Fine against 1&1 legally binding after verdict
Where did this begin?
At the end of 2019, the German data protection authority imposed the highest fine to date in Germany, amounting to almost 10 million Euro, on 1&1 Telecommunication SE. The reason for this was an individual unlawful disclosure of personal data to a third party by telephone.
The company then filed a lawsuit against the fine imposed. In November 2020, 1&1 was subsequently ordered to pay a fine of 900,000 Euro by the competent District Court in Bonn. We have already reported on this procedure in an earlier article: Fines for Data Protection Violations in the EU – What is the Way Forward?
Both sides agreed with the court that they would not appeal the decision any further, and the decision is legally binding.
How did the district court justify the reduction?
The judges confirmed the authority’s approach in its assessment of the facts and the legal justification for the fine.
However, the judges came to a different conclusion regarding the degree of culpability and the size of the fine. The court considered both to be much lower than the authority had, and therefore reduced the fine by more than 90% to 900,000 Euro.
The court has thus fundamentally called into question the Fines concept of the German Data Protection Conference (in German language), which had been adopted by all data protection authorities in Germany. A purely turnover-oriented concept of fines ignores essential aspects of an assessment. Although the turnover serves as an initial orientation, the severity of the violation, the type, the duration, the repetition, the reaction of the party responsible and the implementation of limitation measures, as well as other aspects, must also be taken into account for the assessment. In this respect, the court has given the data protection authorities concrete indications as to how it envisages a suitable basis for decision-making in the future.
You can find the memorandum of judgement here: https://openjur.de/u/2310641.html (in German language)
What consequences will this decision have?
The design of the fine concept currently applied leads to the supposition that further fines will be collected by competent courts in the future. The result of this is that companies affected by high fines will in many cases defend themselves against these decisions in court. Ultimately, the German data protection authorities will also have to revise their concept in order to be taken seriously with their decision-making practice in the future.
However, as the ruling has confirmed the violation of the provisions of the GDPR, it can also be assumed that the authorities will continue to be relentless in prosecuting data protection violations. This means that companies must continue to take special care when implementing the GDPR regulations.