LG Berlin overturns fine for GDPR violation
In a remarkable ruling from February 18, 2021, the Landgericht (LG) Berlin – the Regional Court of Berlin – declared a million-euro fine imposed in response to a breach of the General Data Protection Regulation (GDPR) invalid.
We at the commercial law firm MTR Rechtsanwälte note that the extent to which companies or legal persons can be issued with a fine for data protection breaches is a contentious legal issue. The Landgericht Berlin has now taken a position on the matter in a judgment from February 18, 2021, making it clear that fines cannot be imposed on legal persons, Az.: (526 OWi LG) 212 Js-OWi 1/20 (1/20).
At the heart of this judgment is a fine of 14.5 million euros that was imposed by Berlin’s Commissioner for Data Protection and Freedom of Information on a real estate company for violating the provisions of the GDPR in the fall of 2019, with the Commissioner citing inadequate data protection standards regarding the retention of tenants’ personal data.
The LG Berlin subsequently overturned this fine, ruling that a legal person cannot be the subject of fine proceedings. This includes cases involving violations of GDPR provisions. The court held that only natural persons can be charged for committing an infringement, and the person in question must be a governing body within the company, a shareholder authorized to represent the company, or some other person in a managerial role, with only the conduct of the legal person’s officers and representatives capable of being attributed to the legal person.
This means that it is necessary to produce evidence proving that the infringement was committed by a person in a position of responsibility within the business before a fine can be imposed against the company for breaching the provisions of the GDPR. The court held that the data protection authority had failed to provide evidence proving that a person in a position of responsibility was in fact personally responsible and to conduct appropriate investigations. Accordingly, the fine was found to be invalid.
The ruling is not yet final. Berlin’s Commissioner for Data Protection and Freedom of Information has since lodged an appeal, arguing that the decision is not consistent with European law. It remains to be seen how the appeal court will rule on the matter.
Businesses ought to prepare themselves for data protection authorities increasingly looking into the personal misconduct of persons in positions of responsibility going forward. Experienced lawyers can advise on data protection issues.