German watchdogs to adopt common GDPR fines policy

Out-Law News | 27 Sep 2019 | 8:32 am | 2 min. read

Germany's data protection authorities are expected to adopt a common approach to the issuing of fines under the General Data Protection Regulation (GDPR) in the coming days, a data protection law expert has said.

The Datenschutzkonferenz (DSK), or Conference of the German Data Protection Authorities, is a body that brings together the various federal and state data protection authorities that exist in Germany.

Data protection law expert Ruth Maria Bousonville of Pinsent Masons, the law firm behind Out-Law, said recent fines issued by the Berlin commissioner for data protection and freedom of information are in line with the approach likely to be advocated under the new common regulation on fines that the DSK is expected to adopt.

According to the Berlin authority, it issued fast food business Delivery Hero with fines totalling more than €195,000 for breaching data protection laws. The fines were imposed in two cases, though the company's actions in a number of other cases have also been considered by the regulator. Most of the cases concerned questions of compliance with the rights of data subjects, the Berlin commissioner said.

The watchdog said Delivery Hero had not deleted accounts of former customers who had not used its platform for years in ten separate cases – in one instance since 2008. It said eight former customers had also complained that they had received unsolicited promotional emails from the company. In one case, one former customer who had expressly objected against the use of their data for advertising purposes received a further 15 advertising emails, the Berlin authority said.

Delivery Hero also failed to meet data subjects' requests for access to their personal data in a further five cases, or did so only after the Berlin data protection commissioner had intervened, according to the watchdog.

Delivery Hero had argued that the breaches were a result of either technical errors or employee oversight, but the Berlin commissioner said that the high number of repeated violations pointed to there being more fundamental structural issues of compliance within the organisation. The regulator said that it had issued numerous warnings to the company over a long period of time in respect of respecting the rights of data subjects.

Delivery Hero's brands were acquired by the group earlier this year, and the proceedings against Delivery Hero gave the new owners an opportunity to review the company's data protection processes, the Berlin commissioner said.

In total, the Berlin commissioner has now issued 27 fines for breaches of data protection law since the GDPR took effect. The authority's first notable fine was issued against online bank N26 in March this year after it determined the bank had wrongly blacklisted the names of former customers for money laundering prevention purposes regardless of whether they were suspected of money laundering or not. N26 was issued with a fine of €50,000 in relation to the breach.

Bousonville of Pinsent Masons said: "These latest fines from Berlin come at a time where everyone is eagerly awaiting the pending adoption of a common fine scheme by the DSK. The new policy is expected to be discussed at the DSK's plenary sessions on 6 and 7 October after which we can expect details to be published."

"The Berlin decisions underscore that the German authorities first advise and foster improvement before issuing fines, and it is unlikely that there will be a turnaround from this current approach. Yet, this decision also makes it very clear that conscious non-compliance will be punished," she said.