KG Berlin - 3 Ws 250/21 - 161 AR 64/21

From GDPRhub
KG Berlin - 3 Ws 250/21 - 161 AR 64/21
Courts logo1.png
Court: KG Berlin (Germany)
Jurisdiction: Germany
Relevant Law: Article 83 GDPR
Article 83(4) GDPR
Article 83(5) GDPR
Article 83(6) GDPR
Article 101 TFEU
Article 102 TFEU
Article 23 Council Regulation (EC) No 1/2003 of 16 December 2002
§ 30 OWiG
§ 41 BDSG
Decided:
Published: 06.12.2021
Parties: BlnBDI
Deutsche Wohnen SE
National Case Number/Name: 3 Ws 250/21 - 161 AR 64/21
European Case Law Identifier: ECLI:EN:KG:2021:1206:3WS250:21:00
Appeal from: LG Berlin (Germany)
(526 OWi LG) 212 Js-OWi 1/20 (1/20), 526 OWiG LG 1/20
Appeal to: Unknown
Original Language(s): German
Original Source: Berliner Vorschriften- und Rechtsprechungsdatenbank (in German)
Initial Contributor: Giel Ritzen

The Higher Regional Court of Berlin (KG Berlin) suspended ongoing proceedings and referred two preliminary questions to clarify the relationship between the GDPR and national law regarding administrative offences to the CJEU.

English Summary

Facts

On 30/10/2019, the Berlin DPA fined Deutsche Wohnen SE € 14,500,000 for violating Article 5(1)(e) and Article 25(1) GDPR as the company's archive system was structurally unable to delete unnecessary data. Deutsche Wohnen did not agree and brought the action before court. On 18/02/2021, the Regional Court Berlin overturned the DPA’s decision because it held that a legal entity cannot be the subject of a fine procedure pursuant to Article 83 GDPR. According to the Court, only a natural person could commit an administrative offence in a reproachable way, while the legal entity just could be a secondary party, to which the actions of its representatives or board members are attributable. Since there was no proof of the personal responsibility of a representative or board member, the Court held that Deutsche Wohnen could not be fined.

The Berlin DPA appealed to this decision.

Holding

The KG Berlin decided to suspend proceedings and referred the following preliminary questions to the CJEU:

(1) Is Article 83(4) to Article 83(6) GDPR of the GDPR to be interpreted as incorporating into national law the functional concept of undertaking and the functionary principle associated with Articles 101 and 102 TFEU, with the consequence that, by extending the principle of legal entity on which Paragraph 30 of the OWiG is based, a fine procedure may be conducted directly against an undertaking and the penalty is not imposed on the determination of a person identified by a natural and identified person: if applicable, a fully tort, committed administrative offence is required?

(2) If the answer to Question (1) is in the affirmative, must Article 83(4) and Article 83(6) GDPR be interpreted as meaning that the undertaking must have culpably committed the infringement mediated by an employee (see Article 23 of Council Regulation (EC) No 1/2003 of 16 December 2002 implementing the rules on competition laid down in Articles 81 and 82 of the Treaty), or is an objective breach of duty attributable to the company ("strict liability") already sufficient in principle for a fine of the company?

Comment

Regarding the liability regime, the Court discussed the contradiction between the limited liability regime under national law, and the view as expressed in LG Bonn 29 OWi 1/20. In this case, the LG Bonn held that Article 83 GDPR, with a rule of direct association liability, supersedes the traditional national regime of attribution of the actions of directors only with legal consequences. Moreover, the majority of legal scholars share the opinion of the Court (See KG Berlin 3. Senat für Bußgeldsachen - 3 Ws 250/21 - 161 AR 64/21, para 9 for the full list).

