GDPR Enforcement in Germany
Deep dive into relevant data protection enforcement cases and insights from Germany
Fining practice
Trend: Have the national data protection authorities in Germany focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
It cannot be clearly stated whether German data protection authorities deliberately focus on certain types of violations. However, it can be observed that the majority of all German fines have been issued either due to insufficient legal bases for data processing (Art. 5, 6 GDPR) or due to deficiencies in information security (Art. 32 GDPR).
The fines imposed in Germany so far cover a fairly balanced range of sectors, in particular the health sector, the finance, insurance and consulting sector, the individuals and private associations sector and the processing of employee data. Looking only at the amount of fines, it can be observed that two of the three largest German fines (H&M and notebooksbilliger.de, see below) have been imposed in connection with the processing of employee data.
Overall, what was the most significant fine in Germany to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
The highest GDPR fine in Germany to date was imposed on H&M Hennes & Mauritz Online Shop A.B. & Co. KG on 01 October 2020 in the amount of EUR 35.26m due to an insufficient legal basis for data processing (ETid-405). It was revealed that H&M, a fashion company based in Hamburg, operated a service centre in Nuremberg, where private information on employees, including special categories of personal data (e.g. symptoms of illness and diagnoses, inter alia obtained from "welcome back!" conversations), had been comprehensively recorded and stored on network storage since at least 2014. In addition, according to the Hamburg data protection authority, some supervisors also obtained knowledge about employees, for example about family problems and religious beliefs, from casual workplace conversations. The information stored on the network storage was accessible to up to 50 managers at the company and was used, among other things, to evaluate work performance and make promotion decisions.
The second highest fine (ETid-519) was also related to the processing of employee data.
Organisation of authorities and course of fine proceedings in Germany
How is the data protection authority organised in Germany? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
Germany has a two-level data protection system with a federal authority (BfDI) for public entities and telecoms, and separate state authorities for the private sector.
- 16 independent data protection authorities in the 16 German federal states. Responsible for enforcement of the GDPR and the German Federal Data Protection Act towards private entities and public entities in the respective state.
- The Federal Commissioner for Data Protection and Freedom of Information (BfDI), an independent watchdog elected by the Federal Government, with 301 employees (as of December 2022). Responsible for enforcement of the GDPR and the German Federal Data Protection Act towards federal public entities and telecommunication providers.
How does a fine procedure work in Germany? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
- Fines can be directly imposed by the respective federal or state authority as part of administrative proceedings.
- Administrative proceedings are governed by (essentially similar) state or federal law and, in the case of fine procedures, additionally by a uniform federal law.
- Proceedings usually start with a formal notification to the respective company on the opening of a fining procedure (frequently as consequence of an ongoing general administrative proceeding where the DPA has asked for and obtained information from the controller/processor). The respective company has the option to provide its views on factual and legal aspects of the case, before the authority issues the penalty notice (Bußgeldbescheid).
- Companies can appeal against penalty notices to the competent (criminal) courts.
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
Fines are allocated to the respective state or federal treasury.
Is there a common, official calculation methodology for fines in Germany (such as the fining models in the Netherlands or Germany)?
There is no common, official calculation methodology for fines. However, the German data protection conference (Datenschutzkonferenz – "DSK") published a concept for the calculation of fines even before the EDPB proposal in 2022. This 'German concept' appears to be no longer applied in practice, in view of the EDPB concept and court rulings that questioned the DSK concept.
Can public authorities be fined in Germany? If they can: Where does this money go?
No fines shall be imposed on public authorities and other public bodies (Section 43 (3) German Federal Data Protection Act (Bundesdatenschutzgesetz)). However, there are a few exceptions, e.g. to the extent public bodies compete in the market as public-sector companies. Also, individual employees of public authorities may be fined if they violate data protection laws while acting in their private capacity.
In Germany, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
There is no comprehensive publication of fines. Data protection authorities are not obliged to publish every fine. Remarkable fines are often published in press releases and activity reports. Fined entities are usually not anonymised in the press releases.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?
The respective data protection authorities of the federal states generally publish the number and total amount of fines imposed in their annual reports.
Other legal consequences of non-compliance in Germany
Does Germany have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
The German legal system has different collective redress mechanisms:
- Model declaratory action (Musterfeststellungsklage)
- Collective action for redress (Abhilfeklage)
- Action for injunction (Unterlassungsklage)
On July 7, 2023, the German Bundestag passed the Act implementing the EU Representative Actions Directive (Verbandsklagenrichtlinieumsetzungsgesetz - "VRUG"). This law not only introduced the Consumer Rights Enforcement Act (Verbraucherrechtedurchsetzungsgesetz - "VDuG") but also significantly expanded the options for collective consumer redress in Germany. Previously, the model declaratory action, introduced in 2018, allowed consumer organisations to clarify legal questions affecting a group of consumers. The VRUG now complements this with the collective action for redress, which empowers these organisations to directly seek compensation for consumers within the VDuG framework.
The model declaratory action allows qualified entities, like consumer organisations, to file lawsuits on behalf of groups of consumers. While it does not award individual damages, it obtains a declaratory judgement on common legal issues. This judgement simplifies enforcement of individual claims for consumers who join the proceedings. The provisions for this action are set out in Section 41 VDuG.
The collective action for redress allows consumer organisations to take legal action against companies on behalf of groups of consumers (at least 50) who have suffered harm in similar ways and to claim remedies such as compensation of damages. This is a significant change for Germany as it strengthens consumer rights and allows for more efficient resolution of disputes.
The German Law on Injunctions for Consumer Rights and Other Violations (Unterlassungsklagengesetz, UKlaG) allows for class actions under very limited circumstances in case of infringements of consumer rights. According to § 2 UKlaG, in relation to data protection rights, "consumer rights" includes provisions setting out under which circumstances consumers' personal data may be collected or processed for the purposes of advertising, market or opinion research, the operation of a credit agency, profiling, data trading or for comparable commercial purposes. However, any such claims are limited to injunctive relief and elimination of the violation (no claim for damages). As with the model declaratory proceedings and the collective action for redress, only certain entities may pursue such class actions.
What is more relevant in Germany: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
As of now, fines imposed by data protection authorities are much more relevant than private litigation over data protection infringements, which is still relatively rare. Most likely, this is due to high litigation costs paired with low damages claims. However, the introduction of the new collective action for redress could lead to an increase in private legal disputes in the near future. Additionally, we have observed an increase in the enforcement of data subjects' rights, which is likely to result in more litigation.