Please note that all my articles are for informational purposes only and not legal advice. I assume no liability for the content of my articles. The articles may be out of date, the legal situation may have changed, or the specific situation in a case may need to be assessed differently. A binding consultation can only be given by me directly in the individual case. Take advantage of my free brief consultation!
Can a fine for a data protection breach be levied against a corporation?
Berlin and data protection are currently not the best of friends, and the Berlin Commissioner for Data Protection and Freedom of Information does not have the best reputation either. Whether rightly or not, I will abstain from giving an opinion for once. Moreover, much of data protection is currently controversial. Nevertheless, there is a possibility that the Kammergericht in Berlin will soon have to rule on a very exciting legal question. Namely, whether in Germany a fine can be levied against a company or whether this can only be the case against a natural person.
What happened?
Criminal Division 26 of the Berlin Regional Court has discontinued fine proceedings against “Deutsche Wohnen SE” in the amount of 14.5 million euros because the fine notice suffers from serious defects. A while after the press release from “Deutsche Wohnen” and the Berlin Regional Court:
“Criminal Division 26 of the Berlin Regional Court discontinued the proceedings because the penalty notice was invalid. The Berlin LfDI may file an immediate appeal against the order of the Berlin Regional Court with the Court of Appeal within one week.”
there was speculation as to what might have happened and where the authority might have failed. Now it’s clear, it’s about a hard-hitting legal issue that has been extremely controversial since the GDPR and that many are hardly aware of. Thus, the Berlin Regional Court writes in its decision
The fine notice issued by the Berlin Commissioner for Data Protection and Freedom of Information on October 30, 2019 suffers from such serious defects that it cannot form the basis of the proceedings.
The penalty notice was issued against Deutsche Wohne SE, i.e. against a European company, a legal entity under private law with its own legal personality within the meaning of Section 1 (1) AktG in conjunction with Sections 1 et seq. SEAG in conjunction with Article 1 (3) of Council Regulation (EC) No. 2157/2001 of October 8, 2001 on the Statute for a European company. The was treated by BInBDI as an affected party within the meaning of the Code of Administrative Offences. In the penalty notice, she was accused in numerous places of intentionally committing administrative offenses. In the statement of the Berlin Commissioner for Data Protection and Freedom of Information of October 28, 2020 on the grounds for objection by the persons concerned, the authority arguably reiterated that the notice would be directed solely against Deutsche Wohnen SE, represented by its management.
The Berlin Regional Court on this
However, a legal person cannot be a data subject in a fine proceeding, including one under Article 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation or GDPR). This is because only a natural person can commit a misdemeanor. Only the actions of the members of the legal entity’s bodies or representatives (natural persons) can be attributed to the legal entity. It can therefore only be a secondary party in the fine proceedings. The imposition of a fine on them is governed by Section 30 OWiG, which also applies to infringements under Article 83(4) to (6) of the GDPR via Section 41(1) BDSG. According to this provision, a fine may be imposed on the legal entity either in a unified proceeding if fine proceedings are conducted against the legal entity because of the act of the member of the executive body or representative, i.e. the natural person, or in an independent proceeding pursuant to Section 30 (4) OWiG. A prerequisite for this is, of course, that no proceedings are instituted or that such proceedings are discontinued due to the actions of the member of the executive body or representative of the legal entity. However, since the legal entity itself cannot commit an administrative offense, a reproachable administrative offense committed by a member of the legal entity’s governing body must also be established in these so-called independent proceedings.
In its very recent decision (see also this blog post) saw the matter differently and argued that the GDPR takes precedence over national regulations because otherwise there could be undesirable distortions of competition in the member states of the European Union with regard to the enforcement of the data protection rules under European law. National provisions such as Section 41 (1) of the BDSG in conjunction with Sections 30 and 130 of the OWiG must be interpreted on the basis of the principle of effet utile in such a way that their application cannot lead to enforcement deficits – and where this is not possible, they must not be applied at all.
Berlin Regional Court contradicts Bonn Regional Court
The Berlin Regional Court expressly does NOT wish to endorse this legal opinion.
Pursuant to Article 83 GDPR in conjunction with Article 4 No. 7 and 8 GDPR, fines for violations of the GDPR pursuant to Article 83(4) to (6) GDPR are not only to be imposed on natural persons, but also on legal persons as “controller” within the meaning of Article 4 No. 7 GDPR or “processor” within the meaning of Article 4 No. 8 GDPR. However, the Regulation does not contain more detailed provisions on the criminal liability of legal persons for breaches of the General Data Protection Regulation committed by natural persons attributable to them.