In short, due to the primacy of EU Law, as well as the GDPR being a regulation and the supranational principles of corporate sanctioning prescribed by Article 83 GDPR, the traditional national principles are not to be followed if this weakens the level of data protection laid down by the GDPR. For more details, see KG Berlin 3. Senat für Bußgeldsachen - 3 Ws 250/21 - 161 AR 64/21, paras 12-25, or LG Bonn 29 OWi 1/20.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Court: KG Berlin 3rd Senate for Fine Matters
Date of decision: 06.12.2021
Reference: 3 Ws 250/21 - 161 AR 64/21
ECLI: ECLI:DE:KG:2021:1206.3WS250.21.00
Document type: ECJ submission
Source: juris Logo
Standards:	Art 26(1) TFEU, Art 81 TFEU, Art 82 TFEU, Art 101 TFEU, Art 102 TFEU ... more
Document tab

    Short textLong text

    ECJ referral: Can a company be a directly affected party in fine proceedings for a breach of Art. 83 GDPR?

Editorial

    The following questions are referred to the Court of Justice of the European Union for a preliminary ruling on the interpretation of Article 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation):

    (1) Is Article 83(4) to (6) of the GDPR to be interpreted as incorporating the functional concept of undertaking attributed to Articles 101 and 102 TFEU and the function bearer principle into domestic law with the result that, by extending the principle of function bearer underlying Paragraph 30 of the OWiG, proceedings for a fine may be brought directly against an undertaking and the fine does not require a finding of an administrative offence committed by a natural and identified person, possibly in a fully criminal manner?

    (2) If the answer to Question 1 is in the affirmative: Is Article 83(4)(6) of the GDPR to be interpreted as meaning that the undertaking must be culpable for the infringement committed by an employee (cf. Article 23 of Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty), or is an objective breach of obligations attributable to the undertaking already sufficient in principle for the undertaking to be fined ("strict liability")?

Hide course of proceedingsCourse of proceedings
preceding LG Berlin, (526 OWi LG) 212 Js-OWi 1/20 (1/20), Order
Tenor

    I. The following questions are referred to the Court of Justice of the European Union for a preliminary ruling on the interpretation of Article 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation):

    (1) Is Article 83(4)-(6) of the GDPR to be interpreted as incorporating the functional concept of undertaking attributed to Articles 101 and 102 TFEU and the function bearer principle into domestic law with the consequence that, extending the principle of function bearer underlying Paragraph 30 of the OWiG, fine proceedings may be brought directly against an undertaking and the fine does not require a finding of an administrative offence committed by a natural and identified person, where appropriate in a fully criminal manner?

    (2) If the answer to Question 1 is in the affirmative: Is Article 83(4)-(6) of the GDPR to be interpreted as meaning that the undertaking must be culpable for the infringement committed by an employee (cf. Article 23 of Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty), or is an objective breach of obligations attributable to the undertaking already sufficient in principle for the undertaking to be fined ("strict liability")?

    II. the appeal proceedings are suspended until the Court of Justice of the European Union has answered the questions referred for a preliminary ruling.

Reasons

Paragraph 1

    I. The company concerned is a listed real estate company with its seat in Berlin. It indirectly holds around 163,000 residential units and 3,000 commercial units through shareholdings under company law. The owners of these units are subsidiaries, so-called holding companies, which run the operative business and form a group with the company concerned. The affected company's business activities are focused on higher-level management, such as executive management, human resources and finance and accounting. The ownership companies rent out the residential and commercial units, and the management of the units is also carried out by group companies ("service companies").

Requirement2

    In the course of their business activities, the company concerned and the group companies also process personal data of tenants of the residential and commercial units. This occurs in the context of the new letting of a property, the ongoing management of an existing tenancy, the acquisition of properties that have already been let and the takeover of tenancies existing here. This data includes, for example, proof of identity (e.g. copies of identity cards), proof of creditworthiness (e.g. bank statements), salary slips, proof of employment, tax, social security and health insurance data and details of previous tenancies.

Requirement3

    On 23 June 2017, as part of an on-site inspection, the Berlin Commissioner for Data Protection (hereinafter: "Authority") drew the attention of the company concerned to the fact that its group companies stored personal data of tenants in an electronic archiving system where it could not be traced whether the storage was necessary and ensured that data that was no longer necessary would be deleted. The authority subsequently requested the company concerned to delete documents from the electronic archiving system by the end of 2017. The company concerned replied that deletion was not possible for technical and legal reasons. In particular, deleting the documents would first require the old archive data to be transferred to a new archive system, which in turn would have to comply with the statutory retention obligations under commercial and tax law. At the request of the company concerned, a discussion took place with representatives of the authority regarding these objections, in which the authority expressed the opinion that there were indeed technical solutions for the required deletion. After the company concerned had again explained in writing that it would not be able to delete the data within the set deadline, it was requested in a letter dated 20 December 2017 to explain in writing the reasons opposing the deletion, in particular any disproportionate effort. The data subject subsequently reported on the planned construction of a new storage system to replace the previously objected-to system.

