Can a fine for a data protection breach be levied against a corporation?

The situation

Berlin and data protection are currently not the best of friends, and the Berlin Commissioner for Data Protection and Freedom of Information does not have the best reputation either. Whether rightly or not, I will abstain from giving an opinion for once. Moreover, much of data protection is currently controversial. Nevertheless, there is a possibility that the Kammergericht in Berlin will soon have to rule on a very exciting legal question. Namely, whether in Germany a fine can be levied against a company or whether this can only be the case against a natural person.

What happened?

Criminal Division 26 of the Berlin Regional Court has discontinued fine proceedings against “Deutsche Wohnen SE” in the amount of 14.5 million euros because the fine notice suffers from serious defects. A while after the press release from “Deutsche Wohnen” and the Berlin Regional Court:

“Criminal Chamber 26 of the Berlin Regional Court has discontinued the proceedings because the fine notice was invalid. The Berlin LfDI can lodge an immediate appeal against the decision of the Berlin Regional Court with the Court of Appeal within one week.”

There was speculation as to what might have happened and where the authority might have failed. Now it’s clear, it’s about a hard-hitting legal issue that has been extremely controversial since the GDPR and that many are hardly aware of. Thus, the Berlin Regional Court writes in its decision

The fine notice issued by the Berlin Commissioner for Data Protection and Freedom of Information on October 30, 2019 suffers from such serious deficiencies that it cannot form the basis of the proceedings.

The fine notice was issued against Deutsche Wohne SE, i.e. against a European company, a legal entity under private law with its own legal personality within the meaning of Section 1 (1) AktG in conjunction with Sections 1 et seq. SEAG in conjunction with Article 1 (3) of Council Regulation (EC) No. 2157/2001 of October 8, 2001 on the Statute for a European company. The was treated by BInBDI as an affected party within the meaning of the Code of Administrative Offences. In the penalty notice, she was accused in numerous places of intentionally committing administrative offenses. In the statement of the Berlin Commissioner for Data Protection and Freedom of Information of October 28, 2020 on the grounds for objection by the persons concerned, the authority arguably reiterated that the notice would be directed solely against Deutsche Wohnen SE, represented by its management.

The Berlin Regional Court on this

However, a legal person cannot be a data subject in a fine proceeding, including one under Article 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation or GDPR). This is because only a natural person can commit a misdemeanor. Only the actions of the members of the legal entity’s bodies or representatives (natural persons) can be attributed to the legal entity. It can therefore only be a secondary party in the fine proceedings. The imposition of a fine on them is governed by Section 30 OWiG, which also applies to infringements under Article 83(4) to (6) of the GDPR via Section 41(1) BDSG. According to this provision, a fine may be imposed on the legal entity either in a unified proceeding if fine proceedings are conducted against the legal entity because of the act of the member of the executive body or representative, i.e. the natural person, or in an independent proceeding pursuant to Section 30 (4) OWiG. A prerequisite for this is, of course, that no proceedings are instituted or that such proceedings are discontinued due to the actions of the member of the executive body or representative of the legal entity. However, since the legal entity itself cannot commit an administrative offense, a reproachable administrative offense committed by a member of the legal entity’s governing body must also be established in these so-called independent proceedings.

In its very recent decision (see this blog post), the Regional Court of Bonn took a different view of the matter, arguing that the GDPR takes precedence over national regulations, as otherwise there could be undesirable distortions of competition in the member states of the European Union with regard to the enforcement of European data protection rules. National provisions such as Section 41 (1) of the BDSG in conjunction with Sections 30 and 130 of the OWiG must be interpreted on the basis of the principle of effet utile in such a way that their application cannot lead to enforcement deficits – and where this is not possible, they must not be applied at all.

Berlin Regional Court contradicts Bonn Regional Court

The Berlin Regional Court expressly does NOT wish to endorse this legal opinion.

Pursuant to Article 83 GDPR in conjunction with Article 4 No. 7 and 8 GDPR, fines for violations of the GDPR pursuant to Article 83(4) to (6) GDPR are not only to be imposed on natural persons, but also on legal persons as “controller” within the meaning of Article 4 No. 7 GDPR or “processor” within the meaning of Article 4 No. 8 GDPR. However, the Regulation does not contain more detailed provisions on the criminal liability of legal persons for breaches of the General Data Protection Regulation committed by natural persons attributable to them.

