On the two-year anniversary of the General Data Protection Regulation (“GDPR”), the topic “Privacy Litigation” comes into focus in Germany. The German data protection authorities are increasingly exercising their powers to monitor and control the provisions of the GDPR, have already imposed the first fines (see „GDPR fines: enforcement practice of the European supervisory authorities“) and the civil courts are dealing with data protection issues as well. For privacy litigation in Germany, various scenarios are possible: Depending on the facts of the case, legal protection is available both before the administrative courts and before the courts of ordinary jurisdiction. Further, provisions concerning administrative, civil and/or criminal proceedings can be applicable.
Practical example: The controller does not answer the data subject’s access request. Upon complaint of the data subject, the German supervisory authority (i) orders to provide the requested information and (ii) imposes a fine. In this case, administrative legal action against the order (competent body: administrative court) and civil action against the fine (competent body: district or local court) are possible. These proceedings are independent and do not set a precedent for each other.
The relevant provision for determining the legal recourse and applicable procedural law is Art. 78 (1) GDPR. Accordingly, each natural or legal person has the right to an effective judicial remedy against the measure of a supervisory authority. The provision as such does not contain any further specification in this respect. Specific provisions are instead found in the German Federal Data Protection Act (“BDSG”), which concretizes the various German code of procedures.
The supervisory authorities have different powers to ensure GDPR compliance (cf. Art. 58 GDPR). These include for example investigative powers in the context of an investigation (e.g. requesting information and/or documents) or corrective powers in the event of a violation (e.g. warning, order, ban on processing). The administrative legal recourse is available for judicial legal protection against such authority measures (cf. Art. 78 (1), (2) GDPR, Sec. 20 (1) Sentence 1 BDSG). The respective procedural law is governed by the Code of Administrative Court Procedure (Verwaltungsgerichtsordnung, “VwGO”). In this regard, the following particularities apply for data protection cases:
In addition to or instead of the above-mentioned corrective powers (not: investigative powers), the supervisory authority may impose fines (cf. Art. 58 (2) lit. i), Art. 83 GDPR). For the respective procedure, the provisions of the Act on Regulatory Offences (Ordnungswidrigkeitengesetz, “OwiG”), the Code of Criminal Procedure (Strafprozessordnung, “StPO”) and the Court Constitution Act (Gerichtsverfassungsgesetz, “GVG”) apply (cf. Sec. 20 (1) Sentence 2, 41 (2) Sentence 1 BDSG). Here again, data protection specific peculiarities apply:
Each Member State defines the rules on sanctions for infringements of the GDPR independently (cf. Art. 84 (1) GDPR). Accordingly, the German legislator has ordered that serious data protection violations, especially in connection with the commercial trade of personal data, are punishable under criminal law (cf. Sec. 43 (1) (2) BDSG). These offences can only prosecuted if a complaint has been filed (cf. Sec. 42 (3) BDGS). The applicable procedural law is based on the provisions of the Code of Criminal Procedure. The local courts are the competent bodies (cf. Sec. 24 (1) GVG). The ban on the use of data breach notifications and communications applies to criminal proceedings as well (cf. Sec. 42 (4) BDSG).+
The civil courts are competent for claims concerning damages due to a GDPR-breach. Depending on the amount of the claimed damages, the district court or the local court is the competent body. The applicable data protection rules provide for a special place of jurisdiction at the place of habitual residence of the person concerned (cf. Art. 82 (6), 79 (2) GDPR, Sec. 44 (1) BDSG).
The breach of statutory provisions intending to regulate the market conduct may lead to claims for elimination and injunctive reliefs under the German act against unfair competition (Gesetz gegen den unlauteren Wettbewerb, “UWG”). The district courts are the competent bodies (cf. Sec. 13 (1) UWG, Sec. 95 (1 no. 5) GVG). However, it has not yet been clarified by a Supreme Court ruling whether the GDPR even constitutes such a market conduct rule. The German courts of instance have so far made inconsistent decisions in this regard.
In case the interpretation of a provision of the GDPR is in question in one of the above court proceedings, it is possible to request that the German court brings the matter before the Court of Justice of the European Union (cf. Art. 267 of the Treaty on the Functioning of the European Union).
After exhaustion of national remedies, there is still the possibility to lodge a constitutional complaint before the Federal Constitutional Court.