- It remains unclear whether fines under Art. 83 GDPR always require proof of culpable conduct by a specific manager.
- German courts and authorities are divided: Bonn Regional Court denies requirement of proof, Berlin Regional Court and Federal Ministry of the Interior affirm applicability of Section 30 OWiG.
- Austrian Administrative Court requires culpable managers to be named; national procedural regulations have priority for sanctions.
As is well known, the GDPR provides for high fine frameworks against companies, amounting to up to 4% of the company’s global turnover in the previous year. In individual cases, there have also been high fines, but these have usually been challenged in court. It is not clear in this case, however, whether the corporate fines are requires that a culpable breach of the GDPR by a natural manager is proven. attributed to the company.
This discussion is being held in Germany, among other countries, and shows the extent to which the unifying effect of the GDPR depends on the legal understanding of the member states. At the same time, it shows that companies can greatly reduce their legal risks if they carefully select, instruct, train and monitor their data-processing personnel.
Germany
In Germany, the Federal Data Protection Act (BDSG) refers, § 41, to the Administrative Offences Act (OWiG), but only “mutatis mutandis”. According to § 30 OWiG a fine imposed on a legal person shall then be deemed to be the Evidence of a breach of duty by a management person presupposed. However, it has not been conclusively clarified whether this provision applies to data protection violations, but the tendency is certainly in this direction.
The Regional Court (LG) Bonn has in the 1&1 method a fine of EUR 9.55 million was reduced to EUR 900,000. This was mainly based on the Fines concept of the German regulatory authorities. It held in its Judgment 29 OWi 1/20 of 11.11.2020 but also states that a fine under the GDPR can be imposed without proof of a breach of duty by a specific natural person. Not § 30 OWiG was applicable, but – due to the GDPR – the Principles of supranational antitrust lawwhich, in the event of violations of Articles 101 and 102 TFEU, assumes a direct responsibility of the companies [for this purpose e.g. ECJ, Case C‑68/12, para. 28], regardless of which natural person acted on behalf of the company:
bb) The Linking of the Fine to Misconduct by Corporate Bodies or Management Persons Pursuant to Section 30 OWiG Cannot be meaningfully reconciled with the liability concept based on the EU antitrust model and the function bearer principle […]. Compared to the European liability model, the application of Section 30 OWiG would lead to a considerable restriction of the imposition of fines on companies if internal responsibilities had to be clarified despite the fact that a data protection violation had been established. […]
In contrast, the Berlin Regional Court in Decision 526 OWi LG from February 18, 2021 ruled that § 30 OWiG was applicable, which is why a to prove culpable misconduct on the part of a management person is. The GDPR does not contain any more detailed provisions on the criminal liability of legal persons. The reference to the OWiG in the BDSG is therefore valid. The attribution of the infringement to a natural person is also necessary because the legal person acts through its organs and representatives:
In this respect the Determination of a reproachable conduct of a natural person the necessary basic condition for the establishment of liability of the potentially liable entity.
The German Federal Ministry of the Interior, for Construction and Home Affairs (BMI) for its part evaluated the new BDSG and stated in the evaluation report of October 2021 that the OWiG had been deliberately referred to and that the GDPR leaves room for this:
In this regard, it should first be pointed out that the legislator at the time conscious – and in knowledge of the legal opinion of the data protection supervisory authorities55 on this subject – has decided not to exclude Sections 30, 130 OWiG from the provisions of the OWiG applicable under Section 41 (1) sentence 1 BDSG.
This decision is thereby based on the consideration that Article 83(8) of the GDPR allows precisely leaves it to the Member States to regulate the details of the procedure for imposing fines. Moreover, nothing to the contrary can be derived from recital 150 of the GDPR, which must be read as a whole and in its systematic context. It refers to Article 83 of the GDPR and specifically to the rules on the amount of fines, but does not contain any provisions on the conditions under which violations by natural persons trigger liability under fine law for legal persons and associations of persons.
Austria
In Austria, the Administrative Court (VwGH) on May 12, 2020 (Ro 2019÷04÷0229). also ruled that a fine pursuant to Art. 83 GDPR against a legal person the proof of the culpable conduct of a management person is required. It took as its starting point the legal situation under the Austrian Banking Act (BWG):
29 Since the legal person cannot act on its own, its criminal liability under Section 99d of the Banking Act is a consequence of the constituent, unlawful and culpable conduct of a leading person. Accordingly, for the prosecution action directed against the legal person to be effective, the precise description of the act of the natural person is necessary. […]
These principles are transferable to the area of the GDPR. The Administrative Penalties Act (VStG) is applicable:
18 Rather, the imposition of fines pursuant to Art. 83 GDPR is subject to the VStG insofar as applicationthan the GDPR does not provide for more specific rules within the scope of the primacy of application. […] […]
20 The authority filing the appeal objects to the […] requirement of naming the natural person whose unlawful and culpable conduct is attributable to the legal entity, Art. 83 The content of the GDPR is modeled on the competition law provisions of the European Union. […]. […] […]
23 In contrast to the imposition of fines for breaches of Union competition rules, the fines to be imposed by the supervisory authority of a Member State for breaches of the GDPR pursuant to Article 83 (4) to (6) GDPR are criminal sanctions (cf. recital 150 of the GDPR). Moreover, in accordance with Article 83(8) of the GDPR, unlike with regard to the European Commission’s power to impose fines for infringements of European Union competition law, the exercise of the sanctioning power of the supervisory authority of the individual Member State must be subject not only to appropriate procedural safeguards of Union law (such as the GRC), but also to those of the law of the Member States. In this respect, the imposition of fines by the European Commission for violations of competition law […] is not comparable […].
24 Proceeding from this, the argument presented in the appeal is Case law of the ECJ concerning the lack of obligation to designate the persons who have acted culpably within an undertaking fined for an infringement of Union competition law, not relevant for proceedings concerning the imposition of fines pursuant to Art. 83 GDPR by the supervisory authority of a Member State. […]
25 Pursuant to § 44a Z 1 VStG, it is legally required to describe the act with regard to the perpetrator and the circumstances of the act so precisely that the assignment of the conduct of the act to the administrative regulation that has been violated by the act is made possible with regard to all elements of the act […].
26 In the present case, in the request for justification sent to the co-participating party for the attention of its managing director under commercial law, the authority seeking review identified the natural persons whose conduct deemed to be in accordance with the facts, unlawful and culpable was attributable to the co-participating party, not namedbut merely paraphrased as “organs or employees” of the co-participating party. In the sentence of the decision of the authority appealing against the decision, the co-participating party is not shown to have acted in an unlawful and culpable manner, in accordance with the facts, by a natural person, which can be attributed to the co-participating party. Even in the statement of grounds, the authority filing the appeal did not disclose which natural person specifically committed the constituent, unlawful and culpable conduct attributable to the co-participating party with regard to the individual allegations. […]