BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen: Difference between revisions
(Changed appeal court to LG Berlin) |
No edit summary |
||
| (7 intermediate revisions by 2 users not shown) | |||
| Line 65: | Line 65: | ||
}} | }} | ||
The German Kammergericht decided to pose a set of preliminary questions to the CJEU. It wanted to ascertain whether EU law, specifically [[Article 83 GDPR]] read in conjunction with Articles 101 and 102 TFEU, would require Germany to allow that GDPR fines may be initiated directly against an undertaking, despite Germany's administrative law requiring a culpable natural person for administrative fines. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The case concerned a publicly listed real estate enterprise (the "undertaking" and the "controller"), which held participating interests in around 163,000 housing units and 3,000 commercial units. The companies who owned these units were subsidiaries of the controller and managed the operational side of the business. The controller handled higher management. Among other things, the controller's business activities included the processing of tenants' personal data. The data handled included: proof of identity, data on health and social insurance, tax, and information relating to previous tenancies. | |||
On its own initiative, the Berlin Commissioner for Data Protection (the DPA) started an "on-the-spot" investigation into the controller. The DPA found that the controller's subsidiary companies were storing personal data of tenants in an electronic archive system, although there was no apparent necessity to still store such data and without a guarantee that personal data, which was no longer required, would be erased. | |||
The DPA required the controller to delete all the documents from its electronic archive by the end of 2017. The controller refused to do so, stating that deletion was impossible for technical and legal reasons. In particular, deleting the documents would first require this old archive data to be transferred to a new archive system that is compliant with statutory retention obligations under commercial and tax law. The undertaking concerned and the authority then entered into an oral and written exchange concerning the deletion order. | |||
The | Three years later, in 2020, the DPA carried out another inspection and found that there had been no substantial change in the GDPR-infringing data storage. The controller responded to these findings by informing the DPA that the archive system, which the DPA had objected to, had already been decommissioned and that the data would be migrated to the new system imminently. Consequently, the DPA issued a penalty order on the grounds that, in the period from 25 May 2018 to 5 March 2019, the controller concerned deliberately omitted to take the necessary measures to allow the proper deletion of tenant data that were no longer required or were otherwise wrongly stored. The DPA also alleged that the controller had continued to store personal data relating to at least 15 named tenants, even though it was known that this was not necessary or was no longer necessary. For the intentional infringement of [[Article 25 GDPR#1|Article 25(1) GDPR]] and [[Article 5 GDPR#1a|Article 5(1)(a),]] [[Article 5 GDPR#1c|(c),]] [[Article 5 GDPR#1e|and (e) GDPR]], the authority imposed a pecuniary penalty of €14,385,000, as well as 15 further pecuniary penalties each ranging from €3,000 to €17,000 for infringements of [[Article 6 GDPR#1|Article 6(1)GDPR]]. | ||
Following an appeal by the controller, the Regional Court of Berlin discontinued the proceedings on the grounds that, under German law, specifically Paragraph 30 of the Law on Administrative Offences (the OWiG), a legal person could not be the party concerned by proceedings for an administrative fine. Only a natural person can culpably commit an administrative offence. The direct liability of undertakings, as codified in [[Article 83 GDPR]], is contrary to the principle of fault enshrined in German law and therefore could not be applied. | |||
The | The Berlin Public Prosecutor’s Office lodged an immediate appeal against the discontinuation of the proceedings, on which the Kammergericht, the referring court, is called upon to rule at final instance. | ||
=== Holding === | |||
As the Kammergericht was called upon to rule at final instance, it decided to pose a set of preliminary questions to the CJEU to ascertain whether the EU law primacy would require Germany to allow that administrative fine may be initiated directly against an undertaking, despite this being contrary to its law on administrative offences. | |||
Questions referred for a preliminary ruling: | |||
1. Is [[Article 83 GDPR|Article 83(4) to (6) of the GDPR]] to be interpreted as incorporating into national law the functional concept of an undertaking, as defined in Articles 101 and 102 TFEU, and the principle of an economic entity, with the result that proceedings for an administrative fine may be initiated directly against an undertaking by broadening the principle of legal entity forming the basis of Paragraph 30 of the Gesetz über Ordnungswidrigkeiten (Law on administrative offences; ‘the OWiG’) and that the imposition of a fine does not require a finding that a natural and identified person committed an administrative offence, if necessary in satisfaction of the objective and subjective elements of tortious liability? | |||
2. If Question 1 is answered in the affirmative: Is [[Article 83 GDPR|Article 83(4) to (6) of the GDPR]] to be interpreted as meaning that the undertaking must have intentionally or negligently committed the breach by an employee vicariously (see Article 23 of Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty), or is the objective fact of breach of obligations caused by it sufficient, in principle, for a fine to be imposed on that undertaking (‘strict liability’)? | |||
== Comment == | == Comment == | ||
Latest revision as of 16:39, 12 December 2023
| BlnBDI - C-807/21 - Deutsche Wohnen | |
|---|---|
 | |
| Authority: | BlnBDI (Berlin) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 83 GDPR § 30 OWiG |
| Type: | Other |
| Outcome: | n/a |
| Started: | 21.12.2021 |
| Decided: | |
| Published: | 16.01.2023 |
| Fine: | 14385000 EUR |
| Parties: | Deutsche Wohnen SE Staatsanwaltschaft Berlin |
| National Case Number/Name: | C-807/21 - Deutsche Wohnen |
| European Case Law Identifier: | n/a |
| Appeal: | Appealed - Confirmed LG Berlin (Germany) |
| Original Language(s): | English |
| Original Source: | Curia (in EN) |
| Initial Contributor: | Norman Aasma |
The German Kammergericht decided to pose a set of preliminary questions to the CJEU. It wanted to ascertain whether EU law, specifically Article 83 GDPR read in conjunction with Articles 101 and 102 TFEU, would require Germany to allow that GDPR fines may be initiated directly against an undertaking, despite Germany's administrative law requiring a culpable natural person for administrative fines.
