Germany

Main takeaways


  • Enforcement practice significantly shaped by 16 data protection authorities at the federal state level (plus one authority at the federal level with limited competence for the private sector).
  • Various DPA fining decisions successfully challenged in court, including high-level / landmark cases.
  • Incoherent publication practice by German DPAs re GDPR fining activities; only a fraction of cases is published.
  • No class action mechanism yet, but legislative process to implement the Representative Actions Directive into national law ongoing. Individual claims are relevant in some areas already (e.g., employment law), and third-party intermediaries initiated legal action for a variety of individual cases.

Fining practice

Trend: Have the national data protection authorities in Germany focused on certain types of non-compliance with data protection law so far or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees - possibly also due to - Covid related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

It cannot be clearly stated whether German data protection authorities deliberately focus on certain types of violations. However, it can be observed that the majority of all German fines have been issued either due to insufficient legal bases for data processing (Art. 5, 6 GDPR) or due to deficiencies in information security (Art. 32 GDPR).

The fines imposed in Germany so far cover a fairly balanced range of sectors, in particular the real estate sector, the finance, insurance and consulting sectors and the processing of employee data. Looking solely at the amounts of the fines, it can be observed that two of the three largest German fines (H&M and notebooksbilliger.de, see below) have been imposed in connection with the processing of employee data.

Overall, what was the most significant fine in Germany to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

The highest GDPR fine in Germany to date was imposed on H&M Hennes & Mauritz Online Shop A.B. & Co. KG on 1 October 2020 in the amount of EUR 35,26m due to an insufficient legal basis for data processing (ETid-405). It was revealed that H&M - a fashion company based in Hamburg - operated a service centre in Nuremberg, where private information on employees, including special categories of personal data (e.g. symptoms of illness and diagnoses, inter alia obtained from "welcome back!" conversations), had been comprehensively recorded and stored on network storage since at least 2014. In addition, according to the Hamburg data protection authority, some supervisors also obtained knowledge about employees, for example about family problems and religious beliefs, from casual workplace conversations. The information stored on the network storage was accessible to up to 50 managers at the company and was used, among other things, to evaluate work performance and make decisions regarding promotions. The second highest fine (ETid-519) was also related to the processing of employee data.

Hamburg, Germany

Organization of authorities and course of fine proceedings

How is the data protection authority organized in Germany? In particular: What is the annual budget? What is the number of staff? Is the authority assigned to a specific ministry? If so, which one?


  • 16 independent data protection authorities in the 16 German federal states. Responsible for enforcement of the GDPR and the German Federal Data Protection Act towards private entities and public entities in the respective state.
  • The Federal Commissioner for Data Protection and Freedom of Information (BfDI), an independent watchdog elected by the Federal Government, with 220 employees. Responsible for enforcement of the GDPR and the German Federal Data Protection Act towards federal public entities and telecommunication providers.

How does a fine procedure work in Germany? In particular: Can the authority itself impose fines? How does the procedure work (e.g. notification of the opening of proceedings (public/only towards company?), notification of the intention to impose a fine (public/only towards companies?), formal penalty notice)? What legal remedies are possible against an imposed fine?


  • Fines can be directly imposed by the respective federal or state authority as part of administrative proceedings.
  • Administrative proceedings are governed by (essentially similar) state or federal law as well as – in case of fine procedures – a uniform federal law.
  • Proceedings usually start with a formal notification to the respective company on the opening of a fining procedure (frequently as a consequence of an ongoing general administrative proceeding where the DPA has asked for and obtained information from the controller/processor). The respective company has the option to provide its views on the factual and legal aspects of the case before the authority issues the penalty notice (Bußgeldbescheid).
  • Companies may appeal against penalty notices to the competent (criminal) courts.

In Germany, does the data protection authority publish all imposed fines or other procedural steps (e.g. on its website)? Are the affected companies identifiable in such publication?


  • No comprehensive publication of fines. Data protection authorities are not obliged to publish each fine.
  • Publication of remarkable fines in press releases and activity reports.
  • Fined entities are usually not anonymized in press releases.

When fines are imposed by the data protection authority: Where does the money go? (e.g. the state treasury, the authority's budget)?


  • Fines are allocated to the respective state or federal treasury.

Is there a common, official calculation methodology of fines in Germany (such as the fining models in the Netherlands or Germany)?


  • There is no common, official calculation methodology for fines. However, the German data protection conference (Datenschutzkonferenz – "DSK") published a model for the calculation of fines even before the EDPB proposal in 2022. This 'German model' appears to be no longer applied in practice, in view of the EDPB model and earlier court rulings that called the DSK model into question.

Can public authorities be fined in Germany? If yes: Where does this money go?

No fines may be imposed on public authorities and other public bodies (Section 43 (3) German Federal Data Protection Act (Bundesdatenschutzgesetz)). However, there are a few exceptions, e.g. to the extent public bodies compete in the market as public-sector companies. Also, individual employees of public authorities may be fined if they violate data protection laws when acting in their private capacity.

Cologne, Germany

Other legal consequences of non-compliance

Does Germany have model declaratory proceedings / class actions in data protection law, i.e. the possibility for several data subjects to join forces and take legal action together against the data controller?


  • Model declaratory proceedings (Musterfeststellungsklage) pursuant to §§ 606 et seqq. of the German Code of Civil Procedure (Zivilprozessordnung) are also possible for violations of GDPR; with the model declaratory proceedings, it is possible to obtain a declaratory judgement. Such declaratory judgement makes enforcement of individual claims for damages significantly easier for claimants who join the model declaratory proceedings. However, only certain entities (e.g. consumer protection associations) are allowed to pursue such model declaratory proceedings and they may not raise such claims for profit-making purposes.
  • Additionally, the German Law on Injunctions for Consumer Rights and Other Violations (Unterlassungsklagengesetz, UKlaG) allows for class actions under very limited circumstances in case of infringements of consumer rights. According to § 2 UKlaG, in relation to data protection rights, "consumer rights" includes provisions setting out under which circumstances consumers' personal data may be collected or processed for the purposes of advertising, market or opinion research, the operation of a credit agency, profiling, data trading or for comparable commercial purposes. However, any such claims are limited to injunctive relief and elimination of the violation (no claim for damages). As with the model declaratory proceedings, only certain entities may pursue such class actions.
  • As of now, we are not aware of any such model declaratory proceedings or class actions in the context of data protection laws in Germany.

What is more relevant in Germany: Fines from authorities or court proceedings such as claims for damages or injunctions? Is there a trend here for the coming years?


  • As of now, fines imposed by data protection authorities are much more relevant than private litigation regarding data protection infringements, which remains relatively rare. Most likely, this is due to high litigation costs paired with low amounts awarded as damages.
  • It remains to be seen if the ongoing implementation of the EU Representative Actions Directive into national law will lead to a relevant change. From a practical perspective, we consider it likely that established German consumer protection associations as well as new innovative approaches could lead to an increase in private litigation in the near future.
  • Nonetheless, we notice an increase in the enforcement of data subjects' rights which will likely bring more associated litigation in the near future.