LG Berlin - (526 OWi LG) 212 Js-OWi 1/20 (1/20), 526 OWiG LG 1/20: Difference between revisions

From GDPRhub
(11 intermediate revisions by 4 users not shown)
Line 7: Line 7:
|Court_With_Country=LG Berlin (Germany)
|Court_With_Country=LG Berlin (Germany)


|Case_Number_Name=Deutsche Wohnen SE
|Case_Number_Name=LG Berlin (526 OWi LG) 212 Js-OWi 1/20 (1/20), 526 OWiG LG 1/20
|ECLI=
|ECLI=ECLI:DE:LGBE:2021:0218.526OWI.LG212JS.OW.00


|Original_Source_Name_1=LG Berlin (26 große Strafkammer), Beschluss vom 18.02.2021 – (526 OWi LG) 212 Js-OWi 1/20 (1/20)
|Original_Source_Name_1=gesetze.berlin.de
|Original_Source_Link_1=
|Original_Source_Link_1=https://gesetze.berlin.de/perma?d=KORE209362021
|Original_Source_Language_1=German
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Language__Code_1=DE
Line 17: Line 17:
|Date_Decided=18.02.2021
|Date_Decided=18.02.2021
|Date_Published=23.02.2021
|Date_Published=23.02.2021
|Year=
|Year=2021


|GDPR_Article_1=Article 5(1)(b) GDPR
|GDPR_Article_1=Article 83(4) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1b
|GDPR_Article_Link_1=Article 83 GDPR#4
|GDPR_Article_2=Article 5(1)(e) GDPR
|GDPR_Article_2=Article 83(5) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1e
|GDPR_Article_Link_2=Article 83 GDPR#5
|GDPR_Article_3=Article 83(6) GDPR
|GDPR_Article_Link_3=Article 83 GDPR#6
|National_Law_Name_1=§ 41(1) BDSG
|National_Law_Link_1=http://www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html#p0335
|National_Law_Name_2=§ 30 OWiG
|National_Law_Link_2=https://www.gesetze-im-internet.de/englisch_owig/englisch_owig.html#p0156
|National_Law_Name_3=§ 130 OWiG
|National_Law_Link_3=https://www.gesetze-im-internet.de/englisch_owig/englisch_owig.html#p0774


 
|Party_Name_1=Deutsche Wohnen SE
 
|Party_Link_1=https://www.deutsche-wohnen.com/
|Party_Name_1=
|Party_Name_2=BlnBDI
|Party_Link_1=
|Party_Link_2=https://gdprhub.eu/index.php?title=BlnBDI_(Berlin)
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Name_3=
|Party_Link_3=
|Party_Link_3=
Line 37: Line 43:
|Party_Link_5=
|Party_Link_5=


|Appeal_From_Body=
|Appeal_From_Body=BlnBDI (Berlin)
|Appeal_From_Case_Number_Name=
|Appeal_From_Case_Number_Name=711.412.1
|Appeal_From_Status=
|Appeal_From_Status=
|Appeal_From_Link=
|Appeal_From_Link=https://gdprhub.eu/index.php?title=BlnBDI_-_Deutsche_Wohnen_SE_decision
|Appeal_To_Body=
|Appeal_To_Body=KG Berlin
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=3 Ws 250/21 - 161 AR 64/21
|Appeal_To_Status=Unknown
|Appeal_To_Status=
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=n/a
|Initial_Contributor=n/a
|
|}}
}}


The Regional Court Berlin (Landgericht Berlin - LG Berlin) stopped the fine proceeding against the company Deutsche Wohnen SE, which the Data Protection Authority of Berlin fined €14.500.000 for violating Art. 5(1)(c) and (e) GDPR.
The Regional Court Berlin (Landgericht Berlin - LG Berlin) overturned the decision of the DPA of Berlin, to fine Deutsche Wohnen SE €14,500,000 for violating [[Article 5 GDPR#1c|Article 5(1)(c)]] and [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]].


==English Summary==
==English Summary==


===Facts===
===Facts===
The Data Protection Authority of Berlin fined Deutsche Wohnen SE for violating Art. 5 (1) (c) and (e) GDPR. Regarding the DPA the company didn't delete old data of tenants in a sufficient way. The Deutsche Wohnen SE appealed against a fine of the DPA Berlin which was confirmed by the LG Berlin.
The DPA of Berlin fined Deutsche Wohnen SE for violating [[Article 5 GDPR#1c|Article 5(1)(c)]] and [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], because the DPA found that the company did not delete old data of tenants in a sufficient way. Deutsche Wohnen SE processed personal data like proof of identity, work, salary and creditworthiness, as well as data about health insurance, social insurance and tax within the framework of business activities.


The Deutsche Wohnen SE processed data like proofs of identity, work, salary and creditworthiness as well as data about health insurance, social insurance and tax within the framework of business activities.
The Deutsche Wohnen SE did not agree with the DPA's decision and brought the action before court.


===Holding===
===Holding===
The LG Berlin held that the fine notice wasn't valid. The fine notice was enacted against the Deutsche Wohnen SE as a legal entity under private law which is reperesented by its management. But regarding the LG Berlin a legal entity can't be the subject of a fine procedure. According to the LG Berlin, only a natural person could commit an administrative offence in a reproachable way, while the legal entity just could be a secondary party, to which the actions of its representatives or board members are attributable. The DPA Berlin on the contrary held the opinion that a legal entity and a natural person can be treated in the same way in Administrative Offences Law.
The Court held that the fine notice was not valid. The fine notice was enacted against the Deutsche Wohnen SE as a legal entity under private law which is represented by its management. The Court, however, found that a legal entity can't be the subject of a fine procedure. According to the Court, only a natural person could commit an administrative offence in a reproachable way, while the legal entity just could be a secondary party, to which the actions of its representatives or board members are attributable. The DPA, on the contrary, held the opinion that a legal entity and a natural person can be treated in the same way in Administrative Offences Law.
Furthermore the fine notice neither didn't name the board member who committed or ommitted the relevant action nor made any information about time and scene of the administrative offence or on what the reproach is supported. Therefore the fine notice also can't be reinterpreted into a separate decision according to § 30 (4) OWiG without having to adjust the fine procedure.
 
Furthermore, the fine notice did not mention the board member who committed or omitted the relevant action by name, nor contained it information about time and scene of the administrative offence or on what the reproach is supported. Therefore, the fine notice also cannot be reinterpreted into a separate decision according to § 30 (4) OWiG without having to adjust the fine procedure.


==Comment==
==Comment==
Line 67: Line 73:


==Further Resources==
==Further Resources==
''Share blogs or news articles here!''
[https://www.deutsche-wohnen.com/ueber-uns/presse-news/pressemitteilungen/landgericht-berlin-stellt-bussgeldverfahren-gegen-deutsche-wohnen-ein/ Press release by deutsche-wohnen.com (in DE)]
 
[https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2021/20210303-PM-Deutsche_Wohnen.pdf Press release by BlnBDI concerning the appeal (in DE)]


==English Machine Translation of the Decision==
==English Machine Translation of the Decision==
Line 73: Line 81:


