Looking back over three years of the GDPR[1] for Germany, one significant change is clear: German data protection authorities are imposing heavy fines for infringements.
Although the old legal data protection framework implementing the repealed Privacy Directive 95/46/EC[2] already contained most of the GDPR principles and obligations, fines were capped at €50,000 or €300,000, and the German data protection authorities did not even make use of this range: fines stayed far below these levels and usually had no deterrent effect at all.
With the ability to impose fines of up to 4% of the total worldwide annual turnover of the preceding financial year, or €20 million, data protection finally emerged from the shadows. To be ready for significant increases in fines, the 16 data protection authorities of the German Länder (states) and the federal authority gathered at the German Data Protection Conference (Datenschutzkonferenz – DSK) to agree on a guideline for setting fines of the right size. With a total annual global turnover of €500 million, a company will already be subject to the highest fines: the 4% or 2% rate, respectively, according to Art. 83. The specific total annual global turnover is divided by 360 days and the resulting daily rate is then weighted by the severity of the violation – similar to German criminal law, in which individuals receive either imprisonment measured in days or a fine expressed in daily rates based on their income. After concluding this guideline, some authorities went straight into action:
- The Berlin Commissioner for Data Protection and Freedom of Information (Berlin DPA) imposed a fine of €14.5 million on a German real estate company based in Berlin in October 2019. According to the Berlin DPA, the company stored personal tenant data in an archiving system that did not provide for the possibility of data deletion, although the Berlin DPA had already recommended converting the archiving system in 2017. The Berlin DPA considered this a violation of Art. 25 (1) and Art. 5. The fine was calculated based on the company’s annual turnover of more than €1 billion. The fine was challenged and declared void by the Berlin courts in the first instance. An appeal is pending.
- The Federal Commissioner for Data Protection and Freedom of Information (Federal DPA) imposed a fine of €9.55 million on a German telecommunications company at the end of 2019. According to the Federal DPA, the company had taken insufficient technical and organizational precautions to prevent unauthorized access to customer data during telephone customer care. The Federal DPA considered this a violation of Art. 32. Again, the fine was challenged and reduced by 90% to less than €1 million by the courts of Bonn (North Rhine-Westphalia). Appeals are also pending.
- The Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg DPA) imposed a fine of €35.3 million on the German subsidiary of a Swedish clothing distributor in October 2020. According to the Hamburg DPA, the company had spied on employees to investigate absences, e.g. due to illness. Minutes of interviews, which also contained a great deal of very private information, were accessible to the entire management. The Hamburg DPA considered this a severe violation of employee data protection principles. Again, the fine has been challenged.
Courts involved in proceedings against fines have questioned the mechanism developed by the DSK. The decision-making process at the DSK requires unanimity, so often only the strictest approach stands a chance of being adopted. In finding a consensus, the DSK therefore probably went somewhat too far, and the courts have now indirectly corrected this. Note that DSK resolutions only have the character of a recommendation. Nevertheless, the old days of small fines will not come back: GDPR infringements will have far more significant financial consequences than infringements of the old BDSG.
As the GDPR followed many approaches of the old BDSG, German data controllers and processors could simply continue complying with basic data protection principles, such as data minimization, transparency, validity of consents, or the legal concept that processing of personal data for purely commercial purposes always requires a clear legal permission.
Today, German controllers and processors are already well positioned when it comes to the basic GDPR setup, such as information obligations (Art. 13 / Art. 14), definition of the legal basis for a processing activity (Art. 6), or the records of processing activities (Art. 30). The last topic briefly caused confusion among German small businesses due to the exemption in Art. 30 (5). Pursuant to Art. 30 (5), an enterprise is not obliged to maintain such records if it has fewer than 250 employees. This exemption does not, however, apply if the processing may result in a risk to the data subjects, is not occasional, or includes special categories of data (Art. 9) or data related to criminal convictions or offenses (Art. 10). Because nearly all companies have employees and process customer data, the German data protection authorities came to the conclusion that Art. 30 (5) is not applicable at all. Perhaps they were too quick in their clarification. The exemption cannot be completely disregarded. Also, German authorities have to give priority to EU law when interpreting the GDPR, which rules out such overreaching interpretations. The intention of Art. 30 (5) is to reduce the administrative burden that privacy requirements place on small and medium-sized enterprises: why would the GDPR incorporate such an exemption if it could not be applied at all?
Germany made use of Art. 88 and implemented a specific provision for the processing of personal data in the context of employment relationships – Sec. 26 BDSG (current version). European employers with employees in Germany and other EU member states need to be aware that harmonization has been split in this context and must ensure that they comply with the requirements of Sec. 26 BDSG (current version) rather than with Art. 6 (1) lit. b). However, the German Federal Labor Court recently ruled that Art. 83 will not apply to Sec. 26 BDSG, so penalties will stay low.
In summary, the German adaptation to GDPR has gone smoothly, although many controllers and processors only managed to finalize their internal documentation and compliance process by the end of 2019 / beginning of 2020. From the data subjects’ standpoint, the GDPR created more transparent and conscious processing and definitely raised awareness of the average data subject and consumer with regard to the importance of personal data and their respective rights.
One general remark perhaps: in Germany, data protection law is always also a matter of politics. The principles of data protection were developed by the German Federal Constitutional Court in the 1970s against excessive data demands by German authorities. They developed into a fundamental human right which now enjoys 17 independent government supporters: the data protection authorities of the German states and the federation. Whether such support is always in the full interest of individuals and their human rights position is an open question, and one that may have to be resolved by the courts again.
[1] All articles mentioned here refer to the GDPR.
[2] German Federal Data Protection Act (Bundesdatenschutzgesetz, “old BDSG”)