Different data protection authorities in each Federal State have the power to investigate complaints and cases, and to order the suspension of processing and/or transfer of data, as well as the destruction of data and other similar actions; these orders can be appealed to the courts.
Individuals can file complaints with data state protection authorities, and can seek a judicial remedy for violations of the law. Warning letters by data subjects, asking the violating party to sign a cease-and-desist declaration. The violating party has to refund the costs for such letters, including attorney’s fees, which may well add up to approximately €1,500 in each individual case. Where the violating party is an enterprise, warning letters may also be sent by competitors, consumer protection organizations and special interest organizations. Consumer protection bodies may issue cease-and-desist letters and also start court proceedings where data protection provisions are to be part of general terms and conditions from a consumer’s point of view. In the future these rights are likely to be extended; they may then cover any breach of data protection provisions. Claims for injunctive relief in case the violating party does not sign a cease-and-desist declaration. The violating party may also have to refund the additional costs, which would probably range at around €2,500 in each individual case. Compensation claims for damages suffered by data subjects and/or competitors and related claims regarding the disclosure of information required to calculate such damages. In most cases, however, it would already be difficult to prove the existence of damages. Claims for profit: If the same type of violation was committed intentionally in a number of cases, the violating party’s profits may be skimmed off and deferred to the state budget. However, this sanction is rarely applied in practice.
Fines of generally up to €300,000 (may be exceeded if the infringement led to higher profits) and up to 2 years imprisonment.
Works councils can file for preliminary injunctions against employers preventing them from putting into operation data processing systems. An employee, manager, director or other individual might also incur liability in tort.
Selected Enforcement Actions / General Comments
Some examples of recent enforcement action in Germany include:
- In 2008, Deutsche Telekom was fined €1.4 million for illegally checking on connection data of phone calls of managers, board members, and others suspected of leaking company confidential information.
- In 2010, Lidl AG, a grocery chain that had allegedly illegally spied on employees with cameras during work hours and that had failed to appoint a DPO, was fined with an overall amount of €1.46 million.
- In a similar case of illegal CCTV surveillance of employees, in 2008 a fine of only €80,000 was levied on Tönnies, one of Europe’s largest butcheries.
- In October 2009, Deutsche Bahn AG accepted a fine in the amount of €1.1 million for screening employee data and comparing it to supplier data in an effort to combat corruption, but without specific suspicions related to individual employees. Also, the CEO was forced to step down, amongst other things for poorly handling this data protection incident.
- In May 2010, the Data Protection Authority of the German state of North Rhine-Westphalia levied a fine of €120,000 on Deutsche Postbank AG for allegedly having granted read access to customer accounts to self-employed agents for sales purposes, who thus gained visibility regarding the then-current financial situation of the customers.
- In a similar case, in November 2010, the Data Protection Authority of Hamburg levied a fine of €200,000 on Hamburger Sparkasse (Haspa) for allegedly having granted read access to customer accounts to self-employed agents for sales purposes, who thus gained permanent visibility regarding the then-current financial situation of the customers.
- In 2011, the financial-services provider “Easycash” was fined €60.000 by the North Rhine-Westphalian Data Protection Authority for transferring customer data regarding debit cards to a subsidiary and eventually to a third party that statistically analyzed these data.
- In June 2013 a fine (amount not made public) was levied upon a trade enterprise by the Bavarian Data Protection Authority for disclosing a large number of e-mail addresses to each of the recipients of the respective e-mail by sending the email via “Cc” instead of “Bcc”.
- In 2013 and 2014, Frankfurt and Berlin courts decided that certain terms and conditions (including data protection provisions) of certain tech companies were invalid and issued injunctions accordingly.
- In its activity report for 2013/2014, the Bavarian Data Protection Authority states that it has imposed administrative fines in the amount of total €200,000 in 117 fine proceedings in 2013 and 2014. According to their report for 2014, the Data Protection authority of the German state of Berlin levied administrative fines in the amount of total €88.205. Note that this is only one out of 16 data protection authorities in Germany.
- In 2014, the Data Protection Authority of the German state of North Rhine-Westphalia imposed a fine of €64,000 on a petrol station operator with nationwide subsidiaries due to unlawful video-monitoring of customers and employees.In 2014, a German relief organization for mentally ill people was fined €18,000 by the Data Protection Authority of the German state of Schleswig-Holstein because of insufficient access protection concerning sensitive patient data.
- In December 2014, the regional German data protection authority (DPA) of Rhineland-Palatinate imposed a record fine of EUR 1.3 million on an insurance company. The sales staff allegedly sought address data of administration customers’ employees in order to offer them insurance products. Also, the public prosecutor initiated investigations against five employees because of an alleged incitement of civil servants to violate secrecy obligations and data protection laws by disclosing details on other officials in order for the insurance company to market services to them. The German Federal Financial Supervisory Authority (BaFin) conducted an investigation and required various improvements of the company’s data protection organisation.