12. Februar 2019 - Fact check on the General Data Protection Regulation

GDPR: fines & penalties


The “enormous fines” under GDPR are being talked about everywhere. Real facts, half-truths and nonsense rumours are mixing together to form a complete jumble. Here you will find the real answers to common questions.

Fakten-Check DSGVO zu den Geldbußen There are currently many questions arising regarding fines under GDPR. This fact check will help clear things up. (image: / NiroDesign)

A lot of uncertainty is arising in practice concerning fines under the General Data Protection Regulation (GDPR). There is often a lot of confusion, particularly in the areas set out in the following.

Sanctions under data protection legislation

Question: What sanctions for violations specifically apply under data protection legislation?

Answer: The key fines are those set out in Art. 83 Para. 4 and 5 GDPR. These two paragraphs set out the circumstances that could lead to a fine. However, it is only the respective supervisory authority that is able to impose such fines.

“Administrative fine” [German: “Geldbuße”] is the term used under Art. 83 GDPR. To avoid any misunderstandings, it should be used as precisely as possible.

Pecuniary penalties [German: “Geldstrafe”] can only be imposed if a criminal offence has been committed. “Data protection offences” are governed by Section 42 Para. 1 and 2 of the German Federal Data Protection Act (BDSG). These offences may be punishable by imprisonment or – as a milder punishment – a fine.

Section 42 BDSG exists because Art. 84 Para. 1 GDPR requires EU member states to provide for additional sanctions alongside those set out in Art. 83 GDPR.

GDPR and BDSG do not recognise regulatory fines [German: “Bußgeld”] for breaches of data protection. Section 43 Para. 1 BDSG does contain provisions regarding such fines.

However, technically these have nothing to do with data protection. They merely concern breaches of specific obligations associated with consumer loan contracts.

These obligations are governed by Section 30 Para. 1 and 2 BDSG. However, they do not relate to data protection.

Further sanctions

Question: Are there other regulations that provide for sanctions?

Answer: For specific areas, yes. Examples include the following:

  • A doctor that divulges patient data to their friends or family has breached the doctor’s duty of confidentiality (governed by Section 203 of the German Penal Code (StGB)).
  • An employee of an authority that discloses business data without authorisation may be subject to punishment on account of breach of official secrets (Section 353 StGB).

Such provisions are closely related to the protection of personal data. They apply alongside GDPR.

Possible addressees of GDPR fines

Question: Whom can fines be imposed upon under Art. 83 GDPR?

Answer: Only upon a “controller”. This term often causes some confusion.

What it means is the “data controller” as defined by Art. 4 No. 7 GDPR. In the case of a company, this is the company itself, not the individual employees. Fines against an individual employee are not possible under Art. 83 GDPR.

It is often argued that Art. 4 No. 7 GDPR expressly includes “natural persons” in the category of controllers. However, this does not mean that employees become the controllers themselves.

This refers more to the event that a natural person is the owner of a company. In this case, that person is, of course, also the controller.

Reporting of data breaches

Question: A company reports a breach of the protection of personal data to the supervisory authority as required (Art. 33 GDPR). Can the supervisory authority use this information to impose a fine?

Answer: The supervisory authority cannot use the information from such a report for this purpose; the only exception is when the person obligated to report agrees. This is set out in Section 42 Para. 3 GDPR. Viewed from this angle, reporting a breach of data protection does not seem to involve a risk of sanction.

But be careful: a report can represent cause for the supervisory authority to begin its own investigations. It may then summon employees or other people as witnesses, and the information that they provide may well be used. The statutory regulation does not say: if a controller reports a breach of data protection, the supervisory authority can no longer impose a fine.

As such, the following important advice should be taken into account in practice: if a company has to report a breach of data protection that could represent an offence under Art. 83 Para. 3 and 4, or even a crime, it must seek legal advice!

“Free pass” for the first violation?

Question: Is it true that the supervisory authorities cannot impose fines when a controller breaches GDPR accidentally for the first time (“free pass”)?

Answer: No, this rumour is incorrect. There is a lot of talk of such wishes in the political sphere and among associations. However, they do not reconcile with the wording of Art. 83 Para. 1 GDPR.

The regulation states that an effective fine shall be imposed “in each individual case”.

Contrary to the rumours, things are no different in Austria, either. Austria’s Federal Act concerning the Protection of Personal Data (DSG) contains the following provision in Section 11 Clause 2: “Particularly in the case of first-time violations, the data protection authority shall, in harmony with Art. 58 GDPR, make use of its corrective powers, in particular in the form of warnings.” This wording gives no indication of a “free pass”.

It is also expressly highlighted that Art. 58 GDPR (Powers) is not restricted by such.

Possible to refrain from fines?

Question: Can the data protection supervisory authority still refrain from imposing a fine in individual cases?

Answer: Yes, that is possible. It can be justified in two ways:

  • Either it is argued that the provision of Section 47 Para. 1 of the German Act on Regulatory Offences (OWiG) applies through Section 41 Para. 1 Clause 1 BDSG. This provision states that the supervisory authority may, at its discretion, elect to terminate proceedings relating to regulatory offences.
  • Or reference may be made directly to Art. 83 GDPR (General conditions for imposing administrative fines). This states that a fine must always be proportionate. There are plenty of conceivable cases in which any fine, no matter now small, would be disproportionate.

However, this has nothing to do with a “free pass” for first-time negligent violations.

Can fines come “out of the blue”?

Question: Is it true that notice of a fine can land in your mailbox “out of the blue”?

Answer: No, that is nonsense. Of course there is a formal written hearing before any notice is issued.

This is not only stipulated by the national legislator (Section 41 Para. 1 Clause 1 BDSG in conjunction with the corresponding provisions of OWiG). This obligation would be seen as covered by the principle of the right to a fair trial. It is secured by Art. 47 Para. 2 of the Charter of Fundamental Rights of the European Union.

No fines against authorities?

Question: Is it true that it is not possible for authorities to incur fines?

Answer: Yes, that is true. Art. 83 Para. 7 GDPR permits member states to form an exemption clause. Germany has made use of this in Section 43 Para. 3 BDSG.

But be careful: this exception does not apply if authorities are in competition with private businesses. For example, it does not apply to public hospitals. This is because they are competing with private hospitals.

Special courts for objections?

Question: Is it true that special courts decide on objections to notices of fines?

Answer: There is truth at the heart of this rumour.

Normally the district courts [“Amtsgericht”] are responsible for such proceedings (Section 41 Para. 1 Clause 1 BDSG in conjunction with Section 68 OWiG, supplemented by the provisions of the individual states). However, if a supervisory authority sets a fine of more than 100,000 euros, the responsible regional court [“Landgericht”] shall decide (as set out in Section 41 Para. 1 Clause 2 BDSG).

This differentiation is likely to be of more significance to specialist cases than to everyday business.

In Germany there are currently 638 district courts but just 117 regional courts. It is therefore usually much further to the responsible regional court.

Fines unlimited in amount?

Question: Why does the General Data Protection Regulation provide for fines in an amount that many find mind-boggling?

Counter-question: Would the fines act as a deterrent to international companies otherwise? Their turnover is often in the billions. The threat of possible fines must, therefore, be high.

It has nothing to do with “everyday fines”. Fines in the millions will remain rare individual cases.

Dr. Eugen Ehmann
Dr. Eugen Ehmann is the District President for Lower Franconia (Bavaria). For many years now he has been working intensively with matters of data protection within companies and authorities.