GDPR Enforcement in Germany
Deep dive into relevant data protection enforcement cases and insights from Germany

Fining practice
Trend: Have the national data protection authorities in Germany focused on certain types of non-compliance with data protection law so far, or have they announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, or monitoring of employees, possibly also in connection with Covid-related home office)? Do you see a focus on certain industries or sectors? If so, which ones?
It cannot be said with certainty whether German data protection authorities deliberately focus on certain types of violations. What can be observed is that the majority of all German fines have been issued either for an insufficient legal basis for data processing (Art. 5 and 6 GDPR) or for deficiencies in the security of processing (Art. 32 GDPR).
The fines imposed in Germany so far cover a fairly balanced range of sectors, in particular the health sector, the finance, insurance and consulting sector, the sector of individuals and private associations, and the processing of employee data. Looking only at the amounts, two of the three largest German fines (those issued against H&M and notebooksbilliger.de, see below) were imposed in connection with the processing of employee data.
Overall, what was the most significant fine in Germany to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
The highest GDPR fine in Germany to date was imposed on H&M Hennes & Mauritz Online Shop A.B. & Co. KG by the Hamburg data protection authority on 1 October 2020 in the amount of EUR 35.26 million for processing employee data without a sufficient legal basis (Enforcement Tracker ID ETid-405). H&M, a fashion company based in Hamburg, operated a service centre in Nuremberg where private information on employees, including special categories of personal data (e.g. symptoms of illness and diagnoses, obtained among other things in "welcome back!" conversations held after absences), had been comprehensively recorded and stored on a network drive since at least 2014. In addition, according to the Hamburg authority, some supervisors also recorded knowledge about employees, for example about family problems and religious beliefs learned from casual workplace conversations. The information stored on the network drive was accessible to up to 50 managers at the company and was used, among other things, to evaluate work performance and to make promotion decisions.
The second highest fine (ETid-519), EUR 10.4 million imposed on notebooksbilliger.de by the Lower Saxony data protection authority in January 2021 for unlawful video surveillance of employees, also related to the processing of employee data.
Organisation of authorities and course of fine proceedings in Germany
How is the data protection authority organised in Germany? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
Germany has a two-level data protection supervision system: a federal authority (BfDI) for federal public bodies and for telecommunications and postal service providers, and 16 state authorities for the private sector and for the public bodies of the respective state.
- 16 independent data protection authorities, one in each of the 16 German federal states. Responsible for enforcing the GDPR and the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG") against private entities and against the public bodies of the respective state.
- The Federal Commissioner for Data Protection and Freedom of Information (BfDI), an independent supervisory authority elected by the Bundestag on a proposal of the Federal Government, with around 300 employees. Responsible for enforcing the GDPR and the BDSG against federal public bodies and against telecommunications and postal service providers.
How does a fine procedure work in Germany? In particular: can the authority itself impose fines? How does the procedure work (e.g. notification of the opening of proceedings (public or addressed to the company alone?), notification of the intention to impose a fine (public or addressed to the company alone?), formal penalty notice)? What legal remedies are available against an imposed fine?
- Fines are imposed directly by the respective federal or state authority as the outcome of administrative fine proceedings; no court is involved at that stage.
- Companies can lodge an objection (Einspruch) against a penalty notice. If the authority does not withdraw the notice, the case is referred to the competent court, i.e. the local court (Amtsgericht) or, for fines exceeding EUR 100,000, the regional court (Landgericht) under Section 41 BDSG; these are the courts that handle regulatory offences, not administrative courts.
- General supervisory proceedings are governed by state or federal administrative procedure law, which is essentially identical across the states; administrative fine proceedings are governed uniformly by the federal Act on Regulatory Offences (Ordnungswidrigkeitengesetz, "OWiG") via Section 41 BDSG.
- Fine proceedings usually start with a formal notification to the company concerned that administrative fine proceedings have been opened, frequently as a consequence of ongoing general supervisory proceedings in which the authority has requested and obtained information from the controller or processor. The company is then given the opportunity to comment on the factual and legal aspects of the case before the authority issues the penalty notice (Bußgeldbescheid). Neither the opening of proceedings nor the intention to impose a fine is published; the notifications are addressed to the company alone.