Paragraph4

    On 5 March 2020, the authority carried out an audit at the company's headquarters, during which a total of 16 samples were taken from the database. At the same time, the authority was informed that the offending archive system had already been decommissioned and that the migration of the data to the new system was imminent. In the penalty notice issued on 30 October 2020, the company concerned is accused of intentionally failing to take the necessary measures between 25 May 2018 and 5 March 2019 to enable the regular deletion of tenants' data that is no longer required or otherwise wrongfully stored. He is further accused of having continued to store personal data of at least 15 specified tenants, although it was known that this was not or no longer necessary. For the intentional violation of Art. 25(1), Art. 5(1)(a), (c) and (e) of the GDPR, the authority imposed a fine of 14,385,000 euros and for violations of Art. 6(1) of the GDPR, it imposed 15 further fines, each ranging from 3,000 to 17,000 euros.

Paragraph5

    Upon the objection of the company concerned, the Berlin Regional Court discontinued the proceedings pursuant to Section 46 (1) OWiG in conjunction with Section 206a StPO. The Regional Court is of the opinion that the penalty notice suffers from such serious defects that it cannot be the basis of the proceedings. Namely, a legal person could not be a party to fine proceedings, not even in such proceedings under Article 83 of the GDPR. Only a natural person can be accused of committing an administrative offence. The legal person can only be held responsible for the actions of its executive body members or representatives. Therefore, a legal person can only be a secondary party in a fine proceeding. The imposition of a fine on a legal person is conclusively regulated in Section 30 OWiG, which also applies to violations under Article 83(4) to (6) of the GDPR via Section 41(1) BDSG. According to this provision, a fine could either be imposed on the legal person in a uniform procedure if fine proceedings were conducted against the member of the executive body or the representative, i.e. the natural person, or in an independent procedure pursuant to Section 30 (4) OWiG. In the case of § 30 (4) OWiG, however, the prerequisite is that proceedings are not initiated against the member of the executive body or the representative of the legal person or that proceedings that have been initiated are discontinued. However, because the legal person cannot commit a misdemeanour, a reproachable misdemeanour of a member of the legal person's executive body must also be established in independent proceedings. The direct corporate liability codified in Article 83 of the GDPR violates the principle of culpability enshrined in German law and can therefore not be applied.

Paragraph6

    II. The immediate appeal of the Berlin public prosecutor's office is directed against this. Prior to a (final) decision on this appeal, it is necessary to stay the proceedings and to obtain a preliminary ruling from the Court of Justice of the European Union pursuant to Article 267(3) TFEU on the questions posed in the decision formula, which concern the interpretation of secondary Union law applicable in the case. There is no established case law in this respect. The decision on the merits depends directly on whether question 1 is answered in the affirmative. If this is the case, Question 2 is of decisive importance for the further fine proceedings. The wording of the relevant national provisions - §§ 9, 30 OWiG, 41 BDSG - can be found in the Annex to this decision.

Paragraph 7

    The immediate appeal of the Berlin Public Prosecutor's Office would be successful if there were no procedural obstacle. This would be the case against the background of § 66 (1) OWiG if the penalty notice formed a sufficient basis for the penalty proceedings. According to this provision, the administrative order imposing a fine must contain "the name of the offence with which the person concerned is charged, the time and place of its commission, the legal characteristics of the administrative offence and the provisions on fines applied". According to established understanding, the administrative order imposing a fine must formally and factually delimit the offence (delimitation function) and sufficiently inform the person concerned about the offence (information function) (cf. BGHSt 23, 336; Senat Verkehrsrecht aktuell 2019, 123 [full text at juris]; OLG Celle ZfSch 2015, 649). The administrative order imposing a fine could fail to meet these requirements if, under the application of section 30 OWiG, fine proceedings could not be conducted directly against an enterprise and the imposition of a fine on an enterprise that was only "involved in the proceedings" or "incidentally involved" under section 30(1) OWiG depended on the fact that a natural person, as a so-called representative, had committed the "incidental offence" - which may have to be specifically described in the administrative order imposing a fine - in a manner attributable to an offence.