<pre>
<pre>
Guiding principle
When imposing a fine for infringements under Article 83(4) to (6) of the GDPR on a legal person, Section 30 OWiG applies via Section 41(1) BDSG.
Tenor
(1) The proceedings are discontinued.
(2) The costs of the proceedings and the necessary expenses of ... shall be borne by the state treasury.
Reasons
I.
1 The affected party is a listed real estate company with its registered office in Berlin. It indirectly holds 162,700 residential units and 3,000 commercial units through shareholdings under company law. The owners of these units are subsidiaries of the affected party, so-called holding companies, which run the operative business and form a group with the affected party. The business activities of the affected parties are focused on higher-level management, such as management, human resources or finance and accounting. The ownership companies rent out the residential and commercial units, and the management of the units is also carried out by group companies, the so-called service companies.
2 In the course of their business activities, the data subject and the aforementioned group companies also process, among other things, personal data of tenants of the residential and commercial units. This occurs in the context of the new letting of a property, the ongoing management of an existing tenancy or also when acquiring properties that have already been let and taking over the tenancies associated with them. This data includes proof of identity (e.g. copies of identity cards), proof of creditworthiness (e.g. bank statements), salary statements, proof of employment, tax, social security and health insurance data as well as information on previous tenancies.
3 On 23 June 2017, the Berlin Commissioner for Data Protection ("BlnBDI" or "Authority") pointed out to the data subject in the context of a so-called on-site inspection pursuant to Section 38 (4) of the Federal Data Protection Act (Bundesdatenschutzgesetz a.F.) that, in its opinion, group companies of the data subject were storing personal data of tenants in an electronic archiving system for which it was not possible to check whether a storage that had taken place was permissible or necessary and for which data that was no longer required could not be deleted, although this had to be done in accordance with the applicable data protection provisions. In view of this circumstance, the authority requested the data subject in a letter dated 8 September 2017 to delete a large number of offending documents from the electronic archiving system by the end of 2017. In a letter dated 22 September 2017, the person concerned informed the authority that the requested deletion of the objectionable documents was not possible for technical and legal reasons. In particular, deleting the documents would first require the old archive data to be transferred to a new archive system, which in turn would have to comply with the statutory retention obligations under commercial and tax law. At the request of the party concerned, a meeting was held on 1 November 2017 between representatives of the authority and the party concerned to discuss these objections, in which the authority expressed the opinion that there were technical solutions on the market that would allow the requested deletions to be implemented. After the party concerned had once again explained in writing on 30 November 2017 that the deletions could not be carried out within the set deadline, the authority requested the party concerned in a letter dated 20 December 2017 to explain in writing the reasons opposing the deletion, in particular any disproportionate effort. 
The data subject responded to this request with an email dated 3 January 2018 and a letter dated 26 January 2018 and reported on the planned construction of a new storage system to replace the previous objectionable system.
4 On 5 March 2020, the BlnBDI then carried out an audit at the corporate headquarters of the data subject, during which a total of 16 random samples were taken from the data stock of the data subject and the data subject informed the authority that the offending archive system had been decommissioned as of 13 February 2020 and that the migration of the data to the new system was imminent. This meeting was followed by further correspondence between the data subject and the authority, in particular the authority requested numerous pieces of information from the data subject, which the data subject provided in several letters.
5 By letter dated 30 August 2020, delivered on 2 September 2020, the authority heard the ... as the person concerned for an administrative offence and informed her that it had initiated administrative offence proceedings against her. With the hearing, the authority requested information on the persons authorised to represent the person concerned, to which the person concerned replied by letter of 12 September 2020. After the party concerned had submitted its comments in a letter dated 30 September 2020, the BlnBDI then issued the penalty notice against the party concerned on 30 October 2020, which was served on the party concerned on 31 October 2020. In the penalty notice of 30 October 2020, the authority imposed a fine of EUR 14,549,503.50 on the data subject for "intentional" violations of Article 25(1), Article 5(1)(a), (c) and (e) and Article 6(1) of the GDPR. The ... as the data subject, had thereafter failed, at least during the period of the offence between 25 May 2018 and 5 March 2019, to take the necessary measures to enable the regular deletion of tenants' data no longer required or otherwise wrongfully stored. The ... had also continued to store personal data of at least fifteen tenants named in more detail, although it had known that the storage was not or no longer necessary and had thus deliberately accepted to violate data protection principles. With regard to the allegations, the ... had acted intentionally.
6 In a letter from her legal representative dated 7 November 2020, the person concerned lodged an objection against the penalty notice, which the authority received by fax on the same day and which the person concerned substantiated in a written statement from her legal representative dated 14 August 2020. In addition to objections to the factual prerequisites and legal consequences of the allegedly violated fine provisions, she stated in particular that there was already a procedural impediment, as the penalty notice listed the ... as the person concerned, which is not provided for in the law on administrative offences.
7 For the further state of affairs, reference is made to the contents of the file.
II.
8 The proceedings were to be discontinued by order pursuant to § 206a of the Code of Criminal Procedure in conjunction with §§ 46, 71 of the Code of Administrative Offences, as there was an impediment to proceedings.
9 1. The penalty notice issued by the Berlin Commissioner for Data Protection and Freedom of Information on 30 October 2019 suffers from such serious deficiencies that it cannot form the basis of the proceedings.
10 a) The penalty notice was issued against ..., thus against a European Company, a legal person under private law with its own legal personality within the meaning of section 1 (1) of the German Stock Corporation Act (AktG) in conjunction with sections 1 et seq. SEAG in conjunction with Article 1(3) of Council Regulation (EC) No. 2157/2001 of 8 October 2001 on the Statute for a European company. The ... was treated by the BlnBDI as an affected party within the meaning of the Administrative Offences Act. She was accused of deliberately committing administrative offences in numerous places in the penalty notice. In the statement of the Berlin Commissioner for Data Protection and Freedom of Information of 28 October 2020 on the grounds for objection by the person concerned, the authority confirmed that the decision was directed solely against ..., represented by its management.
11 However, a legal person cannot be a party to administrative fine proceedings, including those under Article 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR). This is because only a natural person can be accused of committing an administrative offence. The legal person can only be held responsible for the actions of its members or representatives (the natural persons). Therefore, it can only be a secondary party in the fine proceedings. The imposition of a fine on them is regulated in Section 30 OWiG, which also applies to infringements under Article 83(4) to (6) of the GDPR via Section 41(1) BDSG. According to this provision, a fine can either be imposed on the legal person in a uniform procedure if fine proceedings are conducted against the member of the executive body or representative, i.e. the natural person, because of the offence, or in an independent procedure pursuant to Section 30 (4) OWiG. The prerequisite is, of course, that proceedings are not initiated or are discontinued because of the offence committed by the member of the executive body or representative of the legal person. However, since the legal person itself cannot commit a misdemeanour, a reproachable misdemeanour committed by a member of the legal person's executive body must also be established in these so-called independent proceedings.
12 The penalty notice of 30 October 2019 that is the subject of the proceedings was obviously not issued as an independent notice pursuant to section 30(4) OWiG. The BlnBDI was not aware of the legal situation described and is of the opinion that a legal person can be treated like a natural person under administrative offences law. The penalty notice was therefore issued in a procedure that is not provided for in the Administrative Offences Act and is therefore not permissible. The notice is therefore invalid (cf. OLG Stuttgart, order of 1 February 1993 - 4 Ss 573/92, MDR 1993, 572).
