ issued its landmark judgment of 5 December 2023 clarifying some of the requirements for GDPR fines. The ECJ essentially found that:
Following the ECJ’s decision, the Higher Regional Court of Berlin resumed proceedings regarding the lawfulness of the administrative fine imposed by the Berlin DPA. Based on the grounds for the rejection of the fine by the first instance, the Berlin court was only tasked to decide whether the fine notice met the formal requirements of the OWiG. The court took into account the ECJ’s judgment and found that
Given this legal position, the court concluded that the fine notice issued by the Berlin DPA adequately described the GDPR violation. By taking this view, the court transposed the ECJ’s decision by confirming that companies as legal entities are directly liable for GDPR fines under Art. 83 GDPR, and by expanding the responsibility of companies to all individuals acting for them.
The decision of the Berlin court lowers the thresholds for the formal requirements for GDPR fine notices under German law. This could embolden German data protection authorities in their enforcement practices and thus lead to a higher enforcement risk for companies.
However, the decision does not mark the final answer to other important questions. Following the Higher Regional Court of Berlin’s decision, the Regional Court of Berlin is now tasked with deciding upon the broader question of the legality of the administrative fine. In particular it will have to decide whether the real estate company actually violated the GDPR and – more importantly – whether Section 30 OWiG (and the related Section 130 OWiG) can be interpreted in light of the ECJ’s decision to also allow for so-called “anonymous fines” which do not require the individualization of violations or whether it is inapplicable due to violation of EU law. Further, the question of whether or not the multi-million Euro fine’s height is adequate remains to be answered.
Authored by Henrik Hanssen, Michael Thiesen, Christian Tinnefeld, and Anna Vogel.