Paragraph 8

    (1) According to traditional national law, fines imposed by associations for administrative offences can only be imposed in accordance with § 30 OWiG. According to this provision, certain administrative offences can (only) be attributed to their leaders (representatives). Accordingly, § 30 OWiG requires a connecting act committed by a (natural) person. It stands to reason that in order to fulfil the information and delimitation function, the inducement offence must be designated in the penalty notice. The subsequent imposition of an association fine can only be considered under the application of section 30 OWiG if it can be established that the management person has factually, unlawfully and culpably violated a norm subject to a fine. If this is the case, the association's fine may be imposed under section 30 (1) OWiG in the uniform proceedings conducted against the manager or, after the association has been ordered to participate in the proceedings, in the independent proceedings conducted with the manager as a party to the proceedings or as a secondary party (section 30 (4) OWiG). The possibility of sanctioning the association behind the leader via section 30 OWiG appears as an accessory annex or reflex of the fully criminal act of the natural person. Their act is attributed to the enterprise.

Paragraph9

    This limited liability regime of domestic law contradicts the view represented in national case law (cf. LG Bonn K & R 2021, 133 <ECLI:DE:LGBN:2020:1111.29OWI1.20.00>) that Article 83 of the GDPR, as a primarily applicable Union law, overrides the traditional domestic regime of merely attributing the actions of management persons to legal consequences (§ 30 OWiG) with a rule of direct association liability. The opinion of the Regional Court of Bonn is also shared by the majority in the legal literature (cf. Bergt, DuD 2017, 555 [556, 558]; Boms, ZD 2019, 536 [537]; Brodowski/Nowak in BeckOK DatenschutzR 37. Ed., § 41 BDSG marginal no. 11.3; von dem Bussche, ZD 2021, 154 [160]; Cornelius in Forgó/Helfrich/Schneider, Betrieblicher Datenschutz 3rd ed., Part XIV marginal no. 88; Gassner in Gassner/Seith, OWiG 2nd ed., Einl. marginal no. 69; Gola/Heckmann/Ehmann, BDSG 13th ed, § 41 Rn. 19-21; Grözinger in Müller/Schlothauer/Knauer, Anwaltshandb. StV 3rd ed., § 50 Rn. 139; Kühling/Buchner/Bergt, DS-GVO 3rd ed, Art. 83 marginal no. 20; Qasim, ZD-Aktuell 2021, 05102; Zelger, EuR 2021, 478; Zitzelberger in Esser/Tsambikakis, PandemisstrafR, § 15 marginal no. 49 and many more. ), but also rejected by individual voices, predominantly authors providing legal advice and namely business lawyers (cf. Konrad, CR 2021, 389 [note on LG Bonn]; Kremer, NZWiSt 2021, 314; Moos, MMR Supplement 08, 27; ibid. DSRITP 2021, 161; Nolte/di Fabio, juris-PR-Compl 2/2021 note 2; Wybitul/Venn, ZD 2021, 343; Venn/Wybitul, NStZ 2021, 204 [note on LG Bonn]; Wybitul, ZD 2021, 177; Piltz, § 41 marginal no. 7 et seq.; but cf. also BMI, Evaluierung des Gesetzes zur Anpassung des Datenschutzrechts [Status October 2021] p. 61).

Paragraph10

    In the prevailing legal literature, it is argued that the primacy of application of Union law means that the supranational principles of corporate sanctioning intended and prescribed by Article 83 of the GDPR are normative. Finally, the GDPR was a regulation of the European Union adopted in the ordinary legislative procedure. As secondary law of the Union, it had general application; it was binding in its entirety and directly applicable in every Member State (Article 288 TFEU). This primacy already argues that the attribution of infringements to associations is based on the recognised standards of Union law and not on traditional national attribution principles (in this case: § 30 OWiG) (cf. Brodowski/Nowak in BeckOK DatenschutzR 37th ed., § 41 BDSG marginal no. 11; Bergt in Kühling/Buchner, DS-GVO BDSG 3rd ed. 2020, § 41 BDSG marginal no. 7).

