While fines for data protection violations by private sector entities are on everyone’s lips, fines against public bodies remain the exception in Germany. The sociopolitical reasons for this seem plausible at first glance, as fines in the public sector often simply result in a “re-potting” of taxpayers’ money and can have tangible consequences for citizens, especially at the lowest levels of the administrative hierarchy, if, for example, funds for the construction of a new playground are lacking because the municipality has failed to comply with its data protection obligations limitations and alternatives.
Legal framework for (no) fines against public bodies limitations and alternatives
With Article 83 (7) GDPR, the European legislator created a discretionary clause. Allows member states to completely waive fines against public bodies or to limit their scope. The German legislator has made almost full use of this provision and stipulat. BDSG that no fines can be imposed on federal public bodies. The federal states have also followed suit and includ. Clauses in their respective state data protection laws that are structurally very different . Identical in terms of effectiveness (see, for example, usa business fax list Schleswig-Holstein and Hamburg ( Section 2 (3) HmbDSG )).
A constitutional justification for the exclusion of fines against public bodies is not clearly discernible. A possible explanation is provided by the Bavarian legislature in its explanatory memorandum to the BayDSG , which sees neither a necessity nor an appropriateness for a fine against a public body and emphasizes that this type of sanction is foreign to German constitutional law anyway.
Where the fine exception does not apply
At least one exception to the exclusion of fines can be derived from Section 2 Paragraph 5 of the Federal Data Protection Act (BDSG) if public bodies participate in competition as public-law enterprises. The requirement is limited to the constantly updating functionality for competitive status with private. Cmpanies and not to factors such as profit-making intent or the intensity of competition. Typical examples are activities of public-law credit institutions or state hospitals in the areas of, including customer and staff acquisition.
Alternatives to fines
Due to this limited scope of application, there is often talk of an unfair “two-tier system” when comparing public and private bodies when it comes to imposing fines. So, do public bodies largely enjoy carte blanche when it comes to handling personal data?
In a very worthwhile (farewell) interview on netzpolitik.org, the aforementioned former Baden-Württemberg State Director-General Dr. Brink questions the (alleged) lack of alternatives to the fine mechanism and suggests other options: While on the one hand the threat and imposition of fines is enormously important in terms of deterrence, on the other hand the procedures are very complex and personnel-intensive, albania business directory so that they often lead to financial “losses” for the supervisory authorities. This is particularly problematic for public bodies because the tax expenditures are incurred on both sides – the fine itself and the procedural costs of imposing the fine. Dr. Brink therefore advocates alternative approaches.
A brief look at other European countries using the example of the Netherlands
Drawing a comparison with fines against public bodies in other European countries is not easy. This is due to the lack (or unfindable) of statistical surveys in this explicit context. In principle, fines against state institutions are possible but not in France or Austria. The title of “European fine champion” in connection with sanctions against public bodies, however, probably goes to the Netherlands: