The Berlin Court of Appeal recently asked the European Court of Justice whether, under the EU General Data Protection Regulation (GDPR) regime, an undertaking may be directly and solely prosecuted and fined, irrespective of regulatory requirements under the German law on administrative offences.
A real estate group company from Berlin holds over 100,000 residential units and approximately 3,000 commercial units. The management of these units is carried out by internal service companies. In the course of its business, the company and the group companies process personal data of tenants.(1)
In 2017, the Berlin Commissioner for Data Protection pointed out that the personal data of tenants was stored in an insufficient electronic archiving system; it was unclear whether data that was no longer required would be deleted. The company was requested to take action, but it did not, stating that deletion was not possible for technical and legal reasons. After an audit in 2020, the authorities imposed fines under the German law on administrative offences. The real estate company was accused, among other things, of having wilfully failed to take the necessary measures in 2018 and 2019 to ensure that the regular deletion of tenant data that was no longer required.
Upon the company's objection, the Berlin Court of Appeal ceased the proceedings. The Court ruled that a legal person, such as the real estate company, could not solely be subject to proceedings and fines, even in light of article 83 of the EU GDPR. Such proceedings must be directed against a natural person as the perpetrator. The liability of the company always derives from the actions or omissions of its managers under the German law on administrative offences. The public prosecutor appealed.
The Higher Regional Court in Berlin suspended the court proceedings and referred two questions on the interpretation of article 83 of the EU GDPR to the European Court of Justice for a preliminary ruling as per article 267 (3) of the Treaty on the Functioning of the European Union (TFEU).
In particular, the Berlin Court of Appeal asked the following – simplified – questions:
- Must article 83 (4) to (6) of the EU GDPR be interpreted in line with articles 101 and 102 of the TFEU with the result that proceedings for a fine may be brought directly against an undertaking and the fine does not require an administrative offence committed by a natural person, possibly in a fully criminal manner?
- If the answer to the first question is in the affirmative, must article 83 (4) to (6) of the EU GDPR be interpreted to mean that the undertaking must be culpably responsible for the violation committed by an employee, or is there strict liability that must merely be attributable to the undertaking?
The Berlin Court of Appeal has not revealed its position, but it extensively refers to the opposing views on the issue. Reading between the lines, the Court seems to be in favour of an interpretation disregarding the requirements under the German law on administrative offences. Considering the importance of the effet-utile principle for the European Court of Justice, it is likely that this will be the outcome. Its findings will, in any event, be closely watched by all EU member states, as the underlying general issue is the interplay between domestic law and the GDPR in respect of penalties.
For further information on this topic please contact Jörg Noltin at Arnecke Sibeth Dabelstein by telephone (+49 40 31 779 70) or email ([email protected]). The Arnecke Sibeth Dabelstein website can be accessed at www.asd-law.com.
(1) The file number of the Berlin Court of Appeal is 3 Ws 250/21.