• Mehr als 3 Millionen Wörter Inhalt
  • |
  • info@itmedialaw.com
  • |
  • Tel: 03322 5078053
Rechtsanwalt Marian Härtel - ITMediaLaw

No products in the cart.

  • en English
  • de Deutsch
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Kurzberatung
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Rechtsanwalt Marian Härtel - ITMediaLaw

Can a fine for a data protection breach be levied against a corporation?

7. November 2022
in Data protection Law
Reading Time: 7 mins read
0 0
A A
0
security 2168233 1280
Key Facts
  • The Berlin data protection authority has discontinued proceedings against Deutsche Wohnen SE for a fine of EUR 14.5 million.
  • The Berlin Regional Court ruled that legal entities cannot be held directly liable for administrative offenses.
  • Legal issue concerns the GDPR and the application of national regulations regarding fines.
  • Bonn Regional Court considers GDPR to take precedence, while Berlin Regional Court disagrees
  • Comprehensive argumentation on the legal opinion of the legislator and the circumstances of control.
  • If the Court of Appeal confirms the decision of the Regional Court, this could intensify the company audits.
  • Personal liability could increase significantly >for managing directors and data protection officers

The situation

Content Hide
1. The situation
2. The Berlin Regional Court on this
3. Berlin Regional Court contradicts Bonn Regional Court
4. What is the consequence of this legal opinion?
4.1. Author: Marian Härtel

Berlin and data protection are currently not the best of friends, and the Berlin Commissioner for Data Protection and Freedom of Information does not have the best reputation either. Whether rightly or not, I will abstain from giving an opinion for once. Moreover, much of data protection is currently controversial. Nevertheless, there is a possibility that the Kammergericht in Berlin will soon have to rule on a very exciting legal question. Namely, whether in Germany a fine can be levied against a company or whether this can only be the case against a natural person.

What happened?

Criminal Division 26 of the Berlin Regional Court has discontinued fine proceedings against “Deutsche Wohnen SE” in the amount of 14.5 million euros because the fine notice suffers from serious defects. A while after the press release from “Deutsche Wohnen” and the Berlin Regional Court:

“Criminal Chamber 26 of the Berlin Regional Court has discontinued the proceedings because the fine notice was invalid. The Berlin LfDI can lodge an immediate appeal against the decision of the Berlin Regional Court with the Court of Appeal within one week.”

There was speculation as to what might have happened and where the authority might have failed. Now it’s clear, it’s about a hard-hitting legal issue that has been extremely controversial since the GDPR and that many are hardly aware of. Thus, the Berlin Regional Court writes in its decision

The fine notice issued by the Berlin Commissioner for Data Protection and Freedom of Information on October 30, 2019 suffers from such serious deficiencies that it cannot form the basis of the proceedings.

The fine notice was issued against Deutsche Wohne SE, i.e. against a European company, a legal entity under private law with its own legal personality within the meaning of Section 1 (1) AktG in conjunction with Sections 1 et seq. SEAG in conjunction with Article 1 (3) of Council Regulation (EC) No. 2157/2001 of October 8, 2001 on the Statute for a European company. The was treated by BInBDI as an affected party within the meaning of the Code of Administrative Offences. In the penalty notice, she was accused in numerous places of intentionally committing administrative offenses. In the statement of the Berlin Commissioner for Data Protection and Freedom of Information of October 28, 2020 on the grounds for objection by the persons concerned, the authority arguably reiterated that the notice would be directed solely against Deutsche Wohnen SE, represented by its management.

The Berlin Regional Court on this

However, a legal person cannot be a data subject in a fine proceeding, including one under Article 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation or GDPR). This is because only a natural person can commit a misdemeanor. Only the actions of the members of the legal entity’s bodies or representatives (natural persons) can be attributed to the legal entity. It can therefore only be a secondary party in the fine proceedings. The imposition of a fine on them is governed by Section 30 OWiG, which also applies to infringements under Article 83(4) to (6) of the GDPR via Section 41(1) BDSG. According to this provision, a fine may be imposed on the legal entity either in a unified proceeding if fine proceedings are conducted against the legal entity because of the act of the member of the executive body or representative, i.e. the natural person, or in an independent proceeding pursuant to Section 30 (4) OWiG. A prerequisite for this is, of course, that no proceedings are instituted or that such proceedings are discontinued due to the actions of the member of the executive body or representative of the legal entity. However, since the legal entity itself cannot commit an administrative offense, a reproachable administrative offense committed by a member of the legal entity’s governing body must also be established in these so-called independent proceedings.