Recital 11

    Accordingly, the Member States are in principle not permitted to weaken the data protection laid down by the Regulation by means of national regulations. European law, historically grown through concerns of undistorted competition and a functioning internal market pursuant to Article 26 (1) TFEU, points out that the data protection provisions of the Regulation may not be weakened by national regulations. TFEU (cf. Faust/Spittka/Wybitul ZD 2016, 120) and founded in EU banking law (Art. 132 and Regulation (EC) No. 25532/98) as well as in EU antitrust law (Art. 101, 102 TFEU and Regulation (EC) No. 1/2003), has completely different structures for punishing infringements compared to German law (cf. Holländer in BeckOK DatenschutzR 37th ed., Art. 83 DS-GVO marginal no. 8.1). According to the established case law of the ECJ, the concept of an undertaking within the meaning of Articles 101 and 102 TFEU is a functional one (cf. only ECJ NJW 1991, 289; NZBau 2007, 190; Emmerich in: Immenga/Mestmäcker, EU-WettbewerbsR 5th ed., Art. 101 TFEU marginal no. 8). The decisive factor was not who was directly active, but rather the concrete active participation of an economic entity in economic life by offering (or demanding) goods or services on a certain market (cf. ECJ EuZW 1999, 93). In order to secure this objective, it was expedient to base regulation not on the legal form or the individual legal entity, but on the economic unit in which the undesirable, e.g. anti-competitive, market conduct had arisen. This functional concept of an enterprise is accompanied by the functional entity principle, which is in contradiction to the German legal entity principle (§§ 9, 30 OWiG) (see Holländer, loc. cit. marginal no. 9; Monopolies Commission BT-Drs. 18/7508, 11 m. f.). N.). The essence of the function bearer principle was that the "material liability for sanctions" was assigned to the enterprise (as an economic unit broadly understood according to practical needs), so that the acts of all employees acting legitimately for an enterprise were also attributable to the enterprise under the law on fines. It was not even necessary to designate the employee and his or her specific act causing the offence (cf. ECJ GRUR Int 2004, 45; Bergt, DuD 2017, 555 ([556]); Holländer, loc. cit. para. 11). This concept entails that the national liability rules are irrelevant (cf. Holländer, loc. cit. marginal no. 10), rather they are superseded. Therefore, § 30 OWiG with its model of accessoriness to the fully criminal act of a management person was also not applicable.

Paragraph 12

    For the understanding of the adoption of the European sanction regime, different arguments are put forward by the LG Bonn and the prevailing literature opinion. In detail:

Paragraph13

    a) The wording of Article 83 of the GDPR already argues in favour of the over-forming of § 30 OWiG by European cartel sanction law. Paragraphs 4 to 6 state that the fine "in the case of an undertaking" is calculated according to its annual turnover. In the provisions on fines, only controllers and processors (Article 4(7) and (8) of the GDPR) as well as the certification body in the case of Article 83(4b) of the GDPR and the supervisory authority in the case of Article 83(4c) of the GDPR are named as addressees, whereby the ECJ has already clarified that a company such as 'Facebook Ireland' is a controller within the meaning of Article 4(7) of the GDPR. Although the decision of the ECJ had been rendered on Art. 2 lit d of Directive 95/46/EC (definition of 'controller'), it was to be used for the interpretation of Art. 4 No. 7 of the GDPR, which is almost identical in content (ECJ, Judgment of 29 July 2019 - C-40/17, juris - FashionId <ECLI:EU:C:2019:629>). The imposition of a fine is thus precisely not linked to a culpable act of the organs or management persons of legal persons or associations of persons (cf. LG Bonn K & R 2021, 133 <ECLI:DE:LGBN:2020:1111.29OWI1.20.00>).

Paragraph14

    Against this interpretation, it is objected that Article 83 (4) to (6) of the GDPR only regulates the amount of the fine, but cannot "extend the group of possible addressees of the fine" (cf. Moos, MMR Supplement 08, 27 [30]).

