Judgment on fines for infringements of data protection requirements
Fines significantly reduced
By judgement of 11 November 2020, the Regional Court of Bonn (LG Bonn, file no. 29 OWi 1/20 LG) significantly reduced fines that the Federal Commissioner for Data Protection and Freedom of Information (BfDI) had imposed on the telecommunications service provider 1&1 at the end of last year.
This is the first judgement in Germany in which a court has taken a position on substantial fines of several million Euro which a data protection authority imposed on a company under the EU General Data Protection Regulation (GDPR) as well as on other controversial issues concerning the application of the GDPR.
The GDPR has been directly applicable in the EU Member States since May 2018. Since then, numerous fining decisions have been issued against companies in Germany; the fines imposed on Deutsche Wohnen and, most recently, H&M have attracted particular attention. As to how fines are calculated, the German data protection authorities published a fines concept in 2019, which has been criticised since it became known.
According to a recent press release issued in the 1&1 case by the Regional Court of Bonn, the court chamber in charge confirmed the decision of the BfDI in principle, but significantly reduced the fines imposed, namely from EUR 9.55 million to EUR 900,000. The reasons for the ruling have not yet been published and the ruling is not yet final (as of 13 NOV 2020). However, the underlying facts of the case as well as the main reasons for the court decision can already be derived from publicly available information:
The proceedings against 1&1 were triggered by criminal charges pressed by a 1&1 customer for stalking: the customer's ex-partner had obtained the customer's new telephone number from the 1&1 call centre after pretending to be his wife, and had only been required to provide the customer's name and date of birth for authentication purposes. The new telephone number was "personal data" within the meaning of the GDPR, which the ex-partner then used for harassing phone calls to the customer. On this factual basis, the BfDI had imposed a fine on 1&1 for a grossly negligent breach of Article 32(1) GDPR on account of the flawed authentication procedure used for the data set in question. According to the BfDI, the company had breached its obligation to take appropriate technical and organisational measures (so-called TOMs) to systematically protect the processing of personal data.
In the objection proceedings before the Regional Court of Bonn, the appropriateness of the amount of the fine was of particular interest. However, this topic was preceded by the preliminary issues of whether, firstly, the disclosure of the telephone number constituted a significant breach of data protection law at all and whether, secondly, imposing an administrative fine would have required an infringement by a manager, as opposed to lower-ranking staff. The Regional Court of Bonn answered the first question in the affirmative, even though it classified the infringement as minor. It considered that the company's mistake as to the appropriateness of its authentication procedure, which it had used for years, could have been avoided. The court answered the second question in the negative: when applying EU law, the imposition of a fine would not depend on the pertinent infringement being committed by a manager.
However, the court considered the negligence of the company to be minor. Therefore, it significantly reduced the fine, by more than 90 per cent. In doing so, the court distanced itself from the BfDI’s calculation of the actual fine, which, as provided for in the authorities' current fining concept, had largely taken into account the consolidated turnover of the undertaking.
Chatham Partners is a law firm specialising in complex issues of EU regulatory law, which includes extensive advice on applicable GDPR requirements. Please feel free to contact us to find out how we can support you if necessary.