• Mehr als 3 Millionen Wörter Inhalt
  • |
  • info@itmedialaw.com
  • |
  • Tel: 03322 5078053
ITMediaLaw - Rechtsanwalt Marian Härtel
Warenkorb
Plugin Install : Cart Icon need WooCommerce plugin to be installed.
  • en English
  • de Deutsch
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Kurzberatung
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
ITMediaLaw - Rechtsanwalt Marian Härtel
Home Data protection Law

Can a fine for a data protection breach be levied against a corporation?

7. November 2022
in Data protection Law
Reading Time: 7 mins read
0 0
A A
0
security 2168233 1280
Key Facts
  • The Berlin data protection authority has discontinued proceedings against Deutsche Wohnen SE for a fine of EUR 14.5 million.
  • The Berlin Regional Court ruled that legal entities cannot be held directly liable for administrative offenses.
  • Legal issue concerns the GDPR and the application of national regulations regarding fines.
  • Bonn Regional Court considers GDPR to take precedence, while Berlin Regional Court disagrees
  • Comprehensive argumentation on the legal opinion of the legislator and the circumstances of control.
  • If the Court of Appeal confirms the decision of the Regional Court, this could intensify the company audits.
  • Personal liability could increase significantly >for managing directors and data protection officers

The situation

Content Hide
1. The situation
2. The Berlin Regional Court on this
3. Berlin Regional Court contradicts Bonn Regional Court
4. What is the consequence of this legal opinion?

Berlin and data protection are currently not the best of friends, and the Berlin Commissioner for Data Protection and Freedom of Information does not have the best reputation either. Whether rightly or not, I will abstain from giving an opinion for once. Moreover, much of data protection is currently controversial. Nevertheless, there is a possibility that the Kammergericht in Berlin will soon have to rule on a very exciting legal question. Namely, whether in Germany a fine can be levied against a company or whether this can only be the case against a natural person.

What happened?

Criminal Division 26 of the Berlin Regional Court has discontinued fine proceedings against “Deutsche Wohnen SE” in the amount of 14.5 million euros because the fine notice suffers from serious defects. A while after the press release from “Deutsche Wohnen” and the Berlin Regional Court:

“Criminal Chamber 26 of the Berlin Regional Court has discontinued the proceedings because the fine notice was invalid. The Berlin LfDI can lodge an immediate appeal against the decision of the Berlin Regional Court with the Court of Appeal within one week.”

There was speculation as to what might have happened and where the authority might have failed. Now it’s clear, it’s about a hard-hitting legal issue that has been extremely controversial since the GDPR and that many are hardly aware of. Thus, the Berlin Regional Court writes in its decision

The fine notice issued by the Berlin Commissioner for Data Protection and Freedom of Information on October 30, 2019 suffers from such serious deficiencies that it cannot form the basis of the proceedings.

The fine notice was issued against Deutsche Wohne SE, i.e. against a European company, a legal entity under private law with its own legal personality within the meaning of Section 1 (1) AktG in conjunction with Sections 1 et seq. SEAG in conjunction with Article 1 (3) of Council Regulation (EC) No. 2157/2001 of October 8, 2001 on the Statute for a European company. The was treated by BInBDI as an affected party within the meaning of the Code of Administrative Offences. In the penalty notice, she was accused in numerous places of intentionally committing administrative offenses. In the statement of the Berlin Commissioner for Data Protection and Freedom of Information of October 28, 2020 on the grounds for objection by the persons concerned, the authority arguably reiterated that the notice would be directed solely against Deutsche Wohnen SE, represented by its management.

The Berlin Regional Court on this

However, a legal person cannot be a data subject in a fine proceeding, including one under Article 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation or GDPR). This is because only a natural person can commit a misdemeanor. Only the actions of the members of the legal entity’s bodies or representatives (natural persons) can be attributed to the legal entity. It can therefore only be a secondary party in the fine proceedings. The imposition of a fine on them is governed by Section 30 OWiG, which also applies to infringements under Article 83(4) to (6) of the GDPR via Section 41(1) BDSG. According to this provision, a fine may be imposed on the legal entity either in a unified proceeding if fine proceedings are conducted against the legal entity because of the act of the member of the executive body or representative, i.e. the natural person, or in an independent proceeding pursuant to Section 30 (4) OWiG. A prerequisite for this is, of course, that no proceedings are instituted or that such proceedings are discontinued due to the actions of the member of the executive body or representative of the legal entity. However, since the legal entity itself cannot commit an administrative offense, a reproachable administrative offense committed by a member of the legal entity’s governing body must also be established in these so-called independent proceedings.

