Landmark data protection ruling issued

The ruling not only affects organizations operating in the EU, but also those with EU subsidiaries and are processing personal data on EU citizens, or providing goods and services within the EU.  

Case timeline

• In 2019, Deutsche Wohnen was fined €14.5 million by the Berlin Data Protection Commissioner. During an on-site inspection, the responsible data protection supervisory authority found that personal data of tenants was being stored in an electronic archive system for longer than necessary. This breaches the data minimization and storage limitation principles set out by the General Data Protection Regulation (GDPR).
• In 2021, this preliminary ruling was overturned by the Court of Appeal (Kammergericht - KG) in Berlin. Under German law, the KG determined that the company could not be held responsible for violating the GDPR unless blame could be apportioned to a specific individual or executive.

Critical questions raised

This landmark case affects interpretation of Article 83 of the GDPR, specifically how administrative fines should be imposed.

In this case, the KG referred two critical questions to the CJEU:

1. Can a fine be imposed on a company under the GDPR without the infringement first being attributed to a specific individual? For example, a specific employee of Deutsche Wohnen.
2. If question 1 was answered affirmative, could this then be interpreted as meaning that either the company had culpably committed the breach mediated by an employee or was the objective breach of duty (“strict liability”) attributed to the company sufficient?

According to the KG, culpable breach of the GDPR is difficult to prove.

CJEU responses

The CJEU answered the first question by stating that, according to the GDPR, the controller within the meaning of the regulation is generally liable. The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. It therefore depends solely on whether the company determines the purposes and means of the processing.

According to European legislation it is therefore not necessary for the company's liability to be attributed to a specific employee. In contrast, the German Administrative Offences Act (OWiG) requires that fines are attributed to a specific person. 

As a European regulation, the GDPR applies directly in all member states and takes precedence over national laws. The regulation does not offer national legislators any discretionary powers to reduce the conditions for imposing fines.

Following the CJEU’s ruling, the German regulation must now be interpreted by the courts in accordance with European law and national legislators are required to adapt the German law on fines to the new case law.

In the second question, the CJEU referred to the general liability principles of the GDPR. This means that the controller must commit an infringement culpably - i.e. intentionally or negligently - in order for a fine to be imposed on them. This view is also confirmed by the rest of the GDPR's system of sanctions.

Instead of, or in addition to fines, if there is a lack of culpable infringement in individual cases, or if there are problems regarding proof, the supervisory authorities can impose further sanctions in the form of warnings, cautions or instructions.

Even if fines are an effective means of enforcing the provisions of the GDPR, the European legislator has not provided for strict liability.

The CJEU ruling also raised the question as to  whether a company is at fault in the event of an intentional or negligent employee infringement. The KG may examine whether Deutsche Wohnen SE at management level can be accused of organisational fault. This could be regarded the case if there is no established compliance or data protection management system. Nevertheless, the CJEU still stated that the management does not need knowledge of the specific act of infringement by the employee or even have committed an act of infringement itself.

Significance for practice

This landmark CJEU ruling generally provides more clarity when imposing GDPR administrative fines on companies. The decision now makes it easier for data protection supervisory authorities in EU member states to sanction legal entities. However, there still remain many contractions, particularly with regards to culpability and the German understanding of principle of fault.

Conversely, the CJEU ruling has strengthened companies to the extent that they can only be accused of an infringement by an employee if the company acted culpably. Therefore, if companies generally ensure that their data protection management functions properly, they should be protected against fines for individual data protection breaches that are not attributable to a systematic failure.

This makes it even more imperative for companies to ensure that their compliance management system includes robust data protection controls, supported by appropriate guidelines, defined responsibilities, training, documentation, etc.

For more guidance on data protection and the implications of this landmark case, please contact Dr Christian Lenz, dhpg, Germany