The GDPR: Sanctions without culpability?

Wednesday 28 September 2022

Back to Diversity and Equality Law Committee publications

Hans Georg Laimer
ZFZ Zeiler Rechtsanwälte, Vienna
hans.laimer@zeilerfloydzad.com

Melina Peer
ZFZ Zeiler Rechtsanwälte, Vienna
melina.peer@zeilerfloydzad.com

Introduction

With the General Data Protection Regulation (GDPR), a uniform data protection law was created at European Union (EU) level in May 2018. Since the GDPR came into force, data protection law has experienced a considerably increased prominence. This is due to the GDPR’s high level of sanctions in the event of a violation. Sanctions that have already been imposed by authorities throughout the EU have attracted public attention. The extent of the sanctions imposed is quite spectacular and represents a serious threat for companies. Recently, the Austrian Data Protection Authority imposed a €9.5m fine on the Austrian Post.

Despite the record fines already imposed on companies across the EU, some of the most fundamental issues surrounding the sanction process remain highly controversial.

One of these issues could soon be clarified. The European Court of Justice (ECJ) is currently dealing with the question whether imposing sanctions actually requires a managing director’s culpability in violating the GDPR or whether a sanctions can be imposed directly on a company as soon as a violation has taken place.

The current pending case

The proceedings before the ECJ are based on a €14.5m sanction imposed by Berlin’s data protection commissioner directly against a real estate company without specifying any culpable behaviour of a natural person.

In Austrian law, the Austrian Data Protection Act clearly stipulates that the so-called ‘legal entity principle’ applies. According to this principle, the imposition of sanctions on a company requires that either the managing director of the company violates data protection law themselves, or that the managing director enables another person to violate data protection law through lack of supervision or control.

The imposition of a sanctions therefore requires company managing directors to act culpably. This must also be proven by the competent data protection authority and can make the managing director liable for compensation. However, an objective violation of data protection law is generally insufficient.

The GDPR does not stipulate clearly whether sanctions can be imposed directly on a company or whether culpable action by a natural person, especially by managing directors, is required.

In Germany, where the ‘legal entity principle’ is also stipulated in national law, this has already led to inconsistent case law. The Regional Court of Bonn, for example, argued in its decision that rather than the ‘legal entity principle’ the so-called ‘functionary principle’ is applicable when sanctions are imposed on companies based on the GDPR. This would lead to an objective data protection violation being sufficient cause to impose sanctions on a company regardless of the offender. A culpable violation or a lack of control by managing directors would not be required. According to the Regional Court of Bonn, the principle of effectiveness of EU law would be undermined if national liability rules, such as the ‘legal entity principle’ were to restrict possible sanctions under EU law. It would then no longer be guaranteed that the same rules apply throughout the EU, which would be contrary to the regulatory nature of the GDPR.

The Court of Appeals in Berlin, which was called on in appeal proceedings, decided to refer the question of whether sanctions imposed by the Berlin Data Protection Commissioner was effective due to lack of showing culpable misconduct by a managing director to the ECJ. It is therefore up to the ECJ to provide clarity.

Outlook

An ECJ decision is probably not to be expected before 2023. Several pending GDPR sanction proceedings in Austria have been suspended until the ECJ decision.

If the ECJ holds the ‘functionary principle’ applicable in sanction proceedings under the GDPR, it would be sufficient for the authority to establish a violation of data protection law by any natural person in order to impose sanctions. The competent data protection authority would no longer need to determine and prove any culpable behaviour by a managing director. As the latter requirement is in general significantly more difficult, the application of the ‘functionary principle’ would presumably lead to more sanctions being imposed.

A reversal from the previous practice of Austrian data protection authorities in sanctioning companies would in particular raise the question of what company management can do at all to avoid such penalties. The ECJ decision might therefore have a significant impact on internal compliance and data protection risk management.

Nevertheless, it is already crucial to ensure that all employees are comprehensively trained and alerted to data protection law regulations in order to avoid any violations. If a well-organised data protection compliance system can be demonstrated to the competent authority, it is more likely that a reduction in the level of fines can be achieved.

Note

Austrian Data Protection Act, s 30.