In its very recent decision (see this blog post), the Regional Court of Bonn took a different view of the matter, arguing that the GDPR takes precedence over national regulations, as otherwise there could be undesirable distortions of competition in the member states of the European Union with regard to the enforcement of European data protection rules. National provisions such as Section 41 (1) of the BDSG in conjunction with Sections 30 and 130 of the OWiG must be interpreted on the basis of the principle of effet utile in such a way that their application cannot lead to enforcement deficits – and where this is not possible, they must not be applied at all.

Berlin Regional Court contradicts Bonn Regional Court

The Berlin Regional Court expressly does NOT wish to endorse this legal opinion.

Pursuant to Article 83 GDPR in conjunction with Article 4 No. 7 and 8 GDPR, fines for violations of the GDPR pursuant to Article 83(4) to (6) GDPR are not only to be imposed on natural persons, but also on legal persons as “controller” within the meaning of Article 4 No. 7 GDPR or “processor” within the meaning of Article 4 No. 8 GDPR. However, the Regulation does not contain more detailed provisions on the criminal liability of legal persons for breaches of the General Data Protection Regulation committed by natural persons attributable to them.

The Regional Court therefore extensively reasoned that a legal person could not be a data subject in a fine proceeding, including one under Article 83 GDPR. A misdemeanor can only be committed by a natural person. The legal entity can only be held responsible for the actions of its members or representatives (natural persons), which is why the legal entity can only be a secondary party in the fine proceedings.

The imposition of a fine on a legal person is governed by Section 30 OWiG, which, according to the District Court, also applies to infringements under Article 83(4) to (6) GDPR via Section 41(1) BDSG.

According to this provision, a fine may be imposed on the legal entity either in a unified proceeding if fine proceedings are conducted against the legal entity because of the act of the member of the executive body or representative, i.e. the natural person, or in an independent proceeding pursuant to Section 30 (4) OWiG. However, the prerequisite for this is that no proceedings are initiated or that such proceedings are discontinued due to the actions of the member of the executive body or representative of the legal entity. However, since the legal entity itself
cannot commit an administrative offense, a reproachable administrative offense by a member of the legal entity’s governing body must also be established in these so-called independent proceedings.

The district court puts forward many arguments in favor of this, including the supposed view of the legislator:

The historical legislator of the Federal Data Protection Act apparently assumed the applicability of Sections 30, 130 OWiG in the event of a violation of the GDPR. This is because while the first draft bill for an act to adapt data protection law to Regulation (EU) 2016/679 and to implement Directive (EU) 2016/680 (Data Protection Adaptation and Implementation Act EU) still expressly provided in Section 39 (1) sentence 2 BDSGRefE for the non-application of Section 30,130 OWiG, this normative command has been deleted in the provision of Section 41 (1) sentence 2 BDSG, which has become law and is otherwise identical in wording, and has not been changed by the last amendment to the Federal Data Protection Act, by the Second Act for the Adaptation of Data Protection Law of 20. November 2019, has been amended. In this context, the legislator was aware of the consequences of its decision at least through the resolution of the 97th Conference of the Independent Data Protection Authorities of the Federation and the Länder of April 3, 2019, which advocates a “clarifying” addition to Section 41 (1) sentence 2 BDSG and the non-application of Sections 30, 130 OWiG.

Moreover, the argumentation shows that the chamber was a large criminal chamber:

Finally, it is also not discernible for the Board that an obligation to adopt the Union law model of association responsibility should arise from the Union law requirement of effectiveness (Art. 197 TFEU). This is because the latter leaves the Member States a margin of discretion in the design of the sanction regime, which must be filled in conformity with the Constitution, in this case in particular in compliance with the principle of culpability.

What is the consequence of this legal opinion?

The question is therefore very exciting and, after the authority has filed an appeal, will now have to be decided by the Superior Court.

But what are the implications of this decision for data protection officers? I don’t think that, as initial voices think, all startup hipster ventures can now celebrate. This is because, in addition to other tax law and labor law aspects of the possible responsibility of managing directors and/or data protection officers, there could be two not-so-exhilarating aspects and one perhaps not-so-bad aspect to consider in the future.

Thus, the district court subliminally criticized the agency as follows:

Moreover, it was merely stated in a general manner that the proof of the commission of an administrative offense was made more difficult by the requirement of proof of an act of an executive body in breach of duty within the meaning of Sections 30, 130 OWiG. However, it has not been shown that this would not be possible for the acting supervisory authorities. In this case, it is particularly surprising that the violations of data protection laws which are the subject matter of the proceedings were already identified by the authority in 2017 – and thus before the entry into force of the GDPR -, that various on-site meetings took place, that information, for example on technical details of data processing, was requested, and that the data subject also provided corresponding information, but that the authority did not conduct sufficient investigations into the internal responsibilities for the violations complained of. In this case, it is likely that disclosure of the organizational structure in the company of the data subjects would already have led to an identification of persons responsible for the data processing operations and thus possibly a breach of supervisory duty could have been demonstrated.