13 aa) In doing so, the Chamber does not overlook the fact that in the legal literature and by the Regional Court of Bonn (judgment of 11 November 2020 - 29 OWi 1/20, BeckRS 2020, 35663) it is argued that Article 83 of the GDPR alone is a sufficient legal basis for a so-called direct association liability of legal persons (cf. for example: BeckOK DatenschutzR/Holländer DS-GVO Art. 83 marginal no. 9; Kühling/Buchner/Bergt, DS-GVO BDSG, DSGVO Art. 83 marginal no. 20; BeckOK DatenschutzR/Brodowski/Nowak, § 41 BDSG marginal no. 11). According to this view, the General Data Protection Regulation has priority of application over national provisions, as otherwise there could be undesirable distortions of competition in the member states of the European Union with regard to the enforcement of the data protection rules under European law. National provisions such as Section 41(1) BDSG in conjunction with Sections 30, 130 OWiG must be interpreted on the basis of the principle of practical effectiveness (effet utile) in such a way that their application cannot lead to enforcement deficits - and where this is not possible, they must not be applied at all. Finally, the recitals of the General Data Protection Regulation indicate that the European legislator intended to emulate the sanctions regime of European antitrust law, which is based on direct liability of associations. Accordingly, it is not necessary to establish an act by a natural person, which would have to be attributed to the association (so-called linking act). Rather, the legal person itself was the perpetrator and, according to the directly applicable Union law, also liable.
14 bb) However, the Board is unable to agree with this view.
15 Pursuant to Article 83 GDPR in conjunction with Article 4 No. 7 and 8 GDPR, fines for violations of the GDPR pursuant to Article 83(4) to (6) GDPR are not only to be imposed on natural persons, but also on legal persons as "controller" within the meaning of Article 4 No. 7 GDPR or "processor" within the meaning of Article 4 No. 8 GDPR. However, the Regulation does not contain more detailed provisions on the criminal liability of legal persons for infringements of the GDPR committed by natural persons attributable to them.
16 However, pursuant to Section 41 of the BDSG, the Administrative Offences Act applies to the administrative offence proceedings conducted by the BlnBDI for the imposition of a fine pursuant to Article 83(4-6) of the GDPR. The standard serves - in addition to the general implementation obligation of European law from Articles 197(3) sentence 1, 291(1) of the Treaty on European Union and the Treaty on the Functioning of the European Union (TFEU) - to implement the specific regulatory mandate from Article 83(8) GDPR. Accordingly, Member States shall provide for adequate procedural safeguards, including effective judicial remedies and due process, for the exercise of the powers under Article 83 GDPR by the competent supervisory authority. Section 41(1) of the BDSG therefore declares the Administrative Offences Act applicable to the infringements under Article 83(4) to (6) of the GDPR and thus to the "whether" an offence has been committed, with the exception of Sections 17, 35, 36 of the OWiG. Section 41(2) BDSG regulates the same for proceedings for a violation of Article 83(4) to (6) GDPR. The regulation is necessary because the Administrative Offences Act, according to its Section 2(2) sentence 2, only applies to federal and state law. The non-application order for Sections 17, 35, 36 OWiG follows from the fact that in the regulatory matter underlying these norms, namely the amount of the fine and the competence of the supervisory authority, the General Data Protection Regulation has made conclusive provisions (cf. BT-Drs. 18/11325, p. 108 on Section 41). However, this is not the case with regard to the attribution of culpable conduct, which is why Sections 30, 130 OWiG also remain applicable in the context of infringements under Article 83(4) to (6) of the GDPR (cf. Gola, Datenschutzgrundverordnung, Art. 83, para. 11; Sydow/Popp DS-GVO Art. 83 para. 5, Art. 84 para. 3; Piltz, BDSG Praxiskommentar für die Wirtschaft, § 41 para. 7 et seq.; Schantz/Wolff, Das neue Datenschutzrecht, Rn. 1128, 1132-1135; on the comparable legal situation in Austria: ÖVwGH, Erkenntnis vom 12.5.2020 - Ro 2019/04/0229, ZD 2020, 463; BVwG, Spruch vom 19. August 2019 - W211 2217629-1/10E Rn. 29 et seq.; Spruch vom 23. Oktober 2019 - W258 2227269-1/114E, sub. 3.11).
17 The regulation of the imputation of offences committed by natural persons is necessary because the legal person itself does not act, its organs and representatives do so for it. An administrative offence, however, is an unlawful and reproachable act that constitutes an offence under a law that allows it to be punished with a fine (cf. section 1(1) OWiG). In this respect, the determination of a reproachable conduct of a natural person is the necessary basic prerequisite for the establishment of liability of the legal entity that may be liable.
18 The wording of Section 41(1) sentence 1 BDSG, which provides for the "mutatis mutandis" application of the provisions of the German Administrative Offences Act for infringements under Article 83(4) to (6) of the GDPR, does not - contrary to the opinion of the authority - provide any indication that the provisions of the German Administrative Offences Act would be "restricted" or even selectively not applicable at all. Rather, this reference is a common reference to provisions outside the original text. For this purpose, the legislator has various forms of reference at its disposal. One of them is the so-called reference by analogy, which is connected with the word "mutatis mutandis" or "mutatis mutandis" in a legally correct manner. This is intended to determine that the reference text - in this case the Administrative Offences Act - is not applied literally, but only mutatis mutandis, which is always indicated when the reference text does not fit literally. However, this does not include a restriction of the content to the effect that certain norms of the reference text do not apply at all. In principle, the reference text becomes part of the referring provision (on the whole: Handbuch der Rechtsförmlichkeit, BAnz. No. 160a of 22 September 2008, margin no. 218 ff, 232 ff). Accordingly, it can in no way be deduced from the reference by analogy to the provisions of the Code of Administrative Offences that Sections 30, 130 OWiG would not be applicable or would be applicable in a restricted manner to the facts of the case here.
19 It does not lead to any other result that § 41 paragraph 1 sentence 1 BDSG contains the restrictive phrase "unless this Act provides otherwise". Contrary to the authority's opinion, the term "this Act" does not mean the GDPR. Not only would the GDPR have been incorrectly designated as a "law" in legal terms. The referring law - in this case the Federal Data Protection Act - is always referred to as "this law" (cf. Handbuch der Rechtsförmlichkeit, BAnz. No. 160a of 22 September 2008, margin no. 275 f., 310).
20 The historical legislator of the Federal Data Protection Act apparently assumed the applicability of Sections 30, 130 OWiG in the case of a violation of the GDPR. While the first draft bill on the adaptation of data protection law to Regulation (EU) 2016/679 and the implementation of Directive (EU) 2016/680 (Data Protection Adaptation and Implementation Act EU) in Section 39(1) sentence 2 BDSG-RefE still expressly provided for the non-application of Sections 30, 130 OWiG, this normative command has been deleted in the provision of Section 41(1) sentence 2 BDSG, which has become law and is otherwise identical in wording, and has not been amended by the last amendment of the Federal Data Protection Act, by the second Act on the Adaptation of Data Protection Law of 20 November 2019. In doing so, the legislator was aware of the consequences of its decision at least through the resolution of the 97th Conference of the Independent Data Protection Authorities of the Federation and the Länder of 3 April 2019, which advocates a "clarifying" addition to Section 41(1) sentence 2 BDSG and the non-application of Sections 30, 130 OWiG.
21 The legislature's decision, which is unambiguous in this respect, finds a good reason in the limits of the constitutional order. For the background to the requirement of a link to the act of a natural person is the principle of guilt that follows from the principle of the rule of law in Article 20(3) of the Basic Law (GG), from Article 103(2) GG, from the general freedom of action in Article 2(1) GG and from human dignity in Article 1(1) GG. Without a link to a culpable act, a state pronouncement of punishment is not possible. Every punishment, not only the punishment for criminal wrongdoing, but also the punishment-like sanction for other wrongdoing, which contains elements of repression and retribution and which imposes an evil because of unlawful conduct, is subject to the principle of guilt (BVerfG, decision of 25 October 1966 - 2 BvR 506/63, NJW 1967, 195; judgment of 30 June 1976 - 2 BvR 435/76, NJW 1976, 1883; order of 14 July 1981 - 1 BvR 575/80). This therefore also applies in the law on administrative offences. However, the culpable act of the individual presupposes his or her own responsibility and the freedom of will to decide in favour of right or wrong. The legal person is not able to make this decision, which is why the link to the act of a natural person is always required in this respect. It is in line with this if the current legislative procedure for an association sanctions law in the draft version of § 3 VerSanG-E (cf. BT-Drucksache 19/23568, p. 11) also focuses on the commission of a criminal offence by a management person or the violation of a supervisory duty and insofar adheres to the existing concept of the necessity of the responsibility of a natural person.
22 The reference to the fact that the European legislator intended to model the sanctions regime of European antitrust law with the General Data Protection Regulation, which is why - as there - direct association liability comes into consideration, is also not convincing.