Paragraph15

    b) The Bonn Regional Court and the (independent) legal literature derive the fact that the GDPR incorporates EU antitrust law not only from the wording of the provision, but also from recital 150 to the GDPR. This states: "Where fines are imposed on undertakings, the term 'undertaking' should be understood for this purpose in the sense of Articles 101 and 102 TFEU." The designated standards of the TFEU use the EU antitrust concept of undertaking ("undertaking"). In the English version of the Regulation, this understanding is already apparent from the use of the same term ("undertaking" as opposed to "enterprise"), which expresses that the function bearer principle is to be applied as a European sanction model, i.e. that the constituent element "undertaking" in Art. 83 GDPR does not refer to the legal subject, but rather functionally to the economic unit (cf. in detail. Zelger, EuR 2021, 478 (481 et seq.); Holländer, loc. cit. marginal no. 13.3).

Recital16

    c) Further recitals to the GDPR also demonstrate the intention of the European legislator to implement European antitrust sanctions law for the purposes of harmonisation and strengthening/effectivisation of data protection law. Recital 9 (Different standards of protection under Directive 95/46/EC), for example, states the objective of ending the "differences in the transposition and application of the Directive", the "different level of protection" and the "legal uncertainty" of the previous data protection law. This recital formulates the objectives of harmonisation and strengthening of European data protection law pursued by the GDPR. Recital 10 (equivalent level of protection despite national leeway) also concerned the objectives of harmonisation and the strengthening of data protection law. Recital 11 (Equal powers and sanctions) argues with particular clarity that the European legislator is also striving for a uniform legal consequences regime. It formulates, among other things, the goal of "equal sanctions" in the event of a "breach" of the GDPR provisions. Recital 13 (consideration of micro-enterprises ...) also formulates the objective of "equivalent sanctions in all Member States". Recital 129 (tasks and powers of supervisory authorities in relation to the Regulation) emphasises the need for "consistent supervision and enforcement of the Regulation". Finally, recital 148 (sanctions) also shows the legislator's desire to "impose sanctions" for infringements "in the interest of more consistent enforcement of the provisions of the Regulation". With regard to the procedure, the text refers to "the general principles of Union law ..." (see in detail LG Bonn K & R 2021, 133 <ECLI:DE:LGBN:2020:1111.29OWI1.20.00>).

Paragraph17

    d) According to the prevailing opinion in the literature, a push-back of the law of the Member States and their liability-limiting attribution rules also results from the degree of harmonisation sought by the GDPR.

Recital18

    aa) Since the sanctioning of breaches of order by associations in the EU is based on different legal traditions, the linking of Art. 83(4) to (6) GDPR with national liability and attribution rules would have the consequence that the sanctioning of undertakings would also be highly inconsistent. This would not only affect the substantive scope of companies' liability for fines, but also the effectiveness of the procedures. The uniform and effective sanctioning of data protection violations intended by the GDPR could obviously not be achieved under the application of Section 30 OWiG (cf. Brodowski/Nowak in BeckOK-DatenschutzR 37th ed., Section 41 BDSG marginal no. 11; Brechtel/Hansen K&R 2021, 138). Rather, the application of § 30 OWiG and other limitations on attribution in the national legal systems is accompanied by a considerable complication of the enforcement of the law (cf. Nägele/Apel/Stolz/Pohl, DB 2021, 1928). In fact, the application of § 30 OWiG often precludes the imposition of corporate fines, and not only in the area of data protection, because the persons acting internally in a company cannot be identified or can only be identified with disproportionate (also intrusive) effort. It was precisely these disadvantages of the legal entity principle in the area of the protection of legal interests, which also promoted an unfair unequal treatment of companies, that had prompted the European legislator to adapt the fairer, more effective and simply more powerful model of the functional entity principle in the GDPR. The LG Bonn (K & R 2021, 133 <ECLI:DE:LGBN:2020:1111.29OWI1. 20.00>) succinctly stated in this regard: "A restriction and weakening of the liability model under Union law by provisions such as in Section 30 (1) OWiG is not covered by Article 83 (8) DS-GVO." In the literature, referring to the European law effet utile, it is formulated that the application of Section 30 OWiG "would ultimately let the fine provisions of the GDPR degenerate into a sword without a sharp blade" (Qasim, ZD-Aktuell 2021, 05102).

