When companies are liable for GDPR violations | EY

Background

When imposing fines for data protection violations (Article 83 GDPR), the provisions of the Administrative Offenses Act (OWiG) generally apply in Germany under Section 41 BDSG. According to Section 30 OWiG, fines can only be imposed on companies if there is a connecting offence committed by a manager (e.g. board member, managing director, authorized signatory). The application of this restrictive “attribution model” to fines under Article 83 GDPR was criticized by the German data protection supervisory authorities from the outset as being contrary to EU law.

14.5 million euro fine as a hook

In 2017, the Berlin data protection supervisory authority imposed the highest GDPR fine in Germany to date on the real estate group Deutsche Wohnen, amounting to 14.5 million euros. The company was accused of storing the personal data of its tenants for an unlawful length of time, of not implementing appropriate measures to delete the data and of not responding to a previous request to remedy these situations. However, the Berlin Regional Court overturned the fine due to serious deficiencies and pointed out in particular that, contrary to the factual requirements of Section 30 OWiG, the explanations regarding attribution, i.e. a (culpable) connecting act by a manager of the company, were missing.

Request for interpretation by the Berlin Higher Regional Court

The Berlin Public Prosecutor’s Office lodged an appeal against this decision. The Berlin Higher Regional Court, which heard the case in the second instance, expressed concerns about the general applicability of Section 30 of the OWiG in this context and asked the ECJ to answer two key questions:

  1. Can a fine procedure under Art. 83 GDPR be conducted directly against a company without the need for a prior determination of an administrative offence committed by a natural and identified person?
  2. Must the company have committed the violation culpably, i.e. intentionally or negligently, or is an objective breach of duty attributable to the company sufficient for the imposition of a fine (“strict liability”)?

The ECJ’s statements

The ECJ’s answers to these two questions are ambivalent:

No connecting act by manager required

The ECJ shares the doubts of the German supervisory authorities and the Berlin Higher Regional Court as to whether the application of Section 30 OWiG to fines imposed on companies for GDPR violations is compatible with Union law. According to the ECJ, the main argument against making companies liable for fines only where a connecting act by (certain) identified natural persons can be established is the need to ensure both uniform implementation of the GDPR and the effectiveness of (deterrent) fines. It would run counter to these purposes and objectives if Member States were permitted to lay down additional substantive (attribution) requirements beyond purely procedural ones.

Fault is a prerequisite, but attribution criteria remain broad

From a company perspective, however, the ECJ’s statements on the question of whether a company’s liability for a fine requires fault or whether an objective GDPR violation is sufficient are somewhat more positive. The Luxembourg judges reject strict liability, which the German supervisory authorities had advocated. Rather, the Court also requires proof that the violation was committed intentionally or negligently by the person responsible. With regard to the requirements for fault, however, the ECJ refers to the generally broad standard of fault (attribution) in Union antitrust law. A negligent violation can therefore be assumed if the person responsible “[…] could not have been unaware of the illegality of his conduct, regardless of whether he was aware that he was violating the provisions of the GDPR […]”. In the event that the data protection controller is a legal person, the ECJ makes it clear that a culpable infringement does not require any action or even knowledge on the part of the management body of that legal person.

Authors: Tobias Schall & Felix Anselm Bohrisch
