On January 22nd 2024 the Higher Regional Court in Berlin issued a ruling on data protection violations by a legal person. It concerns a fine that the Berlin data protection officer had imposed on the company.
Fundamentals and norm´s recipients
The amount of fines for GDPR violations is regulated in article 83 section 4, 5 and 6 of the GDPR. In addition, supervisory authorities may impose sanctions under article 84 of the GDPR or other measures under article 58 of the GDPR. The exclusive recipients of the sanctions are controllers, processors, certification bodies and supervisory authorities under article 83 sec. 4 letter a, b and c of the GDPR. However, it remains debatable whether legal entities are liable for the penalties imposed.
Implication for the specific case
In the case under review, the company was alleged to have intentionally breached data protection legislation. It was found that the necessary steps had not been taken to systematically delete tenants’ data, resulting in unauthorized storage of personal data. As a result, a fine of €14.386.000 was imposed on the company. The proceedings were discontinued due to deficiencies in the fine notice. The Berlin Regional Court, to which the case was referred as a result of an objection, was of the opinion that a legal entity cannot be subject to a fine, even in proceedings under article 83 GDPR. Following an appeal by the Berlin public prosecutor’s office, the case went before the Berlin Higher Regional Court, which decided to suspend the proceedings and refer a question to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
In a December 5, 2023 ruling (C-807/21), CJEU stated that it is permissible to impose fines directly on legal entities if they are responsible for the processing of data and have intentionally or unintentionally committed a breach pursuant to article 83 sec. 4 to 6 GDPR. According to the CJEU, this is due to the fact that companies are e liable not only for breaches committed by their agents, directors or managers, but also by any other person acting in the course of the business activities of these legal persons and on their behalf. As a result of the CJEU judgment, the Higher Regional Court of Berlin decided to refer the case back to the Regional Court of Berlin.
Grau Rechtsanwälte PartGmbB advises companies in the area of data protection, also as an external data protection officer.
If you have any further questions, please contact our law firm on +49 (0) 40 180 364 020 or office@graulaw.eu.