Recital19

    bb) Even if the GDPR does not contain an explicit statement on the desired degree of harmonisation (cf. Nietsch/Osmanovic, BB 2021, 1858 with further references), a historical-systematic overall view shows that not a minimum, but a desired full or maximum harmonisation is to be assumed. Already for the Data Protection Directive (Directive 95/46/EC) and, in particular, also for its sanctions regime, the ECJ had assumed a full harmonising effect (see ECJ, EuZW 2012, 37 [para. 29]). There was nothing to suggest that the GDPR pursued a different approach. On the contrary, its regulations, which go into even more detail, confirm the legislature's efforts to harmonise data protection law as far as possible and, as a result, to reduce the Member States' legislative leeway (cf. Kingreen in Calliess/Ruffert, TFEU, TEU, 5th ed., Art. 16 TFEU, marginal no. 4). It is therefore difficult to imagine that such fundamental liability requirements as questions of attribution should be placed in the hands of the Member States. The practical consequence of such a diffusion of competences would be, it is stated, "that equivalent material data protection infringements would be sanctioned in different ways in several Member States or would even remain completely without sanctions, although the GDPR is the authoritative and directly applicable set of rules across borders" (cf. von dem Bussche, ZD 2021, 154).

Paragraph20

    In the predominantly legal literature, it is replicated that the understanding of Art. 83 GDPR as a norm of direct corporate liability referring to European antitrust sanctions law violates binding national law and also supranationally recognised legal principles. Article 83 of the GDPR does not adapt European antitrust sanctions law. But even if this were the case, there would be no primacy of application of Union law. This would be limited by the constitutional principles declared to be "integration-proof" in Article 23 (1) sentence 3 in conjunction with Article 79 (3) of the Basic Law (reference: BVerfG NStZ 2016, 546). The protected goods of the constitutional identity laid down here, which are also protected against encroachments by public authority exercised supranationally, included the principles of Article 1 of the Basic Law, i.e. the obligation of all state authority to respect and protect human dignity (Article 1.1 sentence 2 of the Basic Law), consequently also the principle of guilt enshrined in Article 1.1 of the Basic Law (cf. BVerfG loc. cit.). In detail:

Paragraph21

    a) § 41.1 sentence 1 of the Federal Data Protection Act prohibits fine proceedings against legal persons. The provision states that the provisions of the OWiG apply mutatis mutandis to infringements under Article 83(4) to (6) of the GDPR "unless this Act provides otherwise". § Section 41 (1) sentence 2 BDSG expressly excludes sections 17, 35 and 36 OWiG from this. For procedural law, section 41(2) BDSG contains a corresponding provision, with sections 56 to 58, 87, 88, 99 and 100 OWiG being excluded.

Paragraph22

    From this, the legal literature concludes that administrative fine proceedings conducted in accordance with Article 83 of the GDPR must necessarily observe the attribution and procedural principles of Section 30 of the OWiG (cf. Kirschhöfer, BB 2021, 1043 [1044]; Konrad, CR 2021, 389 [note on LG Bonn]; Moos, MMR Supplement 08, 27; ibid. DSRITP 2021, 161; Wybitul/Venn, ZD 2021, 343; Venn/Wybitul NStZ 2021, 204 [note on LG Bonn]; Wybitul, ZD 2021, 177; Piltz, § 41 marginal no. 7 ff.).