The Regional Court therefore extensively reasoned that a legal person could not be a data subject in a fine proceeding, including one under Article 83 GDPR. A misdemeanor can only be committed by a natural person. The legal entity can only be held responsible for the actions of its members or representatives (natural persons), which is why the legal entity can only be a secondary party in the fine proceedings.

The imposition of a fine on a legal person is governed by Section 30 OWiG, which, according to the District Court, also applies to infringements under Article 83(4) to (6) GDPR via Section 41(1) BDSG.

According to this provision, a fine may be imposed on the legal entity either in a unified proceeding if fine proceedings are conducted against the legal entity because of the act of the member of the executive body or representative, i.e. the natural person, or in an independent proceeding pursuant to Section 30 (4) OWiG. However, the prerequisite for this is that no proceedings are initiated or that such proceedings are discontinued due to the actions of the member of the executive body or representative of the legal entity. However, since the legal entity itself
cannot commit an administrative offense, a reproachable administrative offense by a member of the legal entity’s governing body must also be established in these so-called independent proceedings.

The district court puts forward many arguments in favor of this, including the supposed view of the legislator:

The historical legislator of the Federal Data Protection Act apparently assumed the applicability of Sections 30, 130 OWiG in the event of a violation of the GDPR. This is because while the first draft bill for an act to adapt data protection law to Regulation (EU) 2016/679 and to implement Directive (EU) 2016/680 (Data Protection Adaptation and Implementation Act EU) still expressly provided in Section 39 (1) sentence 2 BDSGRefE for the non-application of Section 30,130 OWiG, this normative command has been deleted in the provision of Section 41 (1) sentence 2 BDSG, which has become law and is otherwise identical in wording, and has not been changed by the last amendment to the Federal Data Protection Act, by the Second Act for the Adaptation of Data Protection Law of 20. November 2019, has been amended. In this context, the legislator was aware of the consequences of its decision at least through the resolution of the 97th Conference of the Independent Data Protection Authorities of the Federation and the Länder of April 3, 2019, which advocates a “clarifying” addition to Section 41 (1) sentence 2 BDSG and the non-application of Sections 30, 130 OWiG.

Moreover, the argumentation shows that the chamber was a large criminal chamber:

Finally, it is also not discernible for the Board that an obligation to adopt the Union law model of association responsibility should arise from the Union law requirement of effectiveness (Art. 197 TFEU). This is because the latter leaves the Member States a margin of discretion in the design of the sanction regime, which must be filled in conformity with the Constitution, in this case in particular in compliance with the principle of culpability.

What is the consequence of this legal opinion?

The question is therefore very exciting and, after the authority has filed an appeal, will now have to be decided by the Superior Court.

But what are the implications of this decision for data protection officers? I don’t think that, as initial voices think, all startup hipster ventures can now celebrate. This is because, in addition to other tax law and labor law aspects of the possible responsibility of managing directors and/or data protection officers, there could be two not-so-exhilarating aspects and one perhaps not-so-bad aspect to consider in the future.

Thus, the district court subliminally criticized the agency as follows:

Moreover, it was merely stated in a general manner that the proof of the commission of an administrative offense was made more difficult by the requirement of proof of an act of an executive body in breach of duty within the meaning of Sections 30, 130 OWiG. However, it has not been shown that this would not be possible for the acting supervisory authorities. In this case, it is particularly surprising that the violations of data protection laws which are the subject matter of the proceedings were already identified by the authority in 2017 – and thus before the entry into force of the GDPR -, that various on-site meetings took place, that information, for example on technical details of data processing, was requested, and that the data subject also provided corresponding information, but that the authority did not conduct sufficient investigations into the internal responsibilities for the violations complained of. In this case, it is likely that disclosure of the organizational structure in the company of the data subjects would already have led to an identification of persons responsible for the data processing operations and thus possibly a breach of supervisory duty could have been demonstrated.

In addition, there could be problems for the natural persons or those responsible. Because if a personal accusation is established, the legal entity is liable for the established error of the institution. Depending on the labor law situation, this could lead to a claim for recourse by the company and trigger problems under labor law or tax law.