Privacy Litigation: Legal recourse and applicable procedural law in data protection matters in Germany

On the two-year anniversary of the General Data Protection Regulation (“GDPR”), the topic “Privacy Litigation” comes into focus in Germany. The German data protection authorities are increasingly exercising their powers to monitor and control the provisions of the GDPR, have already imposed the first fines (see „GDPR fines: enforcement practice of the European supervisory authorities“) and the civil courts are dealing with data protection issues as well. For privacy litigation in Germany, various scenarios are possible: Depending on the facts of the case, legal protection is available both before the administrative courts and before the courts of ordinary jurisdiction. Further, provisions concerning administrative, civil and/or criminal proceedings can be applicable.

Practical example: The controller does not answer the data subject’s access request. Upon complaint of the data subject, the German supervisory authority (i) orders to provide the requested information and (ii) imposes a fine. In this case, administrative legal action against the order (competent body: administrative court) and civil action against the fine (competent body: district or local court) are possible. These proceedings are independent and do not set a precedent for each other.

The relevant provision for determining the legal recourse and applicable procedural law is Art. 78 (1) GDPR. Accordingly, each natural or legal person has the right to an effective judicial remedy against the measure of a supervisory authority. The provision as such does not contain any further specification in this respect. Specific provisions are instead found in the German Federal Data Protection Act (“BDSG”), which concretizes the various German code of procedures.

A. Administrative recourse: measures of supervisory authorities

The supervisory authorities have different powers to ensure GDPR compliance (cf. Art. 58 GDPR). These include for example investigative powers in the context of an investigation (e.g. requesting information and/or documents) or corrective powers in the event of a violation (e.g. warning, order, ban on processing). The administrative legal recourse is available for judicial legal protection against such authority measures (cf. Art. 78 (1), (2) GDPR, Sec. 20 (1) Sentence 1 BDSG). The respective procedural law is governed by the Code of Administrative Court Procedure (Verwaltungsgerichtsordnung, “VwGO”). In this regard, the following particularities apply for data protection cases:

• No preliminary proceedings necessary, i.e. the general procedure whereby the authority reconsiders its measure before judicial proceedings take place does not apply (Sec. 20 (6) BDSG, Sec. 68 (1) Sentence 2 Clause 1 VwGO)
• The supervisory authority itself and not – as is usually the case its legal representative – is party to the proceedings (cf. 20 (5) No. 2 BDSG)
• Investigative measures of the authorities are contestable before the administrative courts (cf. 78 (1) GDPR, Recital 143 Sentence 5 GDPR). This is in deviation from the basic principle that procedural acts by authorities and the respective factual decision may only be appealed together (cf. Art. 44a VwGO).
• Class actions are admissible (cf. 80 GDPR). This constitutes a deviation from the generally applicable procedural provisions, which do not allow for such class actions. However, there is as of yet no supreme court ruling in Germany on the controversy whether this GDPR opening clause has been legally implemented in German law.

B. Ordinary jurisdiction: sanctions, damages and injunctive reliefs

1. Sanctions under data protection law

1.1 Fines and administrative offence proceedings

In addition to or instead of the above-mentioned corrective powers (not: investigative powers), the supervisory authority may impose fines (cf. Art. 58 (2) lit. i), Art. 83 GDPR). For the respective procedure, the provisions of the Act on Regulatory Offences (Ordnungswidrigkeitengesetz, “OwiG”), the Code of Criminal Procedure (Strafprozessordnung, “StPO”) and the Court Constitution Act (Gerichtsverfassungsgesetz, “GVG”) apply (cf. Sec. 20 (1) Sentence 2, 41 (2) Sentence 1 BDSG). Here again, data protection specific peculiarities apply:

• In case a valid appeal is lodged against the fine, the supervisory authority can either withdraw the regulatory fining notice or forward the files to the public prosecution office. The latter decides on its own whether to stop the proceedings or submit the files to the court which then decides. In deviation from this general procedure, under German data protection law the public prosecutor’s office may only stop the proceedings with the approval of the supervisory authority (cf. 41 (2) BDSG; Art. 69 (4) sentence 2 OWiG).
• The district courts decide if a fine exceeds 100,000 Euros. This is in deviation from the basic rule that the local courts are responsible for administrative offence proceedings (cf. 41 (1) BDSG).
• Data breach notifications and communications according to 33, 34 GDPR may not be used in administrative offence proceedings without the consent of the reporting person (cf. Sec. 43 (4) BDSG).

1.2 Penalties and criminal proceedings

Each Member State defines the rules on sanctions for infringements of the GDPR independently (cf. Art. 84 (1) GDPR). Accordingly, the German legislator has ordered that serious data protection violations, especially in connection with the commercial trade of personal data, are punishable under criminal law (cf. Sec. 43 (1) (2) BDSG). These offences can only prosecuted if a complaint has been filed (cf. Sec. 42 (3) BDGS). The applicable procedural law is based on the provisions of the Code of Criminal Procedure. The local courts are the competent bodies (cf. Sec. 24 (1) GVG). The ban on the use of data breach notifications and communications applies to criminal proceedings as well (cf. Sec. 42 (4) BDSG).+

2. Damages according to art. 82 DSGVO

The civil courts are competent for claims concerning damages due to a GDPR-breach. Depending on the amount of the claimed damages, the district court or the local court is the competent body. The applicable data protection rules provide for a special place of jurisdiction at the place of habitual residence of the person concerned (cf. Art. 82 (6), 79 (2) GDPR, Sec. 44 (1) BDSG).

3. Injunctive relief (GDPR as market conduct rule under German law?)

The breach of statutory provisions intending to regulate the market conduct may lead to claims for elimination and injunctive reliefs under the German act against unfair competition (Gesetz gegen den unlauteren Wettbewerb, “UWG”). The district courts are the competent bodies (cf. Sec. 13 (1) UWG, Sec. 95 (1 no. 5) GVG). However, it has not yet been clarified by a Supreme Court ruling whether the GDPR even constitutes such a market conduct rule. The German courts of instance have so far made inconsistent decisions in this regard.

C. Preliminary ruling procedure

In case the interpretation of a provision of the GDPR is in question in one of the above court proceedings, it is possible to request that the German court brings the matter before the Court of Justice of the European Union (cf. Art. 267 of the Treaty on the Functioning of the European Union).

D. Constitutional complaint as an extraordinary legal remedy

After exhaustion of national remedies, there is still the possibility to lodge a constitutional complaint before the Federal Constitutional Court.