The Regional Court therefore extensively reasoned that a legal person could not be a data subject in a fine proceeding, including one under Article 83 GDPR. A misdemeanor can only be committed by a natural person. The legal entity can only be held responsible for the actions of its members or representatives (natural persons), which is why the legal entity can only be a secondary party in the fine proceedings.
The imposition of a fine on a legal person is governed by Section 30 OWiG, which, according to the District Court, also applies to infringements under Article 83(4) to (6) GDPR via Section 41(1) BDSG.
According to this provision, a fine may be imposed on the legal entity either in a unified proceeding if fine proceedings are conducted against the legal entity because of the act of the member of the executive body or representative, i.e. the natural person, or in an independent proceeding pursuant to Section 30 (4) OWiG. However, the prerequisite for this is that no proceedings are initiated or that such proceedings are discontinued due to the actions of the member of the executive body or representative of the legal entity. However, since the legal entity itself would then have to
If the court finds that a member of an executive body of a legal entity cannot commit a misdemeanor, it may also find that the member of the executive body committed a reproachable misdemeanor in these so-called independent proceedings.
The district court puts forward many arguments in favor of this, including the supposed view of the legislator:
The historical legislator of the Federal Data Protection Act apparently assumed the applicability of Sections 30, 130 OWiG in the event of a violation of the GDPR. This is because while the first draft bill for an act to adapt data protection law to Regulation (EU) 2016/679 and to implement Directive (EU) 2016/680 (Data Protection Adaptation and Implementation Act EU) still expressly provided in Section 39 (1) sentence 2 BDSGRefE for the non-application of Section 30,130 OWiG, this normative command has been deleted in the provision of Section 41 (1) sentence 2 BDSG, which has become law and is otherwise identical in wording, and has not been changed by the last amendment to the Federal Data Protection Act, by the Second Act for the Adaptation of Data Protection Law of 20. November 2019, has been amended. In this context, the legislator was aware of the consequences of its decision at least through the resolution of the 97th Conference of the Independent Data Protection Authorities of the Federation and the Länder of April 3, 2019, which advocates a “clarifying” addition to Section 41 (1) sentence 2 BDSG and the non-application of Sections 30, 130 OWiG.
Moreover, the argumentation shows that the chamber was a large criminal chamber:
Finally, it is also not discernible for the Board that an obligation to adopt the Union law model of association responsibility should arise from the Union law requirement of effectiveness (Art. 197 TFEU). This is because the latter leaves the Member States a margin of discretion in the design of the sanction regime, which must be filled in conformity with the Constitution, in this case in particular in compliance with the principle of culpability.
What is the consequence of this legal opinion?
The question is therefore very exciting and, after the authority has filed an appeal, will now have to be decided by the Superior Court.
But what are the implications of this decision for data protection officers? I don’t think that, as initial voices think, all startup hipster ventures can now celebrate. This is because, in addition to other tax law and labor law aspects of the possible responsibility of managing directors and/or data protection officers, there could be two not-so-exhilarating aspects and one perhaps not-so-bad aspect to consider in the future.
Thus, the district court subliminally criticized the agency as follows:
Moreover, it was merely stated in a general manner that the proof of the commission of an administrative offense was made more difficult by the requirement of proof of an act of an executive body in breach of duty within the meaning of Sections 30, 130 OWiG. However, it has not been shown that this would not be possible for the acting supervisory authorities. In this case, it is particularly surprising that the violations of data protection laws which are the subject matter of the proceedings were already identified by the authority in 2017 – and thus before the entry into force of the GDPR -, that various on-site meetings took place, that information, for example on technical details of data processing, was requested, and that the data subject also provided corresponding information, but that the authority did not conduct sufficient investigations into the internal responsibilities for the violations complained of. In this case, it is likely that disclosure of the organizational structure in the company of the data subjects would already have led to an identification of persons responsible for the data processing operations and thus possibly a breach of supervisory duty could have been demonstrated.
So if the view prevails and Deutsche Wohnen thus gets away without paying a fine, because no new notice can then be issued either, data protection authorities will take a more thorough look at the companies and their decision-making processes. What supposedly sounds good for data protection is likely to be bad for companies, because there are certainly skeletons in the closet everywhere that may now be discovered.
Of course, this makes the audits more costly and then affects fewer companies. However, if one is affected, the effort required to communicate with the authority is likely to be disproportionately higher and more expensive.
In addition, there could be problems for the natural persons or those responsible. Because if a personal accusation is established, the legal entity is liable for the established error of the institution. Depending on the labor law situation, this could lead to a claim for recourse by the company and trigger problems under labor law or tax law.
Marian Härtel is a lawyer and entrepreneur specializing in copyright law, competition law and IT/IP law, with a focus on games, esports, media and blockchain.
