January 05, 2024

GDPR fines: According to the ECJ, culpability is required

Who is liable for what and when?

The preliminary ruling procedure was preceded by a referral from the Court of Appeal (Kammergericht - KG) in Berlin. It had to rule on an action brought by Deutsche Wohnen SE against a fine imposed by the Berlin public prosecutor's office. During an on-site inspection, the competent data protection supervisory authority found that personal data of tenants was stored in an electronic archive system where it was not possible to determine whether the storage was necessary at all or whether data that was no longer required was deleted. This approach constitutes a breach of the principles of data minimisation and storage limitation under the General Data Protection Regulation (GDPR), which the supervisory authority fined a staggering €14.5 million.

Court refers two questions to the ECJ for a preliminary ruling

Firstly, it had to be clarified whether a fine can be imposed on a company under the GDPR without the infringement first being attributed to an identifiable natural person - i.e. a specific employee of Deutsche Wohnen.

If the first question was answered in the affirmative, the subsequent question arose as to whether the company must have culpably committed the breach mediated by an employee or whether an objective breach of duty ("strict liability") - i.e. liability regardless of fault - is sufficient. According to the KG, the problem is that a culpable breach of the GDPR is often difficult to prove.

Opinion of the ECJ

The ECJ answered the first question by stating that under the GDPR, the person who is the controller within the meaning of the regulation is generally liable. The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. It therefore depends solely on whether the company determines the purposes and means of the processing. It is therefore not necessary for the company's liability to be attributed to a specific employee. The problem here is that the German provisions on fines from the German Administrative Offences Act (OWiG) require an attribution to a specific person, in contrast to the European regulation. As a European regulation, the GDPR applies directly in all member states and takes precedence over national laws. The regulation does not offer national legislators any discretionary powers to reduce the conditions for imposing fines. Following the ECJ's ruling, the German regulation must now be interpreted by the courts in accordance with European law and national legislators are required to adapt the German law on fines to the new case law.

For the second question, the ECJ referred to the general liability principles of the GDPR. According to this, the controller must commit an infringement culpably - i.e. intentionally or negligently - in order for a fine to be imposed on them. This view is also confirmed by the rest of the GDPR's system of sanctions. In addition to or instead of fines, the supervisory authorities have the option of imposing further sanctions in the form of warnings, cautions or instructions if there is a lack of culpable infringement in individual cases or if there are problems with evidence. Even if fines are an effective means of effectively enforcing the provisions of the GDPR, the European legislator has not provided for strict liability.

However, the ECJ left open the question of when a company is at fault in the event of an infringement by an employee. The KG will have to answer this question itself in the further proceedings. It will probably examine whether the management level of Deutsche Wohnen SE can be accused of organisational fault. This could be the case if the company has not established a functioning compliance or data protection management system. In any case, the ECJ still stated that the management level does not have to have knowledge of the specific act of infringement by the employee or even have committed an act of infringement itself.

Significance for practice

Overall, the ECJ's judgement has provided more clarity when imposing fines on companies under the GDPR. In an international comparison, it was previously more difficult for German supervisory authorities to take action against companies under German fine law if an infringement could not be attributed to a specific employee. This hurdle has now been removed.

On the other hand, the ECJ has strengthened companies to the extent that they can only be accused of an infringement by an employee if the company acted culpably. Therefore, if companies generally ensure that their data protection management functions properly, they should be immune to fines for individual data protection breaches that are not attributable to a systematic failure. 
It is therefore strongly recommended that areas such as data protection are also provided with appropriate guidelines, responsibilities, training, documentation, controls, etc. within a compliance management system (CMS) - which every company should have.

Back
To the profile of Christian Lenz

Christian Lenz

Lawyer / Specialist lawyer for tax law / Specialist lawyer for information technology law

To the profile of Christian Lenz

To the profile of René Manz

René Manz

IT-Consultant

To the profile of René Manz

By uploading the YouTube video, you consent to cookies being set by YouTube and Google and to data being transferred to these providers. We process the data in order to be able to analyse access to our YouTube videos or to evaluate the effectiveness of our advertising and ads. YouTube and Google also process the data for their own purposes. In addition, you also agree that your data may be transferred to the USA, although there is a risk in the USA that the US authorities may gain access to your data for surveillance purposes and that you may not have adequate legal protection against such. You will find further information in our Data Protection Policy.
Load YouTube Video
Permalink