23 First of all, European antitrust law is characterised by the fact that, pursuant to Article 4 of Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty (Cartel Regulation), it is in principle implemented by the European Commission by virtue of its own competence, whereas the GDPR is to be enforced by national supervisory authorities. Although Article 5 of the Cartel Regulation establishes the competence of national competition authorities to apply EU competition law, the scope of these authorities' powers is still governed by national law. Accordingly, national authorities can only prosecute infringements of European law to the extent permitted by national provisions. This also applies in particular to the liability of an undertaking under the law on fines in the sense of the broad concept of an undertaking according to European case law (on this: ECJ, Judgment of 10 September 2009 - C-97/08 - EuZW 2009, 816, 821 [Akzo Nobel and others v. Commission], para. 54 et seq.; ECJ, Judgment of 14 December 2006 - T-259/02, BeckRS 2006, 140069, para. 21). For German law, the national legislator has opted for the legal entity principle, as expressed for example in § 30 OWiG. Accordingly, the imposition of a general corporate fine by German cartel authorities without linking it to the act of a representative is out of the question (cf. BGH, Order of 16 December 2014 - KRB 47/13, NZKart 2015, 272, 275 et seq. [Silostellgebühren III]; decision of 10 August 2011 - KRB 55/10, NJW 2012, 164, 165 [Versicherungsfusion]; OLG Düsseldorf, judgment of 17 December 2012 - V-1 Kart 7/12 (OWi) - NZKart 2013, 166, 167 et seq. [silo storage fees II]). National cartel fine law does not contain any exception to this legal principle even after the latest amendment of the Act against Restraints of Competition (GWB). According to Sections 81 et seq. GWB, a company can only be fined if the offence was committed by a manager himself or by another person, but the manager is guilty of a deliberate or negligent breach of his supervisory duties (Section 130 OWiG). This also applies in particular with regard to the provisions of Sections 81a to 81c ARC. Insofar as a fine to be imposed on an undertaking or an association of undertakings is at issue under these provisions, it is - as was already the case under the predecessor provision of Section 81 (4) sentence 2 GWB - in particular about the assessment of the fine, without the limitation provided for in Section 30 OWiG on the punishment of an offence committed by an organ against the legal person whose organ committed the offence being thereby abolished (cf. BGH, order of 10 August 2011 - KRB 55/10, NJW 2012, 164, 166 [Versicherungsfusion]).
24 In this respect, the reference to recital 150 of the GDPR does not justify the assumption that the European legislator of the GDPR intended the adoption of the entire supranational antitrust sanctions regime. Recital 150 (third sentence) of the GDPR only concerns the assessment of a possible fine. It thus relates to the legal consequence of an infringement and not at all - as, for example, Article 23 of the Cartel Regulation, which empowers the European Commission - to its preconditions. Sentence 3 of the recital reads: "Where fines are imposed on undertakings, the term 'undertaking' should be understood for this purpose in the sense of Articles 101 and 102 TFEU." The wording first presupposes that a fine is imposed on an "undertaking" at all. On the question of how the amount of this fine is to be assessed, recital 150 clearly refers to Article 83(4) to (6) of the GDPR and thus aims to ensure that in the case of a fine being imposed on an "undertaking", the annual turnover of the (directly) affected legal entity is not the sole basis for assessment. Rather, the turnover of the acting economic unit is taken as the basis for assessment - in the sense of Article 101 et seq. TFEU and the broad concept of an undertaking under antitrust law (cf. Immenga/Mestmäcker/Zimmer, Wettbewerbsrecht, Art. 101 (1) TFEU, margin no. 9 et seq.). This interpretation is systematically supported by sentence 4 of the recital, which deals with the calculation of the amount of the fine - and this alone - for natural persons.
25 In the Chamber's view, moreover, the principle of legality of Article 103(2) of the Basic Law does not allow the question of the liability of a legal person in the context of a state sanction order to be manifested by the recitals accompanying a European regulation, which, moreover, are recognisably not part of the regulation itself.
26 Finally, it is also not recognisable to the Chamber that an obligation to adopt the Union law model of association liability should result from the Union law requirement of effectiveness (Art. 197 TFEU). This is because the latter leaves the Member States a margin of discretion in the design of the sanction regime, which is to be filled in a manner that is in conformity with the constitution, in this case in particular in compliance with the principle of culpability (cf. on antitrust law: Böse, ZStW 126 (2014), 132, 155).
27 It is true that it is rightly pointed out that in order to effectively enforce the regulatory objectives of the GDPR, it is necessary that national law allows for effective and sufficiently dissuasive sanctions, which is likely to be accompanied by the duty of national courts to interpret national law in such a way that effective sanctions can be imposed in the event of an infringement of the GDPR. However, the duty to interpret in conformity with Union law finds its limits in the general principles of law, in particular in the principle of legal certainty, insofar as it may not serve as a basis for an interpretation of national law contra legem, i.e. contrary to the methods of judicial determination of the law permissible under national law (cf. ECJ, Judgment of 16 July 2009 - C 12/08, BeckRS 2009, 70805, marginal no. 61 [Mono Car Styling]; BGH, Judgment of 26 November 2008 - VIII ZR 200/0, BGHZ 179, 27 marginal no. 19 et seqq. with further references). These principles are particularly valid for provisions in the field of criminal or administrative offences law (ECJ, Judgment of 16 June 2005 - C-105/03, NJW 2005, 2839 marginal no. 47 [M. Pupino]; KK-OWiG/Rogall, § 3 marginal no. 83 with further references), in the interpretation of which the principle of legality enshrined in German and also European constitutional law (Article 103(2) of the Basic Law, Article 49 of the Charter of Fundamental Rights of the European Union [2007/C 303/01]; Article 7 of the Convention for the Protection of Human Rights and Fundamental Freedoms) and thus also the literal meaning limit is of particular importance.
Accordingly, criminal liability not provided for by law cannot be based on an interpretation in conformity with Union law even if the national regulation at issue could otherwise prove to be contrary to Union law (ECJ, Judgment of 28 June 2012 - C-7/11, BeckRS 2012, 81321 [Caronna]; BGH, Order of 16 December 2014 - KRB 47/13 - Silostellgebühren III, NZKart 2015, 272, 274).
28 The provisions applicable here in §§ 30, 130 OWiG in conjunction with Section 41 BDSG preclude recourse to the data subjects under the law on fines on the basis of the notice that is the subject matter of the proceedings. According to their wording, a culpable act by one of its representatives is required for the liability of the legal person. This requirement cannot be dispensed with by interpreting the provision or by assuming a "sui generis" liability of the association without exceeding the limit of the wording and thus constituting a violation of the prohibition of analogy under Article 103.2 of the Basic Law (see BVerfG, judgment of 11 November 1986 - 1 BvR 713/83, BeckRS 1986, 50, marginal no. 65).
29 Moreover, it has only been stated in a general way that the proof of the commission of an administrative offence is made more difficult by the requirement to prove an act of an executive body in breach of its duties within the meaning of §§ 30, 130 OWiG. However, it has not been shown that this would make it impossible for the acting supervisory authorities. In this case, it is particularly surprising that the violations of data protection laws that are the subject of the proceedings were already identified by the authority in 2017 - and thus before the entry into force of the GDPR -, various on-site meetings took place, information was requested, for example about technical details of data processing, and the data subject also provided corresponding information, but that the authority did not conduct sufficient investigations into the internal responsibilities for the violations complained of. In this case, it is likely that disclosure of the organisational structure in the company of the data subject would have led to an identification of the persons responsible for the data processing operations and thus possibly a breach of supervisory duties could have been demonstrated. Against this background, it is not apparent that effective and dissuasive sanctions cannot be imposed in compliance with Sections 30, 130 OWiG.
30 b) Even if the decision were to be reinterpreted as an independent penalty notice pursuant to § 30.4 OWiG, it would not meet the requirements that would have to be imposed on such a notice as a procedural basis.
31 The administrative order imposing a fine, which takes the place of the indictment in the court proceedings, limits the subject matter of the proceedings in terms of person and matter. The actual and legally specified accusation must result from it (cf. § 66 OWiG). A prerequisite for the imposition of a fine on a legal person in independent proceedings pursuant to section 30 (4) OWiG is, as already explained, that one of its organs has committed an administrative offence that is attributable to the legal person.
32 The penalty notice of 30 October 2019 does not fulfil this delimitation function. The charge is not specific. For example, it does not specify the time and place of the offence or the member of the executive body who culpably and imputably failed to set up an IT system that met the requirements of data protection law or failed to delete relevant data in a timely manner. In view of the authority's legal opinion, the decision does not contain any other information on the specific offence itself or its omission. It cannot be inferred on what basis an accusation is based that the requirements of data protection law were not complied with. This would be all the more necessary, however, since, as can be seen from the file, the authority had conducted investigations into the allegations at the company concerned and had been in contact with it over a longer period of time about the allegations in question, for example, in writing and in personal conversations with employees of the company. In this respect, it would have been possible and necessary to explain the circumstances from which the authority would like to derive a responsibility of the person concerned. Nevertheless, the penalty notice does not contain a concrete accusation against an organ of the legal person. This defect can also no longer be remedied pursuant to §§ 71 paragraph 1 OWiG, 265 StPO (Code of Criminal Procedure) by a reference by the court. Even if the administrative order imposing the fine were to be reinterpreted as an independent administrative order pursuant to section 30 (4) OWiG, the proceedings would therefore have to be discontinued due to a procedural impediment.


