The long-awaited ECJ judgement in the case of Deutsche Wohnen SE against the Berlin public prosecutor’s office has just been published. The two most important rough findings first
- It is not necessary to attribute the offence to a previously identified natural person in order to impose a fine on a legal entity as the responsible party
- The principle of culpability also applies to offences subject to fines – a fine cannot therefore be imposed without intentional or negligent action/omission
It is not only the German data protection community that has been eagerly awaiting the ECJ‘s decision, which has now been published, since the Berlin Court of Appeal ‘s order for reference of 6 December 2021 (3 Ws 250/21 – 161 AR 84/21)
The reason for this was a dispute between the Berlin public prosecutor’s office and Deutsche Wohnen SE regarding a fine imposed under Art. 83 GDPR. The Berlin Regional Court seised in this matter (18 February 2021, 526 OWi LG 212 JS-Owi 1/20) took the view that Sections 30 and 130 OWiG must be observed and that consequently no fine could be imposed on a company without being able to prove culpable action by a manager (Section 30 OWiG) or negligent failure to take supervisory measures (Section 130 OWiG)
However, following the Opinion of the ECJ Advocate General of 27 April 2023 (C-807/21), it was already foreseeable that the ECJ would not agree with this view
On the first question referred:
“Is Article 83(4) to (6) GDPR to be interpreted as incorporating into national law the functional concept of undertaking and the functional entity principle assigned to Articles 101 and 102 TFEU with the consequence that, by extending the legal entity principle underlying Section 30 OWiG, proceedings for a fine can be brought directly against an undertaking and the fine does not require the establishment of an administrative offence committed by a natural and identified person, possibly in full criminal offence?”
Answer from the ECJ:
Article 58(2)(i) and Article 83(1) to (6) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that they preclude a national provision under which a fine is imposed for an offence referred to in Art. 83 (4) to (6) GDPR can only be imposed on a legal person in its capacity as controller if this infringement was previously attributed to an identified natural person
In short:
National law does not apply to the final provisions on fines from the GDPR. This can be seen as a simplification of the application of the law and, above all, standardisation within Europe. It was also “clarified” that the term “undertaking” within the meaning of Art. 101 and 102 TFEU must be taken as a basis and that the amount of the fine must be calculated on the basis of the actual and material capacity of the economic entity (addressee) (para. 56, 58, 59)
The second question referred:
“Is Article 83(4) to (6) GDPR to be interpreted as meaning that the undertaking must have culpably committed the infringement mediated by an employee [see Article 23 of Regulation (EC) No 1/2003](4), or is an objective breach of duty attributable to it (“strict liability”) already sufficient in principle for the undertaking to be fined?”
Only in the alternative did the Advocate General then address the question of whether a fine may be imposed if an obligation under data protection law has been (objectively) breached, or whether proof of culpable behaviour is also required. As a result, the Advocate General believes that an objective breach of duty is not sufficient and relies heavily on Art. 83 para. 3 GDPR, which stipulates that in cases where a controller or processor “intentionally or negligently” violates several provisions of the GDPR (concurrence of several violations), the amount of the fine shall not exceed the amount for the most serious violation. It follows from this that purely objective infringements are irrelevant for the sanction insofar as they are not taken into account cumulatively with intentional or negligent infringements
Answer of the ECJ:
Article 83 of Regulation 2016/679 must be interpreted as meaning that, according to that provision, a fine may only be imposed if it is established that the controller, which is a legal person and at the same time an undertaking, has committed an infringement referred to in Article 83(4) to (6) GDPR intentionally or negligently
In short:
The (European) culpability principle is observed – the requirements for intent and negligence and their proof vis-à-vis a legal person remain in place
The problem of implementation in Germany remains, as so far only the recourse through the fault of managing persons or their negligence in monitoring according to the OWiG is known, how in concreto the proof of intent/negligence will/must be provided will probably be taken from the Berlin proceedings.