In its very recent decision (see this blog post), the Regional Court of Bonn took a different view of the matter, arguing that the GDPR takes precedence over national regulations, as otherwise there could be undesirable distortions of competition in the member states of the European Union with regard to the enforcement of European data protection rules. National provisions such as Section 41 (1) of the BDSG in conjunction with Sections 30 and 130 of the OWiG must be interpreted on the basis of the principle of effet utile in such a way that their application cannot lead to enforcement deficits – and where this is not possible, they must not be applied at all.

Berlin Regional Court contradicts Bonn Regional Court

The Berlin Regional Court expressly does NOT wish to endorse this legal opinion.

Pursuant to Article 83 GDPR in conjunction with Article 4 No. 7 and 8 GDPR, fines for violations of the GDPR pursuant to Article 83(4) to (6) GDPR are not only to be imposed on natural persons, but also on legal persons as “controller” within the meaning of Article 4 No. 7 GDPR or “processor” within the meaning of Article 4 No. 8 GDPR. However, the Regulation does not contain more detailed provisions on the criminal liability of legal persons for breaches of the General Data Protection Regulation committed by natural persons attributable to them.

The Regional Court therefore extensively reasoned that a legal person could not be a data subject in a fine proceeding, including one under Article 83 GDPR. A misdemeanor can only be committed by a natural person. The legal entity can only be held responsible for the actions of its members or representatives (natural persons), which is why the legal entity can only be a secondary party in the fine proceedings.

The imposition of a fine on a legal person is governed by Section 30 OWiG, which, according to the District Court, also applies to infringements under Article 83(4) to (6) GDPR via Section 41(1) BDSG.

According to this provision, a fine may be imposed on the legal entity either in a unified proceeding if fine proceedings are conducted against the legal entity because of the act of the member of the executive body or representative, i.e. the natural person, or in an independent proceeding pursuant to Section 30 (4) OWiG. However, the prerequisite for this is that no proceedings are initiated or that such proceedings are discontinued due to the actions of the member of the executive body or representative of the legal entity. However, since the legal entity itself
cannot commit an administrative offense, a reproachable administrative offense by a member of the legal entity’s governing body must also be established in these so-called independent proceedings.

The district court puts forward many arguments in favor of this, including the supposed view of the legislator:

The historical legislator of the Federal Data Protection Act apparently assumed the applicability of Sections 30, 130 OWiG in the event of a violation of the GDPR. This is because while the first draft bill for an act to adapt data protection law to Regulation (EU) 2016/679 and to implement Directive (EU) 2016/680 (Data Protection Adaptation and Implementation Act EU) still expressly provided in Section 39 (1) sentence 2 BDSGRefE for the non-application of Section 30,130 OWiG, this normative command has been deleted in the provision of Section 41 (1) sentence 2 BDSG, which has become law and is otherwise identical in wording, and has not been changed by the last amendment to the Federal Data Protection Act, by the Second Act for the Adaptation of Data Protection Law of 20. November 2019, has been amended. In this context, the legislator was aware of the consequences of its decision at least through the resolution of the 97th Conference of the Independent Data Protection Authorities of the Federation and the Länder of April 3, 2019, which advocates a “clarifying” addition to Section 41 (1) sentence 2 BDSG and the non-application of Sections 30, 130 OWiG.

Moreover, the argumentation shows that the chamber was a large criminal chamber:

Finally, it is also not discernible for the Board that an obligation to adopt the Union law model of association responsibility should arise from the Union law requirement of effectiveness (Art. 197 TFEU). This is because the latter leaves the Member States a margin of discretion in the design of the sanction regime, which must be filled in conformity with the Constitution, in this case in particular in compliance with the principle of culpability.

What is the consequence of this legal opinion?

The question is therefore very exciting and, after the authority has filed an appeal, will now have to be decided by the Superior Court.

But what are the implications of this decision for data protection officers? I don’t think that, as initial voices think, all startup hipster ventures can now celebrate. This is because, in addition to other tax law and labor law aspects of the possible responsibility of managing directors and/or data protection officers, there could be two not-so-exhilarating aspects and one perhaps not-so-bad aspect to consider in the future.

Thus, the district court subliminally criticized the agency as follows:

Moreover, it was merely stated in a general manner that the proof of the commission of an administrative offense was made more difficult by the requirement of proof of an act of an executive body in breach of duty within the meaning of Sections 30, 130 OWiG. However, it has not been shown that this would not be possible for the acting supervisory authorities. In this case, it is particularly surprising that the violations of data protection laws which are the subject matter of the proceedings were already identified by the authority in 2017 – and thus before the entry into force of the GDPR -, that various on-site meetings took place, that information, for example on technical details of data processing, was requested, and that the data subject also provided corresponding information, but that the authority did not conduct sufficient investigations into the internal responsibilities for the violations complained of. In this case, it is likely that disclosure of the organizational structure in the company of the data subjects would already have led to an identification of persons responsible for the data processing operations and thus possibly a breach of supervisory duty could have been demonstrated.

