If an entity receives a letter from a German Data Protection Authority (“DPA”) regarding an alleged breach of data protection law, the response should be well coordinated to avoid potential fines and cease-and-desist orders. Rough guidelines for recommended actions are set out below.
Step 1: Amicable solution
In many cases, German DPAs are open to discussions on how the alleged data protection breach can be remedied. The following steps are usually advisable in these negotiations with the DPAs:
- Collection of relevant facts
- If applicable: involvement of internal data protection officer (there is an obligation to implement an internal data protection officer in many cases)
- Draft of response letter to the DPA with relevant facts and short legal examination whether and to what extent the data processing is lawful; potentially proposal of solution to achieve compliance
- Implement final solution
Step 2: Court proceedings
In some cases no amicable solution can be found with the DPA, e.g. because the requirements of the DPA are not regarded as reasonable. In this case, the DPA will likely issue an order against the alleged offender which can then be attacked in legal proceedings. All orders of a DPA can be attacked in court, e.g.:
- Order to alter data processing activities;
- Order to entirely stop data processing activities and/or
- Administrative fines for unlawful behaviour.
During the time of the on-going and usually very lengthy court proceedings the risk of enforcement activities by the DPA is significantly reduced.
2.1 Order to alter data processing activities
The DPA may issue an order which (i) obliges the alleged offender to alter their data processing activities in a way which is deemed lawful by the DPA and (ii) threatens a penalty payment in case the order is not followed. In addition, (iii) the DPA may determine that its order is immediately enforceable. Such an order could be attacked in main and (if the order is immediately enforceable, which will often be the case) interim proceedings as follows:
a) Depending on the competent DPA, administrative objection proceedings may first have to be commenced, in which case court proceedings are only possible against the DPA’s ruling on the objection.
b) Court proceedings first Instance: time frame: 1 to 2 years for main proceedings and 3 to 12 months for interim proceedings
- Writ to lodge claim and interim proceedings must be handed in before the local administrative court within one month of receipt of the order/objection ruling
- Writ to give reasoning must be handed in within an additional month
- Likely additional writs must be handed in and one oral hearing must be attended
c) Court proceedings second Instance: time frame: another 1 to 3 years for main proceedings, 3 to 12 months for interim proceedings
First instance judgements can be appealed by both parties; the procedure is similar to that described under (b).
d) Under limited circumstances: Court proceedings third Instance: time frame: another 1 to 3
A second appeal is possible only in main proceedings and only in limited cases; the procedure is similar to that described under (b).
2.2 Order to stop data processing activities
The DPA could also require that the alleged offender ceases the relevant data processing activities entirely. As a general rule, the order to completely cease data processing activities should only be issued by the DPA as a second step once the order to alter the data processing activities (see 2.1 above) has not been successful. However, in exceptional cases where the DPA deems that changes are unlikely or not possible, it may immediately order cease and desist.
Actions against such an order will be similar to those against the order to alter the data processing activities as set out above under 2.1.
2.3 Monetary fine proceedings
Options 2.1 and 2.2 are directed at changing the alleged offender’s behaviour for the future. In addition to options 2.1 and 2.2, the DPA might also issue a fine for alleged wrongdoings in the past (even though it is rather unlikely that the DPA will start monetary fine proceedings before an order as described under 2.1 or 2.2 above has been issued). Whether it is necessary to attack the fine will depend on the amount of the fine issued. Such a monetary fine order could be attacked as follows:
a) First Instance: time frame: roughly up to 6 months
- Writ to the DPA to require them to review its decision (time frame: 2 weeks)
- Writ to give reasoning why order should be amended (time frame: another 2 to 4 weeks)
- Likely but not in all cases: oral hearing
b) Second Instance: time frame: another 6 to 12 months
- Appeal writ to Court (time frame: 1 week)
- Writ to give reasoning for appeal (time frame: another month)
- Likely but not in all cases: Oral hearing