GDPR fines: German court specifies requirements for fine notices in light of ECJ case-law – Cyber Tech

Background: The Underlying Proceedings

The decision of the Higher Regional Court of Berlin marks the latest ruling in a dispute over a GDPR fine notice issued by the Berlin Data Protection Commissioner (“Berlin DPA”) against a German real estate company in 2019. In these enforcement proceedings, the first GDPR administrative fine totaling over EUR 14 million in Germany was imposed for alleged GDPR violations for what the authority considered to be the excessive storage and archiving of (current and historic) tenant data. While the first instance court dismissed the fine on formal grounds because the fine notice lacked an individualized description of the GDPR violation and therefore suffered from such “serious deficiencies” that it cannot form the basis of the proceedings, the Berlin court as the second instance court asked the ECJ to clarify the GDPR’s requirements for fines.

Under Art. 83 GDPR, national supervisory authorities are entitled to impose fines against companies of up to EUR 20 million or 4% of an undertaking’s total global annual turnover in the previous financial year (whichever is higher). However, the GDPR does not provide rules for fine proceedings, but refers to other EU law and national laws of the Member States (Art. 83 (8) GDPR) instead. For Germany, the Federal Data Protection Act states that the Administrative Offences Act (Ordnungswidrigkeitengesetz, “OWiG”) shall apply “accordingly” for GDPR fine proceedings.

Against this background, it was highly disputed among German privacy professionals, and in the proceedings at hand, to what extent the requirements for the prosecution of administrative offences and the imposition of administrative fines regulated in the OWiG apply to fines under the GDPR. It was particularly controversial whether fines against a legal person acting as controller require that the violation has been committed by a specific person in a management position (as required under Section 30 (1) OWiG) and whether these violations of individualized persons must be described in the fine notice in accordance with Section 66 (1)(3) OWiG.

Landmark Judgment of the ECJ

Following the reference for a preliminary ruling by the Berlin court, the ECJ issued its landmark judgment of 5 December 2023 clarifying some of the requirements for GDPR fines. The ECJ essentially found that:

  • Legal entities are directly liable for violations committed by any persons acting in the course of their business activities and on behalf of these legal entities – regardless of whether they are persons in a management position (para. 44). The ECJ stated that it is not even necessary for management to have actual knowledge of the violation (para. 77). As a consequence, it is not necessary to identify a specific person who committed the GDPR violation on behalf of the legal entity for the imposition of a fine (para. 60).
  • In addition, the ECJ clarified that the imposition of a GDPR fine requires a culpable breach (intent or negligence). This requirement shall in future be interpreted along the lines of the formula introduced by the ECJ in the antitrust case Schenker & Co. According to this formula, a controller can be liable where the controller “could not be unaware of the infringing nature of its conduct, whether or not it is aware that it is infringing the provisions of the GDPR” (para. 76).

Key Findings of the Higher Regional Court of Berlin

Following the ECJ’s decision, the Higher Regional Court of Berlin resumed proceedings regarding the lawfulness of the administrative fine imposed by the Berlin DPA. Based on the grounds for the rejection of the fine by the first instance, the Berlin court was only tasked to decide whether the fine notice met the formal requirements of the OWiG. The court took into account the ECJ’s judgment and found that

  • fines provided for in Art. 83 GDPR can be imposed directly on legal persons if they qualify as data controllers,
  • the liability of a company for GDPR infringements requires neither the fault of a representative nor a breach of supervisory duties,
  • the fine notice does not have to specify a natural person responsible for the GDPR violation within the company, and
  • the relevant national procedural laws (here: the formal requirements for fine notices under Section 66 (1)(3) OWiG) must be interpreted in light of the legal principles for GDPR fines developed by the ECJ.

Given this legal position, the court concluded that the fine notice issued by the Berlin DPA adequately described the GDPR violation. By taking this view, the court transposed the ECJ’s decision by confirming that companies as legal entities are directly liable for GDPR fines under Art. 83 GDPR, and by expanding the responsibility of companies to all individuals acting for them.

What’s next?

The decision of the Berlin court lowers the thresholds for the formal requirements for GDPR fine notices under German law. This could embolden German data protection authorities in their enforcement practices and thus lead to a higher enforcement risk for companies.

However, the decision does not mark the final answer to other important questions. Following the Higher Regional Court of Berlin’s decision, the Regional Court of Berlin is now tasked with deciding upon the broader question of the legality of the administrative fine. In particular, it must decide whether the real estate company actually violated the GDPR and – more importantly – whether Section 30 OWiG (and the related Section 130 OWiG) can be interpreted in light of the ECJ’s decision to also allow for so-called “anonymous fines”, which do not require the individualization of violations, or whether it is inapplicable due to violation of EU law. Further, the question of whether or not the amount of the multi-million Euro fine is adequate remains to be answered.

 

Authored by Henrik Hanssen, Michael Thiesen, Christian Tinnefeld, and Anna Vogel.
