1. CASE FACT
Deutsche Wohnen SE ("Deutsche Wohnen") is a listed real estate company based in Berlin that indirectly owns approximately 163,000 residential units and 3,000 commercial units. The operational business and management are carried out by subsidiaries. The subsidiaries process personal data relating to tenants, including copies of IDs, bank statements, salary statements, tax, social security and health insurance data.
In 2017, following an on-site inspection of Deutsche Wohnen, the Berlin Data Protection Authority objected to the fact that the group companies were storing tenants' personal data in an electronic archiving system that was no longer required. As a result, the Berlin Data Protection Commissioner ordered Deutsche Wohnen to delete the data from the archive system – but the data was still there until 2020. As a result, the data protection authority fined Deutsche Wohnen more than 14 million euros for intentionally violating the data processing principles of lawfulness, data minimization, and storage limitation.
The Berlin Regional Court discontinued the proceedings due to the lack of a chargeable administrative offense. Since Deutsche Wohnen, as a legal entity, could not have committed an administrative offense itself, an administrative offense committed by a member of the legal entity's executive body must be established. Direct liability of the corporation, i.e., regardless of any fault attributable to a natural person, would contradict the principle of culpability enshrined in German law. The Berlin Public Prosecutor's Office objected to this decision, and the Berlin Court of Appeal requested a preliminary ruling from the CJEU on the interpretation of Article 83(4) to (6) GDPR.
In its previous case law pursuant to Article 30 of the Austrian Data Protection Act, the Austrian Higher Administrative Court also sees the need to determine the constitutive, unlawful and culpable conduct of a natural person in order to impose a fine on a legal person for a violation of the GDPR. Therefore, since the beginning of 2022, all administrative criminal proceedings in Austria regarding GDPR violations by legal persons have been suspended until the CJEU publishes its decision in the Deutsche Wohnen case.
2. OPINION OF THE ADVOCATE GENERAL
According to the opinion of Advocate General Campos Sánchez-Bordona of April 27, 2023, the CJEU has the rare opportunity to rule on the conditions under which an administrative fine may be imposed on a legal person for a violation of the GDPR. In particular, the CJEU must determine whether a penalty can be imposed on a legal person without establishing the liability of a natural person, and whether the infringement must be committed intentionally or negligently, or whether the mere fact of an infringement is sufficient to impose a penalty.
Advocate General Sánchez-Bordona argues that the GDPR allows for direct liability of companies for data protection violations. He states that this is in line with the objective of the GDPR, which is to create an effective and dissuasive sanctioning mechanism that harmonizes the different national legal systems. He points out that Article 83 of the GDPR must be interpreted in such a way that an administrative fine can be imposed on a legal entity without having to prove the infringement of a natural person acting on behalf of that legal entity. He adds, however, that an administrative fine would require that the causal conduct be intentional or negligent. These two aspects seem somewhat contradictory since any "causal intentional or negligent conduct" can only be committed by a natural person. The Advocate General's opinion leaves open how this shall be handled in practice.
3. CONCLUSION
The Advocate General's opinion is not binding on the CJEU, but it often gives an indication of the direction of the final decision. If the CJEU follows the opinion, it would mean that the mere fact that a company violates the rules of the GDPR would not be enough to justify administrative fines. The CJEU is expected to deliver its judgment on December 5, 2023. The decision could have a significant impact on the practices of data protection authorities in the EU, potentially leading to an increase in fines.
The opinion of the Advocate General can be accessed here in different languages:
https://curia.europa.eu/juris/documents.jsf?nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&num=C-807%252F21&for=&jge=&dates=&language=de&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lgrec=de&page=1&lg=&cid=3801407
Article provided by INPLP member: Stephan Winklbauer (Aringer Herbst Winklbauer Rechtsanwälte, Austria)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)