Fine Imposed on Deutsche Wohnen – Decision of the ECJ

The ruling of the European Court of Justice (ECJ) in the “Deutsche Wohnen” case was eagerly awaited (judgment of 05.12.2023, C-807/21). However, the verdict was not surprising. In essence, the ECJ followed the Advocate General’s observations.

On the one hand, the ECJ clarified that fines can be imposed on companies without the infringement of the GDPR having to be attributed to a natural person. On the other hand, the ECJ rejected strict liability.

Background

The verdict was preceded by a fine issued by the Berlin data protection authority against the real estate company Deutsche Wohnen SE for alleged violations of the GDPR. The regulator accused the company of unlawfully storing tenants’ personal data for a long time and failing to take measures to delete it. Therefore, in October 2020, the authority issued a fine notice of over 14.5 million euros.

Deutsche Wohnen SE brought an action against the fine before the Berlin Regional Court. In the company’s view, the provisions of the German law on administrative offences apply, so that fines may only be imposed if the company’s management can be proven to have committed reproachable misconduct, § 30 OWiG.

The supervisory authority, on the other hand, took the view that fines can be imposed on companies for breaches of the GDPR directly and regardless of proven fault. Proof of a breach of supervisory duty is not required.

The Berlin Regional Court followed the view of Deutsche Wohnen SE and discontinued the proceedings due to serious deficiencies in the fine notice. The Berlin Public Prosecutor’s Office lodged an appeal against this decision with the Berlin Court of Appeal. As a result, the Court of Appeal referred two questions to the CJEU on the interpretation of Article 83(4) to (6) of the GDPR:

1. The first question referred for a preliminary ruling seeks to ascertain whether a fine for an infringement of the GDPR can be imposed directly on an undertaking without the need to attribute that infringement to a natural and identified person.
2. The second question referred for a preliminary ruling was aimed at whether the infringement of the GDPR must be committed culpably or whether companies are liable in the context of the fine procedure regardless of fault (“strict liability”).

Decision of the ECJ

In its decision, the CJEU clarified that companies are liable not only for breaches committed by their representatives, directors or directors, but also for breaches committed by any other person acting in the course of business activities and on behalf of those legal entities (para. 44). Fines against legal entities pursuant to Art. 83 GDPR can therefore be imposed directly. A different interpretation ‘would weaken the effectiveness and deterrent effect of fines imposed on legal persons as controllers’ (paragraph 51).

In the context of the second question, the ECJ clarified that the GDPR does not provide for “strict liability“. The imposition of a fine presupposes culpable act, that is to say, intentional or negligent conduct on the part of the person responsible (paragraph 68). However, the requirements for this are not very high. In order for the controller to be culpable, it is sufficient if the controller “could not have been unaware of the unlawfulness of his conduct, regardless of whether he was aware that it infringed the provisions of the GDPR” (para. 76). This requires ‘no action or even knowledge on the part of the management body of that legal person’ (paragraph 77).

Result

There was little new in store for the decision. Supervisory authorities must prove that the breach of the GDPR is based on intentional or negligent action. The violation alone is not sufficient. However, the requirements for culpable conduct are not too high. In order to be able to effectively defend oneself from fines, it is therefore all the more important to implement and comply with data protection regulations. In particular, the careful selection of processors as well as the documentation of data processing agreements or agreements on joint responsibilities should be ensured. With regard to the proceedings against Deutsche Wohnen SE, it remains to be seen whether the Berlin Court of Appeal, in accordance with the requirements of the ECJ, will confirm the decision of the Berlin Regional Court or overturn its decision to discontinue the fine proceedings.

By MELCHERS, Germany, a Transatlantic Law International Affiliated Firm.  

For further information or for any assistance please contact germany@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.