In this update, we provide you with a brief summary of two recent developments in relation to sanctions imposed under the General Data Protection Regulation ("GDPR").
- Firstly, the Berlin Data Protection Authority ("Berlin DPA") recently announced its willingness to impose multimillion-euro fines for breaches of the GDPR. This shows that significant fines can no longer be ruled out in Germany either. It appears that the Berlin DPA is following in the footsteps of the French Data Protection Authority ("CNIL") and the UK Information Commissioner's Office ("ICO"), which have both previously imposed fines in the millions.
- Secondly, for the first time a court has awarded immaterial damages compensation for a GDPR breach in Austria.
We take a look at what this means for companies and the developments that have been made since the implementation of the GDPR.
Should Germany anticipate so-called 'mega-fines'?
A development that could have expensive consequences: on 13 August 2019, the Berlin DPA announced that the authority is no longer averse to imposing fines in the double-digit millions for violations of the GDPR. However, the company likely to be affected has not been named. There is also no information available on which provisions of the GDPR were infringed. If the Berlin DPA now also imposes fines in the millions, this means a prompt change for Germany, since the last fines to enforce the GDPR in Germany were comparatively low, i.e. listed at a maximum of an average of EUR 29,000 in each case. The Berlin DPA has already begun to raise the rate: it has filed two fines, each in the amount of EUR 200,000; however, the company still has the right to appeal.
According to publicly available information, the Berlin DPA calculated the fine on the basis of the new model for calculating GDPR fines agreed by the Conference of the German "Independent Data Protection Supervisory Authorities of the Federal Government and the States" (Datenschutzkonferenz – "DSK") on 25 June 2019. The DSK is the joint coordination body of the German data protection authorities. The starting point of the new fine model is the aggregate global revenue of the undertaking. On this basis, a so-called "daily rate" is determined. The daily rate is then multiplied by a factor determined by the gravity of the infringement and the nature of the offence and its consequences. The result is then further adjusted on the basis of the rules of Article 83 para. 2 of the GDPR. Finally, the authority assesses whether there are further aggravating or mitigating circumstances which would result in a further adjustment of the fine calculated.
At the beginning of 2019, CNIL had already set a milestone: it imposed a fine of EUR 50 million on Google. A few months later, the ICO followed suit: it announced in a letter of intent that it envisaged imposing fines of over EUR 200 million in one case and EUR 110 million in another.
Dr. Simone Ziegler, data protection specialist in our Frankfurt office, says, "This does not imply that companies should panic, but they should simply be well prepared. We expect that data protection authorities across Europe are tightening fines for non-compliance with GDPR and that some organisations should therefore carefully consider and review their current approach to GDPR risk."
GDPR compensation for immaterial damages caused by unlawful processing of data in Austria
After collecting and storing data about "political affinities" of around 2.2 million Austrians and selling data to parties for election campaigns, the Austrian Post has been ordered by the Austrian Regional Court Feldkirch to pay immaterial damages amounting to EUR 800 in one particular case. Although the judgment is not yet final, it could trigger an avalanche of claims with far-reaching consequences for the Austrian Post. Notably, due to the high sensitivity of the data (political affinities, marital status etc.), this is the first time that a court has decided to award compensation for immaterial damages.
The Austrian Regional Court Feldkirch stated the following:
"The fact that the defendant has identified and recorded party affinities of the claimant without his consent and information justifies non-material damages. In view of the fact that, on the one hand, the political opinion of a person is particularly sensitive data worthy of protection and, on the other hand, the party affinities of the claimant recorded by the defendant have not been disclosed to third parties, an amount of EUR 800 seems appropriate as compensation for the immaterial inconvenience suffered by the claimant."
Article 82 of the GDPR provides that any person who has suffered material or immaterial damage as a result of an infringement of the GDPR is entitled to receive compensation.
However, not every infringement leads to compensation for immaterial damages. The German Regional Court of Karlsruhe dismissed a claim for damages and stated that compensation requires a precise violation of the right of personality. This precise violation must imply an "embarrassing exposure" of a person as a result of the illegal exposure of personal data and must not be merely minor damage. German courts have been cautious about awarding such compensation, since the courts assessed the damages as merely minor immaterial damages. Nevertheless, it is not unlikely that German courts will in future agree with the view of the Feldkirch court and make similar judgments. This is another example of where companies should be cautious.