33 2. The decision on costs is based on §§ 71 OWiG, 467 paragraph 1, paragraph 3 StPO. It does not appear unreasonable to order the state treasury to pay the necessary expenses of ... since the procedural impediment existed from the outset.
</pre>
</pre>

Latest revision as of 13:09, 21 January 2022

LG Berlin - LG Berlin (526 OWi LG) 212 Js-OWi 1/20 (1/20), 526 OWiG LG 1/20
Court: LG Berlin (Germany)
Jurisdiction: Germany
Relevant Law: Article 83(4) GDPR
Article 83(5) GDPR
Article 83(6) GDPR
§ 41(1) BDSG
§ 30 OWiG
§ 130 OWiG
Decided: 18.02.2021
Published: 23.02.2021
Parties: Deutsche Wohnen SE
BlnBDI
National Case Number/Name: LG Berlin (526 OWi LG) 212 Js-OWi 1/20 (1/20), 526 OWiG LG 1/20
European Case Law Identifier: ECLI:DE:LGBE:2021:0218.526OWI.LG212JS.OW.00
Appeal from: BlnBDI (Berlin)
711.412.1
Appeal to:
Original Language(s): German
Original Source: gesetze.berlin.de (in German)
Initial Contributor: n/a

The Regional Court Berlin (Landgericht Berlin - LG Berlin) overturned the decision of the DPA of Berlin to fine Deutsche Wohnen SE €14,500,000 for violating Article 5(1)(c) and Article 5(1)(e) GDPR.

English Summary

Facts

The DPA of Berlin fined Deutsche Wohnen SE for violating Article 5(1)(c) and Article 5(1)(e) GDPR, because the DPA found that the company did not sufficiently delete old tenant data. In the course of its business activities, Deutsche Wohnen SE processed personal data such as proof of identity, employment, salary and creditworthiness, as well as health insurance, social insurance and tax data.

Deutsche Wohnen SE did not agree with the DPA's decision and brought an action before the court.

Holding

The Court held that the fine notice was not valid. The fine notice was issued against Deutsche Wohnen SE as a legal entity under private law which is represented by its management. The Court, however, found that a legal entity cannot be the subject of a fine procedure. According to the Court, only a natural person can commit an administrative offence in a reproachable way, while the legal entity can only be a secondary party, to which the actions of its representatives or board members are attributable. The DPA, on the contrary, held the opinion that a legal entity and a natural person can be treated in the same way in Administrative Offences Law.

Furthermore, the fine notice did not mention by name the board member who committed or omitted the relevant action, nor did it contain information about the time and place of the administrative offence or the basis of the accusation. Therefore, the fine notice also cannot be reinterpreted into a separate decision according to § 30 (4) OWiG without having to adjust the fine procedure.


Further Resources

Press release by deutsche-wohnen.com (in DE)

Press release by BlnBDI concerning the appeal (in DE)

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Guiding principle

When imposing a fine for infringements under Article 83(4) to (6) of the GDPR on a legal person, Section 30 OWiG applies via Section 41(1) BDSG.

Tenor

(1) The proceedings are discontinued.

(2) The state treasury shall bear the costs of the proceedings and the necessary expenses of ...

Reasons

I.
1 The affected party is a listed real estate company with its registered office in Berlin. It indirectly holds 162,700 residential units and 3,000 commercial units through shareholdings under company law. The owners of these units are subsidiaries of the affected party, so-called holding companies, which run the operative business and form a group with the affected party. The business activities of the affected parties are focused on higher-level management, such as management, human resources or finance and accounting. The ownership companies rent out the residential and commercial units, and the management of the units is also carried out by group companies, the so-called service companies.

2 In the course of their business activities, the data subject and the aforementioned group companies also process, among other things, personal data of tenants of the residential and commercial units. This occurs in the context of the new letting of a property, the ongoing management of an existing tenancy or also when acquiring properties that have already been let and taking over the tenancies associated with them. This data includes proof of identity (e.g. copies of identity cards), proof of creditworthiness (e.g. bank statements), salary statements, proof of employment, tax, social security and health insurance data as well as information on previous tenancies.

3 On 23 June 2017, the Berlin Commissioner for Data Protection ("BlnBDI" or "Authority") pointed out to the data subject in the context of a so-called on-site inspection pursuant to Section 38 (4) of the Federal Data Protection Act (Bundesdatenschutzgesetz a.F.) that, in its opinion, group companies of the data subject were storing personal data of tenants in an electronic archiving system for which it was not possible to check whether a storage that had taken place was permissible or necessary and for which data that was no longer required could not be deleted, although this had to be done in accordance with the applicable data protection provisions. In view of this circumstance, the authority requested the data subject in a letter dated 8 September 2017 to delete a large number of offending documents from the electronic archiving system by the end of 2017. In a letter dated 22 September 2017, the person concerned informed the authority that the requested deletion of the objectionable documents was not possible for technical and legal reasons. In particular, deleting the documents would first require the old archive data to be transferred to a new archive system, which in turn would have to comply with the statutory retention obligations under commercial and tax law. At the request of the party concerned, a meeting was held on 1 November 2017 between representatives of the authority and the party concerned to discuss these objections, in which the authority expressed the opinion that there were technical solutions on the market that would allow the requested deletions to be implemented. After the party concerned had once again explained in writing on 30 November 2017 that the deletions could not be carried out within the set deadline, the authority requested the party concerned in a letter dated 20 December 2017 to explain in writing the reasons opposing the deletion, in particular any disproportionate effort. 
The data subject responded to this request with an email dated 3 January 2018 and a letter dated 26 January 2018 and reported on the planned construction of a new storage system to replace the previous objectionable system.

