Update Data Protection No. 159 & Update Compliance 9/2023
ECJ on Deutsche Wohnen SE case: GDPR association sanction requires culpability – but not the action of a management body
A company that is a controller under the GDPR can only be fined under Art. 83 GDPR if it is proven that the company committed the infringement intentionally or negligently. However, it is not necessary to prove that a member of the management acted intentionally or negligently, or even that it was aware of the infringement. This is what the ECJ decided in the current judgment (C-807/21, judgment of 5 December 2023). The Court essentially follows the Advocate General’s Opinion.
In this respect, according to the ECJ's judgment, the German system of sanctioning companies under Sections 30 and 130 of the German Law on Administrative Offences (OWiG) differs from the system of the GDPR. Under the German OWiG, proof of an intentional or negligent act by an identified member of the management that violated the company's obligations or enriched or was intended to enrich the company is a prerequisite for the imposition of an administrative fine (the so-called "attribution model").
In its judgment, the ECJ did not comment on how the intentional or negligent conduct of a company can be determined independently of the individual conduct of a natural person.
In this respect, the ECJ's judgment leads to a separation of German corporate sanctions law into data protection sanctions law under the GDPR on the one hand, and general corporate sanctions law based on the attribution model, which claims to apply to all other areas of law, on the other.
The ECJ judgment was preceded by a decision of the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI), which ordered Deutsche Wohnen SE to pay an administrative fine of € 14.5 million for breaches of the General Data Protection Regulation (GDPR).
During an on-site inspection on 23 July 2017, the BlnBDI had previously pointed out to Deutsche Wohnen SE that it could not understand why some tenants' personal data was still being retained, although the BlnBDI considered this no longer necessary. Deutsche Wohnen SE was then instructed to delete this data.
Following a further inspection, the BlnBDI accused the real estate company in its penalty notice of 30 October 2020 of failing to take the necessary measures between 25 May 2018 and 5 March 2019 to enable the regular deletion of tenants' personal data that was no longer needed or otherwise retained unlawfully. The company was also accused of continuing to retain the personal data of at least 15 specified tenants despite knowing that this was not or no longer necessary.
The accusation was that the systems of Deutsche Wohnen SE did not comply with the data protection principles because technical designs and privacy-friendly settings were not effectively implemented, although this was required under Art. 25 GDPR. Furthermore, some tenants' personal data was allegedly stored even though this was not necessary for the purpose for which it was originally collected. The required legal basis under Art. 6 GDPR was therefore missing.
The BlnBDI imposed an administrative fine of € 14.5 million, the second highest fine ever imposed in Germany for alleged breaches of data protection law. Only the clothing retailer H&M was hit with a higher fine of € 35 million.
Deutsche Wohnen SE lodged a formal objection against the administrative fine with the result that the Berlin Regional Court discontinued the proceedings pursuant to Section 46 (1) OWiG, read in conjunction with Section 206a German Code of Criminal Procedure (StPO). It based its objection on the fact that, under German law, the imposition of a fine on a legal entity is regulated by Section 30 OWiG, and that this provision presupposes a company-related culpable infringement by an identified member of the management. Such an infringement had not been established in the penalty notice. The imposition of an administrative fine was regulated conclusively in Section 30 OWiG; this provision would also be applicable to infringements under the GDPR. The Berlin Regional Court upheld Deutsche Wohnen's action. The Berlin Public Prosecutor’s Office (Staatsanwaltschaft Berlin) lodged an immediate appeal. The Higher Regional Court Berlin (Kammergericht Berlin) then had to decide again.
