4 February 2021
Administrative questionnaires on data processing, notice of a hearing in administrative fine proceedings or fines already imposed by a data protection authority: In all these cases, your next steps should be carefully considered. If you have been contacted by a data protection supervisory authority, the following tips on how to proceed can provide guidance.
Upon becoming aware of an (alleged) data protection breach, the data protection authority will request the company concerned for a statement as a first step. This often takes the form of an administrative questionnaire. The following should be noted:
It is advisable to request access to the case file (according to the provisions of administrative law). The case file may contain internal notes drafted by the authority, which are often helpful to understand the background of the administrative proceedings.
It is often recommendable to cooperate and provide information. Otherwise, the authority can take action itself and, for example, carry out on-site inspections at the company premises.
Caution: Any submitted statement can be used by the authorities in (additional) fine proceedings. The alleged data protection breach, including all measures taken by the company, must therefore be fully clarified internally before a statement is made.
After clarifying the alleged data protection breach, the authority will often conclude the procedure with a so-called corrective measure. This can take the form of a warning, a reprimandor even a ban of further data processing. It is possible to take legal action against all of these measures.
Data protection violations can be punished with up to 4% of the total annual turnover achieved worldwide. A fine can be issued by the authority in addition (!) to the above-mentioned corrective powers.
The procedure to impose fines is a formalised process that is governed by the provisions of the law on administrative offences and the Code of Criminal Procedure. For this reason, special procedural principles apply in favour of the company concerned. These include the presumption of innocence and the principle that no one is forced to incriminate himself. The accused must be given the right to be heard before a fining notice is issued. Fining proceedings therefore begin with a notice of hearing from the authorities. The following points are important:
Upon receiving a notice of hearing, access to the case file should always be requested (this is governed by the provisions of criminal procedure). The authority is obliged to grant access to the complete investigation file. This also includes complaints by third parties about the alleged data protection breach, on the basis of which the authority started the investigation in the first place.
The defence strategy depends on the specific alleged offence. Different strategies are possible, ranging from a refusal to provide information on the one hand to a full confession after a previously negotiated maximum fine with the authority (so-called settlement procedure) on the other. You should always consider that the issuance of a fine by an authority can result in negative publicity for the company. This damage to the company’s image is difficult to recover once a fine has been imposed for the first time.
Legal action is possible both against administrative measures (e.g. a ban on continuing to process data) and against the imposition of fines.
The fines in the H&M case (35.3 million Euros; Hamburg Commissioner for Data Protection and Information Security) and notebooksbilliger.de (10.4 million Euros, Niedersachsen Commissioner for Data Protection) show that the authorities are now outdoing themselves in imposing record fines. However, the fact that such hefty fining notices do not necessarily stand up to judicial scrutiny was recently shown by the ruling of the Regional Court of Bonn in the 1&1 case. Here, the fine of 9.55 million Euros originally imposed by the authorities was reduced by the court to 900,000 Euros. Among other things, the following aspects can be contested in court:
Even if the prospects of success in court are promising, the media attention (once again) increased by a court case can be a dissuasive factor. While the press reports extensively on an (alleged) data protection breach, the coverage of a court case that is ultimately won is often minimal. Therefore, any possible judicial success should be carefully considered against the consequences of negative reporting in the decision on how to proceed.
Administrative measures and orders
Legal action can be taken against an administrative measure or order. The procedure can be outlined as follows:
When taking legal action against a fine, one should not expect fast results. Fundamental (data protection) legal questions can often only be clarified satisfactorily in the second instance:
Are you looking for legal advice concerning a data protection case? Click here to download the article as PDF file and contact our experts.