4 On 5 March 2020, the BlnBDI then carried out an audit at the corporate headquarters of the data subject, during which a total of 16 random samples were taken from the data stock of the data subject and the data subject informed the authority that the offending archive system had been decommissioned as of 13 February 2020 and that the migration of the data to the new system was imminent. This meeting was followed by further correspondence between the data subject and the authority, in particular the authority requested numerous pieces of information from the data subject, which the data subject provided in several letters.

5 By letter dated 30 August 2020, delivered on 2 September 2020, the authority heard the ... as the person concerned for an administrative offence and informed her that it had initiated administrative offence proceedings against her. With the hearing, the authority requested information on the persons authorised to represent the person concerned, to which the person concerned replied by letter of 12 September 2020. After the party concerned had submitted its comments in a letter dated 30 September 2020, the BlnBDI then issued the penalty notice against the party concerned on 30 October 2020, which was served on the party concerned on 31 October 2020. In the penalty notice of 30 October 2020, the authority imposed a fine of EUR 14,549,503.50 on the data subject for "intentional" violations of Article 25(1), Article 5(1)(a), (c) and (e) and Article 6(1) of the GDPR. The ... as the data subject, had thereafter failed, at least during the period of the offence between 25 May 2018 and 5 March 2019, to take the necessary measures to enable the regular deletion of tenants' data no longer required or otherwise wrongfully stored. The ... had also continued to store personal data of at least fifteen tenants named in more detail, although it had known that the storage was not or no longer necessary and had thus deliberately accepted to violate data protection principles. With regard to the allegations, the ... had acted intentionally.

6 In a letter from her legal representative dated 7 November 2020, the person concerned lodged an objection against the penalty notice, which the authority received by fax on the same day and which the person concerned substantiated in a written statement from her legal representative dated 14 August 2020. In addition to objections to the factual prerequisites and legal consequences of the allegedly violated fine provisions, she stated in particular that there was already a procedural impediment, as the penalty notice listed the ... as the person concerned, which is not provided for in the law on administrative offences.

7 For the further state of affairs, reference is made to the contents of the file.

II.
8 The proceedings were to be discontinued by order pursuant to § 206a of the Code of Criminal Procedure in conjunction with §§ 46, 71 of the Code of Administrative Offences, as there was an impediment to proceedings.

9 1. The penalty notice issued by the Berlin Commissioner for Data Protection and Freedom of Information on 30 October 2019 suffers from such serious deficiencies that it cannot form the basis of the proceedings.

10 a) The penalty notice was issued against ..., thus against a European Company, a legal person under private law with its own legal personality within the meaning of section 1 (1) of the German Stock Corporation Act (AktG) in conjunction with sections 1 et seq. SEAG in conjunction with Article 1(3) of Council Regulation (EC) No. 2157/2001 of 8 October 2001 on the Statute for a European company. The ... was treated by the BlnBDI as an affected party within the meaning of the Administrative Offences Act. It was accused of deliberately committing administrative offences in numerous places in the penalty notice. In the statement of the Berlin Commissioner for Data Protection and Freedom of Information of 28 October 2020 on the grounds for objection by the person concerned, the authority confirmed that the decision was directed solely against ..., represented by its management.

11 However, a legal person cannot be a party to administrative fine proceedings, including those under Article 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR). This is because only a natural person can be accused of committing an administrative offence. The legal person can only be held responsible for the actions of its members or representatives (the natural persons). Therefore, it can only be a secondary party in the fine proceedings. The imposition of a fine on them is regulated in Section 30 OWiG, which also applies to infringements under Article 83(4) to (6) of the GDPR via Section 41(1) BDSG. According to this provision, a fine can either be imposed on the legal person in a uniform procedure if fine proceedings are conducted against the member of the executive body or representative, i.e. the natural person, because of the offence, or in an independent procedure pursuant to Section 30 (4) OWiG. The prerequisite is, of course, that proceedings are not initiated or are discontinued because of the offence committed by the member of the executive body or representative of the legal person. However, since the legal person itself cannot commit a misdemeanour, a reproachable misdemeanour committed by a member of the legal person's executive body must also be established in these so-called independent proceedings.

12 The penalty notice of 30 October 2019 that is the subject of the proceedings was obviously not issued as an independent notice pursuant to section 30(4) OWiG. The BlnBDI was not aware of the legal situation described and is of the opinion that a legal person can be treated like a natural person under administrative offences law. The penalty notice was therefore issued in a procedure that is not provided for in the Administrative Offences Act and is therefore not permissible. The notice is therefore invalid (cf. OLG Stuttgart, order of 1 February 1993 - 4 Ss 573/92, MDR 1993, 572).

13 aa) In doing so, the Chamber does not overlook the fact that in the legal literature and by the Regional Court of Bonn (judgment of 11 November 2020 - 29 OWi 1/20, BeckRS 2020, 35663) it is argued that Article 83 of the GDPR alone is a sufficient legal basis for a so-called direct association liability of legal persons (cf. for example: BeckOK DatenschutzR/Holländer DS-GVO Art. 83 marginal no. 9; Kühling/Buchner/Bergt, DS-GVO BDSG, DSGVO Art. 83 marginal no. 20; BeckOK DatenschutzR/Brodowski/Nowak, § 41 BDSG marginal no. 11). According to this view, the General Data Protection Regulation has priority of application over national provisions, as otherwise there could be undesirable distortions of competition in the member states of the European Union with regard to the enforcement of the data protection rules under European law. National provisions such as Section 41(1) BDSG in conjunction with Sections 30, 130 OWiG must be interpreted on the basis of the principle of practical effectiveness (effet utile) in such a way that their application cannot lead to enforcement deficits - and where this is not possible, they must not be applied at all. Finally, the recitals of the General Data Protection Regulation indicate that the European legislator intended to emulate the sanctions regime of European antitrust law, which is based on direct liability of associations. Accordingly, it is not necessary to establish an act by a natural person, which would have to be attributed to the association (so-called linking act). Rather, the legal person itself was the perpetrator and, according to the directly applicable Union law, also liable.

14 bb) However, the Board is unable to agree with this view.

15 Pursuant to Article 83 GDPR in conjunction with Article 4 No. 7 and 8 GDPR, fines for violations of the GDPR pursuant to Article 83(4) to (6) GDPR are not only to be imposed on natural persons, but also on legal persons as "controller" within the meaning of Article 4 No. 7 GDPR or "processor" within the meaning of Article 4 No. 8 GDPR. However, the Regulation does not contain more detailed provisions on the criminal liability of legal persons for infringements of the GDPR committed by natural persons attributable to them.

16 However, pursuant to Section 41 of the BDSG, the Administrative Offences Act applies to the administrative offence proceedings conducted by the BlnBDI for the imposition of a fine pursuant to Article 83(4-6) of the GDPR. The standard serves - in addition to the general implementation obligation of European law from Articles 197(3) sentence 1, 291(1) of the Treaty on European Union and the Treaty on the Functioning of the European Union (TFEU) - to implement the specific regulatory mandate from Article 83(8) GDPR. Accordingly, Member States shall provide for adequate procedural safeguards, including effective judicial remedies and due process, for the exercise of the powers under Article 83 GDPR by the competent supervisory authority. Section 41(1) of the BDSG therefore declares the application of the Administrative Offences Act applicable to the infringements under Article 83(4) to (6) of the GDPR and thus to the "whether" an offence has been committed, with the exception of Sections 17, 35, 36 of the OWiG. Section 41(2) BDSG regulates the same for proceedings for a violation of Article 83(4) to (6) GDPR. The regulation is necessary because the Administrative Offences Act, according to its Section 2(2) sentence 2, only applies to federal and state law. The non-application order for Sections 17, 35, 36 OWiG follows from the fact that in the regulatory matter underlying these norms, namely the amount of the fine and the competence of the supervisory authority, the General Data Protection Regulation has made conclusive provisions (cf. BT-Drs. 18/11325, p. 108 on Section 41). However, this is not the case with regard to the attribution of culpable conduct, which is why Sections 30, 130 OWiG also remain applicable in the context of infringements under Article 83(4) to (6) of the GDPR (cf. Gola, Datenschutzgrundverordnung, Art. 83, para. 11; Sydow/Popp DS-GVO Art. 83 para. 5, Art. 84 para. 3; Piltz, BDSG Praxiskommentar für die Wirtschaft, § 41 para. 7 et seq.; Schantz/Wolff, Das neue Datenschutzrecht, Rn. 1128, 1132-1135; on the comparable legal situation in Austria: ÖVwGH, Erkenntnis vom 12.5.2020 - Ro 2019/04/0229, ZD 2020, 463; BVwG, Spruch vom 19. August 2019 - W211 2217629-1/10E Rn. 29 et seq.; Spruch vom 23. Oktober 2019 - W258 2227269-1/114E, sub. 3.11).

