A fine of several million Euros was imposed on Deutsche Wohnen for GDPR violations. The Regional Court of Berlin ruled that the penalty notice was ineffective and discontinued the proceedings.

Violations of the European General Data Protection Regulation (GDPR) – are not trivial offenses and can incur severe sanctions. As one of the first fined companies, “Deutsche Wohnen SE” was hit by this at the end of 2019. At that time, the Berlin Commissioner for Data Protection and Freedom of Information imposed a fine of 14.5 million Euros on the real estate company. This was because the company’s archive system stored tenants’ personal data, without any checks as to whether such storage was even permissible. In the opinion of the Berlin Commissioner for Data Protection and Freedom of Information, the company had thus massively violated GDPR.

Here comes the tipping point: the Regional Court of Berlin discontinued the penalty proceedings against Deutsche Wohnen in a ruling dated February 18, 2021 (Ref.: 526 OWi LG) 212 Js-OWi 1/20 (1/20). The court found that the penalty notice was invalid.

Penalty Proceedings Cannot Be R Directly Against Companies

The court’s reasoning packs a punch. Legal persons cannot be party to a penalty proceeding, according to the Regional Court of Berlin. This is also applicable to penalty proceedings for the protection of natural persons in the context of personal data processing in light of GDPR. This is because an administrative offense can only be reprehensibly committed by a natural person, explained the Regional Court of Berlin. Therefore, legal persons, i.e. the company, can only be held responsible for the actions of its board members or representatives.

This means that first of all, those responsible for the company, such as the executive board or managing directors, would have to be determined as personally responsible for the violation. However, such personal responsibility was not determined by the Berlin data protection authority.

The decision is based on the regulatory principles of the German Law on Regulatory Offenses (Ordnungswidrigkeitengesetz, OWiG): Article 30 OWiG only allows penalties for companies if a natural person has violated an obligation.

The court dealt extensively with the question whether GDPR, as an EU directive, could even be restricted by Article 30 OWiG. This was not the case. Above all, this is because Article 41 (1) Federal Data Protection Act specifically prescribes the application of the German OWiG.

The Regional Court of Bonn took a different opinion as recently as November 2020: in its ruling dated November 11, 2020 (29 OWi 1/20), it held that Article 30 OWiG does not apply to the sanctioning of violations of the GDPR.

Prosecutor’s Office Issues Complaint

As expected, the Berlin Commissioner for Data Protection and Freedom of Information did not take long to speak out against the discontinuation of the proceedings. The authority does not consider the decision of the Regional Court of Berlin in accordance with the intentions of the European legislators. According to the authority, the decisive factor is that a violation of data protection law is established, rather than the actions of the responsible natural persons that caused it.

The decision of the Berlin Regional Court is not yet final as the Berlin public prosecutor has issued a complaint. The court of next instance has to decide this now.

It remains to be seen which way the decision will turn in the next instance. However, one consequence of the case is likely to be that in the future, authorities will focus more on the personal misconduct of the responsible persons in a company in data privacy violation cases.