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
Fines are allocated to the respective state or federal treasury.
Is there a common, official calculation methodology for fines in Germany (such as the fining model published in the Netherlands or the former model of the German DSK)?
There is no binding official calculation methodology for fines. However, the conference of the German data protection authorities (Datenschutzkonferenz, "DSK") published its own fine calculation concept in October 2019, well before the EDPB's Guidelines 04/2022 on the calculation of administrative fines. The DSK concept no longer appears to be applied in practice, both because the EDPB guidelines have superseded it and because German courts had questioned its turnover-based approach, notably the Bonn Regional Court in its 2020 decision on the fine against 1&1, which reduced a EUR 9.55 million fine to EUR 900,000.
Can public authorities be fined in Germany? If they can: Where does this money go?
No fines are imposed on public authorities and other public bodies (Section 43 (3) German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG")). There are a few exceptions, e.g. where public bodies compete in the market as public-sector enterprises and are therefore treated as non-public bodies (Section 2 (5) BDSG). Individual employees of public authorities may also be fined as natural persons if they violate data protection law outside their official duties, i.e. in their private capacity.
In Germany, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
There is no comprehensive publication of fines. Data protection authorities are not required to publish every fine. Remarkable fines are often published in press releases and activity reports. Fined entities are usually not anonymised in the press releases.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?
The respective data protection authorities of the federal states generally publish the number and total amount of fines imposed in their annual reports.
Other legal consequences of non-compliance in Germany
Does Germany have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
The German legal system has different collective redress mechanisms:
- Model declaratory action (Musterfeststellungsklage)
- Collective action for redress (Abhilfeklage)
- Action for injunction (Unterlassungsklage)
In 2023, the German Bundestag passed the Act implementing the EU Representative Actions Directive (Verbandsklagenrichtlinieumsetzungsgesetz, "VRUG"), which entered into force on 13 October 2023. This law introduced the Consumer Rights Enforcement Act (Verbraucherrechtedurchsetzungsgesetz, "VDuG") and thereby significantly expanded the options for collective consumer redress in Germany. Previously, the model declaratory action, introduced in 2018, only allowed consumer organisations to have legal questions affecting a group of consumers clarified. The VRUG complements this with the collective action for redress, which empowers qualified entities to seek compensation directly for consumers within the VDuG framework.
The model declaratory action allows qualified entities, like consumer organisations, to file lawsuits on behalf of groups of consumers. While it does not award individual damages, it obtains a declaratory judgment on common legal issues. This judgment simplifies enforcement of individual claims for consumers who join the proceedings. The provisions for this action are set out in Section 41 VDuG.
The collective action for redress allows consumer organisations to take legal action against companies on behalf of groups of consumers (at least 50) who have suffered harm in similar ways and to claim remedies such as compensation of damages. This is a significant change for Germany as it strengthens consumer rights and allows for more efficient resolution of disputes.
The German Act on Injunctive Relief for Consumer Rights and Other Violations (Unterlassungsklagengesetz, "UKlaG") allows representative actions under limited circumstances in the case of infringements of consumer protection laws. According to Section 2 UKlaG, in the area of data protection, "consumer protection laws" include provisions governing the circumstances under which consumers' personal data may be collected or processed for the purposes of advertising, market or opinion research, the operation of a credit agency, profiling, data trading or comparable commercial purposes. Such actions are limited to injunctive relief and the elimination of the violation; damages cannot be claimed. As with the model declaratory action and the collective action for redress, only qualified entities may bring them.
What is more relevant in Germany: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
As of now, fines imposed by data protection authorities are more relevant than private litigation over data protection infringements, which remains relatively rare. Most likely this is due to high litigation costs combined with the low damages awarded. However, the introduction of the collective action for redress could lead to an increase in private disputes in the near future. In addition, we have observed an increase in the enforcement of data subjects' rights, which is likely to result in more litigation.