Waiting for Cjeu Ruling in the Matter of “Deutsche Wohnen” (C-807/21)

23.11.2023

Since the end of December 2021, the preliminary ruling of the European Court of Justice (CJEU) on the conditions under which an administrative fine may be imposed on a legal entity for violating the GDPR has been pending. Since then, the Austrian Data Protection Authority and the administrative courts have suspended all proceedings against legal persons who have violated the GDPR pending the decision of the CJEU. This decision is now expected to be rendered on December 5, 2023.

1.    CASE FACT

Deutsche Wohnen SE ("Deutsche Wohnen") is a listed real estate company based in Berlin that indirectly owns approximately 163,000 residential units and 3,000 commercial units. The operational business and management are carried out by subsidiaries. The subsidiaries process personal data relating to tenants, including copies of IDs, bank statements, salary statements, tax, social security and health insurance data.

In 2017, following an on-site inspection of Deutsche Wohnen, the Berlin Data Protection Authority objected to the fact that the group companies were storing tenants' personal data in an electronic archiving system that was no longer required. As a result, the Berlin Data Protection Commissioner ordered Deutsche Wohnen to delete the data from the archive system – but the data was still there until 2020. As a result, the data protection authority fined Deutsche Wohnen more than 14 million euros for intentionally violating the data processing principles of lawfulness, data minimization, and storage limitation.

The Berlin Regional Court discontinued the proceedings due to the lack of a chargeable administrative offense. Since Deutsche Wohnen, as a legal entity, could not have committed an administrative offense itself, an administrative offense committed by a member of the legal entity's executive body must be established. Direct liability of the corporation, i.e., regardless of any fault attributable to a natural person, would contradict the principle of culpability enshrined in German law. The Berlin Public Prosecutor's Office objected to this decision, and the Berlin Court of Appeal requested a preliminary ruling from the CJEU on the interpretation of Article 83(4) to (6) GDPR.

In its previous case law pursuant to Article 30 of the Austrian Data Protection Act, the Austrian Higher Administrative Court also sees the need to determine the constitutive, unlawful and culpable conduct of a natural person in order to impose a fine on a legal person for a violation of the GDPR. Therefore, since the beginning of 2022, all administrative criminal proceedings in Austria regarding GDPR violations by legal persons have been suspended until the CJEU publishes its decision in the Deutsche Wohnen case.

 

2.    OPINION OF THE ADVOCATE GENERAL

According to the opinion of Advocate General Campos Sánchez-Bordona of April 27, 2023, the CJEU has the rare opportunity to rule on the conditions under which an administrative fine may be imposed on a legal person for a violation of the GDPR. In particular, the CJEU must determine whether a penalty can be imposed on a legal person without establishing the liability of a natural person, and whether the infringement must be committed intentionally or negligently, or whether the mere fact of an infringement is sufficient to impose a penalty.

Advocate General Sánchez-Bordona argues that the GDPR allows for direct liability of companies for data protection violations. He states that this is in line with the objective of the GDPR, which is to create an effective and dissuasive sanctioning mechanism that harmonizes the different national legal systems. He points out that Article 83 of the GDPR must be interpreted in such a way that an administrative fine can be imposed on a legal entity without having to prove the infringement of a natural person acting on behalf of that legal entity. He adds, however, that an administrative fine would require that the causal conduct be intentional or negligent. These two aspects seem somewhat contradictory since any "causal intentional or negligent conduct" can only be committed by a natural person. The Advocate General's opinion leaves open how this shall be handled in practice.

 

3. CONCLUSION

The Advocate General's opinion is not binding on the CJEU, but it often gives an indication of the direction of the final decision. If the CJEU follows the opinion, it would mean that the mere fact that a company violates the rules of the GDPR would not be enough to justify administrative fines. The CJEU is expected to deliver its judgment on December 5, 2023. The decision could have a significant impact on the practices of data protection authorities in the EU, potentially leading to an increase in fines.
The opinion of the Advocate General can be accessed here in different languages:

https://curia.europa.eu/juris/documents.jsf?nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&num=C-807%252F21&for=&jge=&dates=&language=de&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lgrec=de&page=1&lg=&cid=3801407


Article provided by INPLP member: Stephan Winklbauer (Aringer Herbst Winklbauer Rechtsanwälte, Austria)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.