Paragraph23

    Irrespective of the primacy of Union law to be discussed here, it is noticeable in this context that § 30 OWiG has not been excluded from the reference in § 41 BDSG, but by § 41 para. 2 sentence 2 BDSG the procedural provision of § 88 OWiG required for the procedural enforcement of § 30 OWiG has been. § Section 41 BDSG is therefore described as incoherent, dysfunctional and overall "misguided" (cf. Lamsfuß, NZWiSt 2021, 98; Nietsch/Osmanovic, BB 2021, 1858 ["contradictory"]; likewise Brodowski/Nowak in BeckOK-DatenschutzR, 37th ed., Section 41 BDSG marginal no. 11.3). Although the materials do not provide any information on the reason for this diffusion, a classic drafting error seems unlikely in view of the course of the legislative procedure (cf. Stürzl/Lachenmann in Koreng/Lachenmann, Formenhandbuch DatenschutzR 3rd edition, I. Note 19; Nietsch/Osmanovic, BB 2021, 1858 ["consequential error"]; Venn/Wybitul NStZ 2021, 204). It is conceivable, however, that the "removal" of section 30 OWiG was assessed as a politically (not yet) opportune anticipation of the Association Sanctions Act (similarly Nietsch/Osmanovic, BB 2021, 1858: "Existing basic concept should not ... be abandoned en passant").

Paragraph24

    b) As an argument against the adaptation of direct corporate liability, legal literature cites Article 83 (8) of the GDPR. In this provision, the European legislator (also) refers to the law of the Member States to ensure adequate procedural safeguards "including effective judicial remedies and due process".

Paragraph25

    It is objected to this that this provision concerns procedural law, whereas § 30 OWiG at issue - at least in the aspect that is central here - is an attribution provision and consequently a provision of substantive law (cf. LG Bonn K&R 2021, 133 <ECLI:DE:LGBN:2020:1111.29 OWI1.20.00>; Zelger, EuR 2021, 478).

Paragraph26

    c) It is further objected, in particular also by the contested discontinuation order, that a direct corporate responsibility under fine law violates the principle of guilt. The Berlin Regional Court is of the opinion that the state's award of a penalty always requires a link to the culpable act of a natural person. Guilt presupposes the freedom of will and responsibility of the individual to decide for right or wrong. This was lacking in the case of legal persons. Against the background of the principle of culpability, fine proceedings conducted under Article 83 of the GDPR also require a connecting act committed by a human being, which can (only) be attributed to the company under Section 30 OWiG (see Moos, MMR-Beil. 2021 Heft 08, 27; Wybitul/Venn, ZD 2021, 343; Venn/Wybitul, NStZ 2021, 204; Wybitul, ZD 2021, 177; weakened ["to be seen quite critically"] Stürz/Lachenmann in Koreng/Lachenmann, Formularhandbuch 3. Auflage, I. Note 19).

Paragraph27

    d) Furthermore, parts of the literature object that the adaptation of European antitrust law by the GDPR also violates other principles of the principle of legality, namely the requirement of certainty and the prohibition of analogy in Article 103 (2) of the German Constitution (cf. Nietsch/Osmanovic, BB 2021, 1858; Wybitul/Venn, ZD 2021, 343; probably also Lantwin, ZD 2019, 14). These concerns are based, inter alia, on the assessment that European sanctions law is so "fragmentary" (cf. Moos MMR Supplement 08, 27; DSRITP 2021, 161) that no consistent and generally observable model of an association fine can be derived from it.

Paragraph28

    III) If the answer to question 1 is in the affirmative, it is of central importance for the further proceedings according to which standards the "corporate debt" is to be determined. According to Article 23 of the Cartel Regulation referred to in Question 2, fines ("without a penalty-like character") can be imposed on "undertakings and associations of undertakings" if they have committed certain breaches of duty intentionally or negligently. However, with reference to Article 83 (2) (b) of the GDPR, it is argued that the forms of culpability referred to here are not preconditions for punishability in criminal law, but are purely assessment criteria. According to the "strict liability" principle, punishment only requires the establishment of an objective breach of duty (cf. Bergt, DuD 2017, 555; Boms, ZD 2019, 536; Kühling/Buchner/Bergt, DS-GVO 3rd ed., Art. 83 marginal no. 35; this. § 41 BDSG marginal no. 5; Ehmann/Selmayr/Nemitz, DS-GVO 2nd ed., Art. 83 marginal no. 17 f.). The ECJ has also already ruled that specific fault is not required beyond the objective realisation of the offence (ECJ, judgment of 7 June 1983 - C-100/80 - [juris], <ECLI:EU:C:1983:158>: "establishment of the infringement as such" is sufficient).