So if the view prevails and Deutsche Wohnen thus gets away without paying a fine, because no new notice can then be issued either, data protection authorities will take a more thorough look at the companies and their decision-making processes. What supposedly sounds good for data protection is likely to be bad for companies, because there are certainly skeletons in the closet everywhere that may now be discovered.

Of course, this makes the audits more costly and then affects fewer companies. However, if one is affected, the effort required to communicate with the authority is likely to be disproportionately higher and more expensive.

In addition, there could be problems for the natural persons or those responsible. Because if a personal accusation is established, the legal entity is liable for the established error of the institution. Depending on the labor law situation, this could lead to a claim for recourse by the company and trigger problems under labor law or tax law.

 

Marian Härtel
Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: Berlin Regional CourtBlogCorporationCourt of AppealCustomizationData protection LawGeneral Data Protection RegulationInformationLabour lawLawsLegal entityLegal questionModelNatural personPrivacyRegulationSanctionSicherheit

Weitere spannende Blogposts

Streamers, marketing agencies and the artists’ social security fund

Streamers, marketing agencies and the artists’ social security fund
7. November 2022

Recently, it has happened more and more that larger streamers but especially marketing agencies, influencer agencies or managers have to...

Read moreDetails

Declaration of revocation without line breaks anti-competitive

Online shops: Attention to advertising with EIA
28. January 2019

It is actually an old hat, but I know that there are repeated warnings because the declaration of withdrawal is...

Read moreDetails

Data protection because of Facebook scraping? Finally at the BGH!

BGH considers Uber Black to be anti-competitive
22. May 2024

The VI. Civil Senate, which is responsible for legal disputes regarding claims arising from the General Data Protection Regulation, will...

Read moreDetails

ECJ rules on the right to be forgotten

Lego brick still protected as a design patent
8. December 2022

Following the Federal Constitutional Court, the ECJ has now also ruled on the right to be forgotten in search engines....

Read moreDetails

Compensation in esport in case of player change?

Compensation in esport in case of player change?
19. December 2019

In the last few months, I have had to deal several times with the question of whether a team/organization is...

Read moreDetails

MiCar is partly there

a0f26104d9663e140f79896d2d5ee77a
4. July 2024

When the Markets in Crypto-Assets Regulation (MiCAR) comes into force on June 30, 2024, a new era for stablecoins in...

Read moreDetails

Copyright in the digital world: What’s next for AI image generators?

Copyright in the digital world: What’s next for AI image generators?
17. January 2023

Introduction The use of AI image generators has become an increasingly important factor in copyright law in recent years. This...

Read moreDetails

Unauthorized discarding of returns soon prohibited?

Unauthorized discarding of returns soon prohibited?
7. November 2022

At the suggestion of Federal Environment Minister Svenja Schulze, the Federal Cabinet today launched the draft bill to amend the...

Read moreDetails

What must be included in a marketing contract for influencers?

cropped 512x512 1
17. May 2024

Here on the blog, I have already provided many tips and advice on drafting contracts in influencer marketing. Today I...

Read moreDetails
VSOP program

VSOP program

26. June 2023

Virtual Stock Ownership Plan (VSOP) is a term that is increasingly heard in the corporate world, especially in startups and...

Read moreDetails
Greenwashing: what it is and why it might violate competition law

Greenwashing

29. March 2025
LG Munich: Focus doctors seal is misleading

Federal constitutional court

25. June 2023
Software maintenance contract

Software maintenance contract

16. October 2024
legal framework for crowd sensing projects data protection and remuneration models for participatory sensor networks

Termination

24. June 2023

Podcast Folgen

da884f9e2769f2f96d6b74255be62c27

The role of the IT lawyer

5. September 2024

In this exciting podcast episode, we delve into the fascinating world of IT start-ups and find out why an experienced...

d00527fd01b1f807a4f80c0f202069e7

Legal basics for startup founders – how to start on the safe side!

9. November 2024

In this episode of the Itmedialaw podcast, lawyer and entrepreneur Marian Härtel takes you on a journey through the legal...

4f3597d5481e0f38e37bf80eaad208c7

The IT Media Law Podcast. Episode No. 1: What is this actually about?

26. August 2024

Yeah, the first real episode with myself! In this podcast, we dive into the exciting world of IT law and...

092def0649c76ad70f0883df970929cb

Influencers and gaming: legal challenges in the digital entertainment world

26. September 2024

In this captivating episode, lawyer Marian Härtel takes listeners on an exciting journey through the dynamic world of influencers and...

  • Privacy policy
  • Imprint
  • Contact
  • About lawyer Marian Härtel
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
  • en English
  • de Deutsch
Kostenlose Kurzberatung