English Summary
Facts
The case concerned a publicly listed real estate enterprise (the "undertaking" and the "controller"), which held participating interests in around 163,000 housing units and 3,000 commercial units. The companies who owned these units were subsidiaries of the controller and managed the operational side of the business. The controller handled higher management. Among other things, the controller's business activities included the processing of tenants' personal data. The data handled included: proof of identity, data on health and social insurance, tax, and information relating to previous tenancies.
On its own initiative, the Berlin Commissioner for Data Protection (the DPA) started an "on-the-spot" investigation into the controller. The DPA found that the controller's subsidiary companies were storing personal data of tenants in an electronic archive system, although there was no apparent necessity to still store such data and without a guarantee that personal data, which was no longer required, would be erased.
The DPA required the controller to delete all the documents from its electronic archive by the end of 2017. The controller refused to do so, stating that deletion was impossible for technical and legal reasons. In particular, deleting the documents would first require this old archive data to be transferred to a new archive system that is compliant with statutory retention obligations under commercial and tax law. The undertaking concerned and the authority then entered into an oral and written exchange concerning the deletion order.
Three years later, in 2020, the DPA carried out another inspection and found that there had been no substantial change in the GDPR-infringing data storage. The controller responded to these findings by informing the DPA that the archive system, which the DPA had objected to, had already been decommissioned and that the data would be migrated to the new system imminently. Consequently, the DPA issued a penalty order on the grounds that, in the period from 25 May 2018 to 5 March 2019, the controller concerned deliberately omitted to take the necessary measures to allow the proper deletion of tenant data that were no longer required or were otherwise wrongly stored. The DPA also alleged that the controller had continued to store personal data relating to at least 15 named tenants, even though it was known that this was not necessary or was no longer necessary. For the intentional infringement of Article 25(1) GDPR and Article 5(1)(a), (c), and (e) GDPR, the authority imposed a pecuniary penalty of €14,385,000, as well as 15 further pecuniary penalties each ranging from €3,000 to €17,000 for infringements of Article 6(1)GDPR.
Following an appeal by the controller, the Regional Court of Berlin discontinued the proceedings on the grounds that, under German law, specifically Paragraph 30 of the Law on Administrative Offences (the OWiG), a legal person could not be the party concerned by proceedings for an administrative fine. Only a natural person can culpably commit an administrative offence. The direct liability of undertakings, as codified in Article 83 GDPR, is contrary to the principle of fault enshrined in German law and therefore could not be applied.
The Berlin Public Prosecutor’s Office lodged an immediate appeal against the discontinuation of the proceedings, on which the Kammergericht, the referring court, is called upon to rule at final instance.
Holding
As the Kammergericht was called upon to rule at final instance, it decided to pose a set of preliminary questions to the CJEU to ascertain whether the EU law primacy would require Germany to allow that administrative fine may be initiated directly against an undertaking, despite this being contrary to its law on administrative offences.
Questions referred for a preliminary ruling:
1. Is Article 83(4) to (6) of the GDPR to be interpreted as incorporating into national law the functional concept of an undertaking, as defined in Articles 101 and 102 TFEU, and the principle of an economic entity, with the result that proceedings for an administrative fine may be initiated directly against an undertaking by broadening the principle of legal entity forming the basis of Paragraph 30 of the Gesetz über Ordnungswidrigkeiten (Law on administrative offences; ‘the OWiG’) and that the imposition of a fine does not require a finding that a natural and identified person committed an administrative offence, if necessary in satisfaction of the objective and subjective elements of tortious liability?
2. If Question 1 is answered in the affirmative: Is Article 83(4) to (6) of the GDPR to be interpreted as meaning that the undertaking must have intentionally or negligently committed the breach by an employee vicariously (see Article 23 of Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty), or is the objective fact of breach of obligations caused by it sufficient, in principle, for a fine to be imposed on that undertaking (‘strict liability’)?
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
List of results List of results by case List of documents Search result: 1 case(s) 1 documents analysed Deutsche WohnenCase C-807/21 Reports of Cases Information not available