17 The regulation of the imputation of offences committed by natural persons is necessary because the legal person itself does not act, its organs and representatives do so for it. An administrative offence, however, is an unlawful and reproachable act that constitutes an offence under a law that allows it to be punished with a fine (cf. section 1(1) OWiG). In this respect, the determination of a reproachable conduct of a natural person is the necessary basic prerequisite for the establishment of liability of the legal entity that may be liable.

18 The wording of Section 41(1) sentence 1 BDSG, which provides for the "mutatis mutandis" application of the provisions of the German Administrative Offences Act for infringements under Article 83(4) to (6) of the GDPR, does not - contrary to the opinion of the authority - provide any indication that the provisions of the German Administrative Offences Act would be "restricted" or even selectively not applicable at all. Rather, this reference is a common reference to provisions outside the original text. For this purpose, the legislator has various forms of reference at its disposal. One of them is the so-called reference by analogy, which is connected with the word "mutatis mutandis" or "mutatis mutandis" in a legally correct manner. This is intended to determine that the reference text - in this case the Administrative Offences Act - is not applied literally, but only mutatis mutandis, which is always indicated when the reference text does not fit literally. However, this does not include a restriction of the content to the effect that certain norms of the reference text do not apply at all. In principle, the reference text becomes part of the referring provision (on the whole: Handbuch der Rechtsförmlichkeit, BAnz. No. 160a of 22 September 2008, margin no. 218 ff, 232 ff). Accordingly, it can in no way be deduced from the reference by analogy to the provisions of the Code of Administrative Offences that Sections 30, 130 OWiG would not be applicable or would be applicable in a restricted manner to the facts of the case here.

19 It does not lead to any other result that § 41 paragraph 1 sentence 1 BDSG contains the restrictive phrase "unless this Act provides otherwise". Contrary to the authority's opinion, the term "this Act" does not mean the GDPR. Not only would the GDPR have been incorrectly designated as a "law" in legal terms. The referring law - in this case the Federal Data Protection Act - is always referred to as "this law" (cf. Handbuch der Rechtsförmlichkeit, BAnz. No. 160a of 22 September 2008, margin no. 275 f., 310).

20 The historical legislator of the Federal Data Protection Act apparently assumed the applicability of Sections 30, 130 OWiG in the case of a violation of the GDPR. While the first draft bill on the adaptation of data protection law to Regulation (EU) 2016/679 and the implementation of Directive (EU) 2016/680 (Data Protection Adaptation and Implementation Act EU) in Section 39(1) sentence 2 BDSG-RefE still expressly provided for the non-application of Sections 30, 130 OWiG, this normative command has been deleted in the provision of Section 41(1) sentence 2 BDSG, which has become law and is otherwise identical in wording, and has not been amended by the last amendment of the Federal Data Protection Act, by the second Act on the Adaptation of Data Protection Law of 20 November 2019. In doing so, the legislator was aware of the consequences of its decision at least through the resolution of the 97th Conference of the Independent Data Protection Authorities of the Federation and the Länder of 3 April 2019, which advocates a "clarifying" addition to Section 41(1) sentence 2 BDSG and the non-application of Sections 30, 130 OWiG.

21 The legislature's decision, which is unambiguous in this respect, finds a good reason in the limits of the constitutional order. For the background to the requirement of a link to the act of a natural person is the principle of guilt that follows from the principle of the rule of law in Article 20(3) of the Basic Law (GG), from Article 103(2) GG, from the general freedom of action in Article 2(1) GG and from human dignity in Article 1(1) GG. Without a link to a culpable act, a state pronouncement of punishment is not possible. Every punishment, not only the punishment for criminal, but also the punishment-like sanction for other wrongdoing, which contains elements of repression and retribution, which imposes an evil because of unlawful conduct, is subject to the principle of guilt (BVerfG, decision of 25 October 1966 - 2 BvR 506/63, NJW 1967, 195; judgment of 30 June 1976 - 2 BvR 435/76, NJW 1976, 1883; order of 14 July 1981 - 1 BvR 575/80). This therefore also applies in the law on administrative offences. However, the culpable act of the individual presupposes his or her own responsibility and the freedom of will to decide in favour of right or wrong. The legal person is not able to make this decision, which is why the link to the act of a natural person is always required in this respect. It is in line with this if the current legislative procedure for an association sanctions law in the draft version of § 3 VerSanG-E (cf. BT-Drucksache 19/23568, p. 11) also focuses on the commission of a criminal offence by a management person or the violation of a supervisory duty and insofar adheres to the existing concept of the necessity of the responsibility of a natural person.

22 The reference to the fact that the European legislator intended to model the sanctions regime of European antitrust law with the General Data Protection Regulation, which is why - as there - direct association liability comes into consideration, is also not convincing.

23 First of all, European antitrust law is characterised by the fact that, pursuant to Article 4 of Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty (Cartel Regulation), it is in principle implemented by the European Commission by virtue of its own competence, whereas the GDPR is to be enforced by national supervisory authorities. Although Article 5 of the Cartel Regulation establishes the competence of national competition authorities to apply EU competition law, the scope of these authorities' powers is still governed by national law. Accordingly, national authorities can only prosecute infringements of European law to the extent permitted by national provisions. This also applies in particular to the liability of an undertaking under the law on fines in the sense of the broad concept of an undertaking according to European case law (on this: ECJ, Judgment of 10 September 2009 - C-97/08 - EuZW 2009, 816, 821 [Akzo Nobel and others v. Commission], para. 54 et seq.; ECJ, Judgment of 14 December 2006 - T-259/02, BeckRS 2006, 140069, para. 21). For German law, the national legislator has opted for the legal entity principle, as expressed for example in § 30 OWiG. Accordingly, the imposition of a general corporate fine by German cartel authorities without linking it to the act of a representative is out of the question (cf. BGH, Order of 16 December 2014 - KRB 47/13, NZKart 2015, 272, 275 et seq. [Silostellgebühren III]; decision of 10 August 2011 - KRB 55/10, NJW 2012,164, 165 [Versicherungsfusion]; OLG Düsseldorf, judgment of 17 December 2012 - V-1 Kart 7/12 (OWi)- NZKart 2013, 166, 167 et seq. [silo storage fees II]). National cartel fine law does not contain any exception to this legal principle even after the latest amendment of the Act against Restraints of Competition (GWB). According to Sections 81 et seq. GWB, a company can only be fined if the offence was committed by a manager himself or by another person, but the manager is guilty of a deliberate or negligent breach of his supervisory duties (Section 130 OWiG). This also applies in particular with regard to the provisions of Sections 81a to 81c ARC. Insofar as a fine to be imposed on an undertaking or an association of undertakings is at issue under these provisions, it is - as was already the case under the predecessor provision of Section 81 (4) sentence 2 GWB - in particular about the assessment of the fine, without the limitation provided for in Section 30 OWiG on the punishment of an offence committed by an organ against the legal person whose organ committed the offence being thereby abolished (cf. BGH, order of 10 August 2011 - KRB 55/10, NJW 2012, 164, 166 [Versicherungsfusion]).

