Who is liable for what and when?
The preliminary ruling procedure was triggered by a referral from the Berlin Court of Appeal (Kammergericht - KG), which had to rule on a challenge by Deutsche Wohnen SE to a fine imposed on it by the Berlin data protection supervisory authority. During an on-site inspection, the supervisory authority had found that personal data of tenants was held in an electronic archive system that offered no way to determine whether the storage was still necessary at all, and no way to delete data that was no longer required. The authority treated this as a breach of the principles of data minimisation and storage limitation under the General Data Protection Regulation (GDPR) and imposed a fine of €14.5 million.
Court refers two questions to the ECJ for a preliminary ruling
First, it had to be clarified whether a fine can be imposed on a company under the GDPR without the infringement first being attributed to an identifiable natural person, i.e. a specific employee of Deutsche Wohnen.
If that first question was answered in the affirmative, the second question was whether the company must itself have committed the breach culpably, acting through an employee, or whether an objective breach of duty is sufficient ("strict liability", i.e. liability regardless of fault). The KG pointed out that a culpable breach of the GDPR is often difficult to prove.
Judgment of the ECJ
On the first question, the ECJ held that a fine under the GDPR can be imposed on whoever is the controller within the meaning of the regulation. The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. What matters is therefore solely whether the company determines the purposes and means of the processing; it is not necessary for the infringement to be attributed to a specific employee before the company can be held liable.
The difficulty is that the German provisions on fines in the Administrative Offences Act (OWiG) do require attribution to a specific natural person, unlike the European regulation. As a European regulation, the GDPR applies directly in all member states and takes precedence over national law, and it does not leave national legislators any discretion to impose stricter conditions for fines than those laid down in the regulation itself. Following the ECJ's ruling, the German provisions must be interpreted by the courts in conformity with EU law, and the national legislator will have to bring the German law on fines into line with this case law.
On the second question, the ECJ referred to the general liability principles of the GDPR. According to these, a fine may only be imposed on a controller for an infringement committed culpably, i.e. intentionally or negligently. This reading is confirmed by the rest of the GDPR's system of sanctions: in addition to or instead of fines, supervisory authorities can impose other measures such as warnings, reprimands or orders, which remain available where culpable infringement cannot be established in an individual case or where there are problems of proof. Although fines are an effective means of enforcing the GDPR, the European legislator has not provided for strict liability.
However, the ECJ left open when a company is itself at fault for an infringement committed by an employee. The KG will have to answer this question in the further proceedings. It will probably examine whether the management of Deutsche Wohnen SE can be accused of organisational fault, which could be the case if the company had not established a functioning compliance or data protection management system. The ECJ did state that it is not necessary for the management to have known of the specific infringement by the employee, let alone to have committed the infringement itself.
Significance for practice
Overall, the ECJ's judgment brings more clarity to the imposition of fines on companies under the GDPR. Compared with other jurisdictions, it was previously harder for German supervisory authorities to take action against companies under German fine law where an infringement could not be attributed to a specific employee. That hurdle has now been removed.
On the other hand, the ECJ has strengthened the position of companies in that an infringement by an employee can only be held against the company if the company itself acted culpably. A company that ensures its data protection management functions properly therefore has a strong defence against fines for individual breaches that are not attributable to a systematic failure.
It is therefore strongly recommended that data protection, like other compliance areas, is covered by the company's compliance management system (CMS) with appropriate policies, assigned responsibilities, training, documentation and controls; every company should have such a system. The Deutsche Wohnen case shows what those controls must reach down to: the finding was an archive system in which nobody could tell whether data still needed to be kept and in which data could not be deleted, so defined retention periods and a working technical deletion function are part of the controls, not an afterthought.