GDPR fines: German court specifies requirements for fine notices in light of ECJ case-law

Background: The Underlying Proceedings

The decision of the Higher Regional Court of Berlin marks the most recent decision relating to a dispute around a GDPR fine notice issued by the Berlin Data Protection Commissioner (“Berlin DPA”) against a German real estate company in 2019. In these enforcement proceedings, the first GDPR administrative fine totaling over EUR 14 million in Germany was imposed for alleged GDPR violations for what the authority considered to be the excessive storage and archiving of (current and historical) tenant data. While the first instance court dismissed the fine on formal grounds because the fine notice lacked an individualized description of the GDPR violation and therefore suffered from such “serious deficiencies” that it cannot form the basis of the proceedings, the Berlin court as the second instance court asked the ECJ to clarify the GDPR’s requirements for fines.

Under Art. 83 GDPR, national supervisory authorities are entitled to impose fines against companies up to EUR 20 million or 4% of an undertaking's total global annual turnover in the previous financial year (whichever is higher). However, the GDPR does not provide rules for fine proceedings, but refers to other EU law and national laws of the Member States (Art. 83 (8) GDPR) instead. For Germany, the Federal Data Protection Act states that the Administrative Offences Act (Ordnungswidrigkeitengesetz, “OWiG”) shall apply “accordingly” for GDPR fine proceedings.

Against this background, it was highly disputed amongst German privacy professionals and in the proceedings at hand, to what extent the requirements for the prosecution of administrative offences and the imposition of administrative fines regulated in the OWiG apply to fines under the GDPR. It was particularly controversial, whether fines against a legal person acting as controller require that the violation has been committed by a specific person in a management position (as required under Section 30 (1) OWiG) and whether these violations of individualized persons need to be described in the fine notice in accordance with Section 66 (1)(3) OWiG.

Landmark Judgment of the ECJ

Following the reference for a preliminary ruling by the Berlin court, the ECJ issued its landmark judgment of 5 December 2023 clarifying some of the requirements for GDPR fines. The ECJ essentially found that:

• Legal entities are directly liable for violations committed by any persons acting in the course of their business activities and on behalf of these legal entities – regardless of whether they are persons in a management position (para. 44). The ECJ stated that it is not even necessary for management to have actual knowledge about the violation (para. 77). As a consequence, it is not necessary to identify a specific person who committed the GDPR violation on behalf of the legal entity for the imposition of a fine (para. 60).
• In addition, the ECJ clarified that the imposition of a GDPR fine requires a culpable breach (intent or negligence). This requirement shall in the future be interpreted along the lines of the formula introduced by the ECJ in the antitrust case Schenker & Co. According to this formula, a controller can be liable where the controller “could not be unaware of the infringing nature of its conduct, whether or not it is aware that it is infringing the provisions of the GDPR” (para. 76).

Key Findings of the Higher Regional Court of Berlin

Following the ECJ’s decision, the Higher Regional Court of Berlin resumed proceedings regarding the lawfulness of the administrative fine imposed by the Berlin DPA. Based on the grounds for the rejection of the fine by the first instance, the Berlin court was only tasked to decide whether the fine notice met the formal requirements of the OWiG. The court took into account the ECJ’s judgment and found that

• fines provided for in Art. 83 GDPR can be imposed directly on legal persons if they qualify as data controllers,
• the liability of a company for GDPR infringements requires neither the fault of a representative nor a breach of supervisory duties,
• the fine notice does not have to specify a natural person responsible for the GDPR violation within the company, and
• the relevant national procedural laws (here: the formal requirements for fine notices under Section 66 (1)(3) OWiG) must be interpreted in light of the legal principles for GDPR fines developed by the ECJ.

Given this legal position, the court concluded that the fine notice issued by the Berlin DPA adequately described the GDPR violation. By taking this view, the court transposed the ECJ’s decision by confirming that companies as legal entities are directly liable for GDPR fines under Art. 83 GDPR, and by expanding the responsibility of companies to all individuals acting for them.

What’s next?

The decision of the Berlin court lowers the thresholds for the formal requirements for GDPR fine notices under German law. This could embolden German data protection authorities in their enforcement practices and thus lead to a higher enforcement risk for companies.

However, the decision does not mark the final answer to other important questions. Following the Higher Regional Court of Berlin’s decision, the Regional Court of Berlin is now tasked with deciding upon the broader question of the legality of the administrative fine. In particular it will have to decide whether the real estate company actually violated the GDPR and – more importantly – whether Section 30 OWiG (and the related Section 130 OWiG) can be interpreted in light of the ECJ’s decision to also allow for so-called “anonymous fines” which do not require the individualization of violations or whether it is inapplicable due to violation of EU law. Further, the question of whether or not the multi-million Euro fine’s height is adequate remains to be answered.

Authored by Henrik Hanssen, Michael Thiesen, Christian Tinnefeld, and Anna Vogel.