In Germany, what is probably the first decision by a supervisory authority on the GDPR in what is probably the first ruling on the GDPR cashed. This is interesting – at least for companies in Switzerland – less because of the legal considerations than because of the activism of a data protection supervisory authority, which does not fit in with the serious efforts of many companies to implement the data protection innovations appropriately.
The State Data Protection Commissioner of Baden-Württemberg had a Disposition against a credit agency enact, because violations of the company’s GDPR are already foreseeable now. It is necessary to prevent abuses that may occur after the entry into force of the GDPR are to be expected on May 25, 2018. The assumption of a data protection breach is already justified if there are special circumstances that lead to the expectation of future breaches.
The Administrative Court (VG) Karlsruhe upheld the action brought by the credit agency against this order (the decision dated July 6, 2017 is available here) because there was no basis for such an order. Article 58 (2) of the GDPR (remedial powers of supervisory authorities) did not come into consideration for this purpose because this provision only claims validity as of May 25, 2018. A possible basis in the applicable German Federal Data Protection Act (BDSG) was also not applicable because the unlawful data processing had not already been clearly marked as required.
Specifically, the proceedings concerned the deletion of information relevant to creditworthiness; a topic that is also relevant in Switzerland, where the comments of the FDPIC in the Teledata clarification are likely to remain valid. In Germany, a Code of Conduct is currently being discussed in this regard; further details on this can be found in the aforementioned judgment and in the Minutes of the Düsseldorf Circle of March 7, 2017.