Previously, the Court of Appeal referred two questions to the ECJ for a preliminary ruling:
“Is Article 83(4) to (6) of the GDPR to be interpreted as incorporating into national law the functional concept of an undertaking, as defined in Articles 101 and 102 TFEU, and the principle of an economic entity, with the result that proceedings for an administrative fine may be initiated directly against an undertaking by broadening the principle of legal entity forming the basis of Paragraph 30 of the Gesetz über Ordnungswidrigkeiten (Law on administrative offences; ‘the OWiG’) and that the imposition of a fine does not require a finding that a natural and identified person committed an administrative offence, if necessary in satisfaction of the objective and subjective elements of tortious liability?”
as well as
“If Question 1 is answered in the affirmative: Is Article 83(4) to (6) of the GDPR to be interpreted as meaning that the undertaking must have intentionally or negligently committed the breach by an employee vicariously (see Article 23 of Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty), or is the objective fact of breach of obligations caused by it sufficient, in principle, for a fine to be imposed on that undertaking (‘strict liability’)?”
In other words:
- Is it necessary to identify a natural and identified person who may have committed the offence (in its entirety), as required by Section 30 OWiG, in order to impose a fine on a company?
- And if so, is culpability a prerequisite for the imposition of a fine, or is an objective breach of the GDPR sufficient?
The BlnBDI is of the opinion that the European legislator assumes a direct sanctioning of legal persons and companies, so that the identification of a natural and identified person is not required and therefore the provisions of the OWiG are not applicable. The BlnBDI is also of the opinion that culpability is not required, so that the objective breach of duty alone is sufficient for the fine to be imposed.
These views are shared by, among others, the German Data Protection Conference (Datenschutzkonferenz, DSK), as can be seen from its statement of 5 January 2002.
Deutsche Wohnen, on the other hand, believes that it is necessary to identify a natural person and to prove culpability. In other words, the data protection authorities must prove that the company's management acted culpably, for example by failing to carry out sufficient monitoring. In his opinion of 27 April 2023, Advocate General Manuel Campos Sánchez-Bordona considers that data protection authorities may impose fines directly on companies without the need to identify a natural person. However, the imposition of fines should be based on the presence of intent or negligence. The Advocate General applies low standards for the existence of negligence, leading to criticism that strict liability could be introduced "by the back door".
ECJ Judgment and first assessment
The ECJ has rejected the view that the GDPR allows companies responsible for data protection to be sanctioned completely regardless of the presence of intent or negligence. The mere finding of an objective breach of data protection regulations is not sufficient to impose a fine. The ECJ, however, does not want the so-called "attribution model" of German association sanctions law (Section 30 OWiG), which requires the finding of a culpable offence by a member of the management, to be applied to the GDPR.
In response to the first question referred, the ECJ therefore found that the sanction system of the GDPR conflicts with the German law on corporate sanctions. The establishment of a company-related act by a member of the management, as required by Section 30 OWiG, is not required by Art. 83 GDPR. The ECJ answered the second question by stating that corporate sanctions may nevertheless only be based on the presence of fault, i.e. intent or negligence must be proven. However, it is not necessary to prove that a member of the management acted intentionally or negligently, or even that a member of the management was aware of the unlawful conduct within the company.
Consequences for the fine imposed on Deutsche Wohnen SE
This judgment leads to a separation of the GDPR's sanction rules from the association sanction system, which otherwise applies under German law.
The Berlin Higher Regional Court must now assess the administrative fine imposed by the BlnBDI to determine whether the fining authority has proven the presence of intent or negligence. If this is not the case, the Berlin Higher Regional Court will annul the penalty order, as the ECJ has stated that intent or negligence must be proven in order to impose an administrative fine on a company under the GDPR.
If such culpability was established in the fine notice, this would be sufficient to impose the administrative fine. According to the ECJ, it is no longer necessary to prove who within the sanctioned company is personally culpable for the offence. This is in contrast to Section 30 of the OWiG, which requires individual culpability on the part of one of the management bodies named therein in order to impose sanctions on a company.
It remains to be seen how the guilt of a company is to be proven independently of findings relating to natural persons – i.e. people. This is not unproblematic, and it remains to be seen how the German authorities will deal with the ECJ ruling. The reason is that the German criminal law system is based on the idea that "guilt" is to be understood in the sense of the principle of personal fault (Persönliche Vorwerfbarkeit), which means that "guilt" can only affect natural persons, not legal persons or groups of persons. In the German legal system, not only the sanctioning of natural persons but also – as shown – the sanctioning of companies depends on this principle of personal fault.