24 In this respect, the reference to recital 150 of the GDPR does not justify the assumption that the European legislator of the GDPR intended the adoption of the entire supranational antitrust sanctions regime. Recital 150 (third sentence) of the GDPR only concerns the assessment of a possible fine. It thus relates to the legal consequence of an infringement and not at all - as, for example, Article 23 of the Cartel Regulation, which empowers the European Commission - to its preconditions. Sentence 3 of the recital reads: "Where fines are imposed on undertakings, the term 'undertaking' should be understood for this purpose in the sense of Articles 101 and 102 TFEU." The wording first presupposes that a fine is imposed on an "undertaking" at all. On the question of how the amount of this fine is to be assessed, recital 150 clearly refers to Article 83(4) to (6) of the GDPR and thus aims to ensure that in the case of a fine being imposed on an "undertaking", the annual turnover of the (directly) affected legal entity is not the sole basis for assessment. Rather, the turnover of the acting economic unit is taken as the basis for assessment - in the sense of Article 101 et seq. TFEU and the broad concept of an undertaking under antitrust law (cf. Immenga/Mestmäcker/Zimmer, Wettbewerbsrecht, Art. 101 (1) TFEU, margin no. 9 et seq.). This interpretation is systematically supported by sentence 4 of the recital, which deals with the calculation of the amount of the fine - and this alone - for natural persons.

25 In the Chamber's view, moreover, the principle of legality of Article 103(2) of the Basic Law does not allow the question of the liability of a legal person in the context of a state sanction order to be manifested by the recitals accompanying a European regulation, which, moreover, are recognisably not part of the regulation itself.

26 Finally, it is also not recognisable to the Chamber that an obligation to adopt the Union law model of association liability should result from the Union law requirement of effectiveness (Art. 197 TFEU). This is because the latter leaves the Member States a margin of discretion in the design of the sanction regime, which is to be filled in a manner that is in conformity with the constitution, in this case in particular in compliance with the principle of culpability (cf. on antitrust law: Böse, ZStW 126 (2014), 132, 155).

27 It is true that it is rightly pointed out that in order to effectively enforce the regulatory objectives of the GDPR, it is necessary that national law allows for effective and sufficiently dissuasive sanctions, which is likely to be accompanied by the duty of national courts to interpret national law in such a way that effective sanctions can be imposed in the event of an infringement of the GDPR. However, the duty to interpret in conformity with Union law finds its limits in the general principles of law, in particular in the principle of legal certainty, insofar as it may not serve as a basis for an interpretation of national law contra legem, i.e. contrary to the methods of judicial determination of the law permissible under national law (cf. ECJ, Judgment of 16 July 2009 - C 12/08, BeckRS 2009, 70805, marginal no. 61 [Mono Car Styling]; BGH, Judgment of 26 November 2008 - VIII ZR 200/0, BGHZ 179, 27 marginal no. 19 et seqq. with further references). These principles are particularly valid for provisions in the field of criminal or administrative offences law (ECJ, Judgment of 16 June 2005 - C-105/03, NJW 2005, 2839 marginal no. 47 [M. Pupino]; KK-OWiG/Rogall, § 3 marginal no. 83 with further references), in the interpretation of which the principle of legality enshrined in German and also European constitutional law (Article 103(2) of the Basic Law, Article 49 of the Charter of Fundamental Rights of the European Union [2007/C 303/01]; Article 7 of the Convention for the Protection of Human Rights and Fundamental Freedoms) and thus also the literal meaning limit is of particular importance.
Accordingly, criminal liability not provided for by law cannot be based on an interpretation in conformity with Union law even if the national regulation at issue could otherwise prove to be contrary to Union law (ECJ, Judgment of 28 June 2012 - C-7/11, BeckRS 2012, 81321 [Caronna]; BGH, Order of 16 December 2014 - KRB 47/13 - Silostellgebühren III, NZKart 2015, 272, 274).

28 The provisions applicable here in §§ 30, 130 OWiG in conjunction with Section 41 BDSG preclude recourse to the data subjects under the law on fines on the basis of the notice that is the subject matter of the proceedings. According to their wording, a culpable act by one of its representatives is required for the liability of the legal person. This requirement cannot be dispensed with by interpreting the provision or by assuming a "sui generis" liability of the association without exceeding the limit of the wording and thus constituting a violation of the prohibition of analogy under Article 103(2) of the Basic Law (see BVerfG, judgment of 11 November 1986 - 1 BvR 713/83, BeckRS 1986, 50, marginal no. 65).

29 Moreover, it has only been stated in a general way that the proof of the commission of an administrative offence is made more difficult by the requirement to prove an act of an executive body in breach of its duties within the meaning of §§ 30, 130 OWiG. However, it has not been shown that this would make it impossible for the acting supervisory authorities. In this case, it is particularly surprising that the violations of data protection laws that are the subject of the proceedings were already identified by the authority in 2017 - and thus before the entry into force of the GDPR -, various on-site meetings took place, information was requested, for example about technical details of data processing, and the data subject also provided corresponding information, but that the authority did not conduct sufficient investigations into the internal responsibilities for the violations complained of. In this case, it is likely that disclosure of the organisational structure in the company of the data subject would have led to an identification of the persons responsible for the data processing operations and thus possibly a breach of supervisory duties could have been demonstrated. Against this background, it is not apparent that effective and dissuasive sanctions cannot be imposed in compliance with Sections 30, 130 OWiG.

30 b) Even if the decision were to be reinterpreted as an independent penalty notice pursuant to section 30 (4) OWiG, it would not meet the requirements that would have to be imposed on such a notice as a procedural basis.

31 The administrative order imposing a fine, which takes the place of the indictment in the court proceedings, limits the subject matter of the proceedings in terms of person and matter. The actual and legally specified accusation must result from it (cf. § 66 OWiG). A prerequisite for the imposition of a fine on a legal person in independent proceedings pursuant to section 30 (4) OWiG is, as already explained, that one of its organs has committed an administrative offence that is attributable to the legal person.

32 The penalty notice of 30 October 2019 does not fulfil this delimitation function. The charge is not specific. For example, it does not specify the time and place of the offence or the member of the executive body who culpably and imputably failed to set up an IT system that met the requirements of data protection law or failed to delete relevant data in a timely manner. In view of the authority's legal opinion, the decision does not contain any other information on the specific offence itself or its omission. It cannot be inferred on what basis an accusation is based that the requirements of data protection law were not complied with. This would be all the more necessary, however, since, as can be seen from the file, the authority had conducted investigations into the allegations at the company concerned and had been in contact with it over a longer period of time about the allegations in question, for example, in writing and in personal conversations with employees of the company. In this respect, it would have been possible and necessary to explain the circumstances from which the authority would like to derive a responsibility of the person concerned. Nevertheless, the penalty notice does not contain a concrete accusation against an organ of the legal person. This defect can also no longer be remedied pursuant to §§ 71 paragraph 1 OWiG, 265 StPO (Code of Criminal Procedure) by a reference by the court. Even if the administrative order imposing the fine were to be reinterpreted as an independent administrative order pursuant to section 30 (4) OWiG, the proceedings would therefore have to be discontinued due to a procedural impediment.

33 2. The decision on costs is based on §§ 71 OWiG, 467 paragraph 1, paragraph 3 StPO. It does not appear unreasonable to order the state treasury to pay the necessary expenses of ... since the procedural impediment existed from the outset.