So if the view prevails and Deutsche Wohnen thus gets away without paying a fine, because no new notice can then be issued either, data protection authorities will take a more thorough look at the companies and their decision-making processes. What supposedly sounds good for data protection is likely to be bad for companies, because there are certainly skeletons in the closet everywhere that may now be discovered.

Of course, this makes the audits more costly and then affects fewer companies. However, if one is affected, the effort required to communicate with the authority is likely to be disproportionately higher and more expensive.

In addition, there could be problems for the natural persons or those responsible. Because if a personal accusation is established, the legal entity is liable for the established error of the institution. Depending on the labor law situation, this could lead to a claim for recourse by the company and trigger problems under labor law or tax law.

 

Tags: Berlin Regional CourtBlogCorporationCourt of AppealCustomizationData protection LawGeneral Data Protection RegulationInformationLabour lawLawsLegal entityLegal questionModelNatural personPrivacyRegulationSanctionSicherheit

Weitere spannende Blogposts

GAME e.V: Focus on the Esports Industry

GAME e.V: Focus on the Esports Industry
7. November 2022

Based on the selection of legal news here on the blog, it should be apparent that I represent many, many...

Read moreDetails

Regulation of DLT – a brief overview

Regulation of DLT – a brief overview
2. December 2022

Regulation of DLT (distributed ledger technology) is a hot topic in the crypto world. Many executives and decision makers are...

Read moreDetails

When can I use the Ecotest label?

International trademark application at WIPO
9. July 2019

The I. Civil Senate of the Federal Court of Justice, which is responsible for trademark law, has to decide in...

Read moreDetails

Gamertag/Nickname “stolen”, what can be done?

Gamertag/Nickname “stolen”, what can be done?
15. October 2019

The problem with stolen gamertags In recent months, more and more clients, especially well-known streamers, have approached me because their...

Read moreDetails

Right of withdrawal for sales of blockchain content

Right of withdrawal for sales of blockchain content
22. December 2022

Content from blockchain providers in particular, be it coins of various kinds, utility tokens, security tokens or NFTs, is generally...

Read moreDetails

GDPR and Pseudonymization: A Surprising Ruling by the ECJ

District Court Frankfurt a.M. on the right to be forgotten
5. June 2023

Introduction The application of the General Data Protection Regulation (GDPR) to pseudonymized data is a controversial topic that generates much...

Read moreDetails

Attention: Homepage 2.0

Some news about ITMediaLaw.com
7. November 2022

I'm currently working on a lot of background work for an update to the site, which will be joined in...

Read moreDetails

Blockchain and smart contracts

Blockchain and smart contracts
10. October 2024

Blockchain technology and smart contracts have the potential to revolutionize numerous industries and enable new business models. These technologies offer...

Read moreDetails

Draft bill on the FinmadiG

Draft bill on the FinmadiG
10. January 2024

The Financial Market Digitization Act (FinmadiG) marks a turning point in the regulation of digital financial markets in Germany. It...

Read moreDetails
Key Learnings from my presentation: Navigating the Complex World of AI and Law

Service Information Obligations Ordinance (DL-InfoV)

10. November 2024

Legal definition and context of origin The Service Information Obligations Ordinance (DL-InfoV) is a federal ordinance with a complex history....

Read moreDetails
Airdrop

Airdrop

30. June 2023
Crypto-Asset Reporting Framework (CARF)

What is Proof of Stake Off-Chain (POSOF)?

9. February 2025
Bridge Financing

Bridge Financing

16. October 2024
Phantom Shares

Phantom Shares

26. June 2023

Podcast Folgen

d5e1e6cad87cb839a9e23af79034bd94

AI in the legal system: Towards a digital future of justice

16. October 2024

In this fascinating podcast episode, we take a deep dive into the world of artificial intelligence (AI) and its impact...

43a60cb39d7ea477ac8f3845c1b7739c

Legal advice for start-ups – investments that pay off

8. December 2024

This episode of the ITmedialaw.com podcast is all about the importance of legal advice for startups. Host Marian Härtel talks...

092def0649c76ad70f0883df970929cb

Influencers and gaming: legal challenges in the digital entertainment world

26. September 2024

In this captivating episode, lawyer Marian Härtel takes listeners on an exciting journey through the dynamic world of influencers and...

9e9bbb286e0d24cb5ca04eccc9b0c902

Legal challenges of innovative business models

1. October 2024

In this captivating podcast episode, I dive deep into the world of legal challenges associated with innovative business models as...

  • Privacy policy
  • Imprint
  • Contact
  • About lawyer Marian Härtel
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
  • en English
  • de Deutsch
Kostenlose Kurzberatung