Administrative Court Karlsruhe: Likely GDPR shortfalls do not justify administrative fines
29 September 2017
In Germany, a first decision regarding the EU General Data Protection Regulation (GDPR) has been rendered by the Administrative Court of Karlsruhe on 6 July 2017 (10 K 7698/16).
The state data protection commissioner of Baden-Württemberg had issued an order against a credit information agency based on the grounds that future violations against the GDPR were already foreseeable. The commissioner argued that according to Section 38 para.2 sentence 1 of the Federal Data Protection Act (BDSG) the supervisory authority can take necessary measures to ensure compliance with data protection provisions in terms of collection, processing and utilization of personal data.
The court did not follow this line of argumentation. The court confirms that in case of particularly sensitive data the data protection authority may render order even before the unlawful processing operation if the breach in clearly anticipated (e.g Upper Administartive Court Schleswig-Holstein, 12 January 2011 - 4 MB 56/10). However, such situation were not at hand.
In addition, according to the Administrative Court of Karlsruhe, the data protection authorities are not entitled to render decision based on the GDPR before it applies effectively from 25 May 2018. The GDPR is missing an authorization that allows authorities at an early stage to ensure that the new provisions of data protection will be implemented. Such an authorization can be neither found in the current law (BDSG) nor in a regulation by means of a pre-effect.
The decision underlines that entities still have effectively eight months to transform their business operations and organization to GDPR compliance until 25 May 2018. At the same time, the decision shows that companies should not rely on the assumption that data protection authorities will grant an additional grace period thereafter before enforcing the GDPR provisions.
Jan-Peter Ohrtmann (Germany Legal)