Property company accused of breaching EU GDPR – Commentary
The Berlin Court of Appeal recently asked the European Court of Justice whether under the EU’s General Data Protection Regulation (GDPR) regime, a company can be directly and solely sued and sentenced to a fine, regardless of regulatory requirements under the German Administrative Offenses Act.
A Berlin real estate group company owns more than 100,000 residential units and around 3,000 commercial units. These units are managed by internal service companies. As part of their activities, the company and the group companies process the personal data of the tenants.(1)
In 2017, the Berlin data protection commissioner pointed out that tenants’ personal data was stored in an insufficient electronic archiving system; it was unclear whether data that was no longer needed would be deleted. The company was asked to take action, but it did not, saying the removal was not possible for technical and legal reasons. After an audit in 2020, authorities issued fines under Germany’s Administrative Offenses Act. The real estate company was accused, among other things, of deliberately failing to take the necessary measures in 2018 and 2019 to ensure the regular deletion of tenant data that was no longer necessary.
On the company’s objection, the Berlin Court of Appeal terminated the proceedings. The Court ruled that a legal person, such as the real estate company, could not only be subject to lawsuits and fines, even under Article 83 of the EU GDPR. These proceedings must be directed against a natural person as author. The company’s liability always arises from the actions or omissions of its directors under the German Administrative Offenses Act. The public prosecutor appealed.
The Higher Regional Court of Berlin suspended the legal proceedings and referred two questions on the interpretation of Article 83 of the EU GDPR to the Court of Justice of the European Communities for a preliminary ruling pursuant to Article 267, paragraph 3 of the Treaty on the Functioning of the European Union. European Union (TFEU).
In particular, the Berlin Court of Appeal asked the following questions – simplified:
- Is Article 83(4-6) EU GDPR to be interpreted in accordance with Articles 101 and 102 TFEU, so that an action for a fine can be brought directly against a company and the fine does not require an administrative offense committed by a natural person, possibly in a fully criminal manner?
- If the answer to the first question is yes, should Article 83, paragraphs 4 to 6, of the EU GDPR be interpreted as meaning that the company must be liable for the breach committed by an employee, or exists there an objective responsibility which must be simply imputable to the company?
The Berlin appeals court did not reveal its position, but it does refer extensively to opposing views on the issue. By reading between the lines, the Court seems to favor an interpretation that disregards the requirements of German law on administrative offences. Considering the importance of useful-effect principle for the Court of Justice of the European Communities, it is likely that this will be the result. Its conclusions will, in any case, be closely watched by all EU Member States, as the general underlying question is the interaction between national law and the GDPR in relation to sanctions.
For more information on this subject, please contact Jörg Noltin to Arnecke Sibeth Dabelstein by phone (+49 40 31 779 70) or email ([email protected]). The Arnecke Sibeth Dabelstein website is accessible at the address www.asd-law.com.