The General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (FDPA) have been in force since 25 May 2018. In the meantime, all German federal states have also adapted their data protection acts (LDSG) to the General Data Protection Regulation. Every company should already have implemented the data protection provisions. In the event of a breach of data protection law, substantial fines of up to EUR 20,000,000 or, in the case of a company, of up to 4 percent of its total annual worldwide turnover in the previous financial year could be imposed, whichever is the higher. These fines have a punitive nature and are intended to ensure strict compliance with data protection regulations. Public-sector undertakings are also subject to the threat of a fine, aren’t they?
1 No exemption from fines for public companies competing in the market in the case of a data breach!
Public enterprises can be managed in various forms. First of all, they can be run as municipal enterprises. However, the public sector can also make use of the permissible company forms of private law. Public-sector undertakings fulfil a public purpose and pursue the principle of economic efficiency.
They operate with public funds and are therefore subject to a special responsibility, whereby they must observe special accounting and control regulations. Such companies can be found in many sectors, for example business development and housing construction, public transport, nursing homes, clinics, as well as banks and public utilities providing general public services. At the same time, they are subject to stricter legal standards than companies in the private sector.
By founding municipal companies, certain public objectives are pursued in a corporate form, combined with the classic objectives of an enterprise, such as profit making, liquidity and provision for growth.
The question is whether those entities are subject to the threat of a fine. Regardless of the corporate form, a municipal company remains a part of the administration after all.
2 Are authorities and public bodies subject to the threat of a fine?
A first glance at the law codes and the relevant provisions offers little clarity and contributes even less to an understanding of the matter: the GDPR initially leaves open whether and to what extent fines can be imposed on authorities and public bodies. Rather, the opening clause of Art. 83 (7) GDPR allows national legislators to regulate whether and to what extent fines can be imposed on authorities and public bodies.
The German legislator made use of this so-called opening clause and stipulates in Section 43 (3) German FDPA that no fines shall be imposed on authorities and other public bodies within the meaning of Section 2 (1) German FDPA. So far, so good. But in which cases is the German FDPA even applicable to municipal companies?
It is worth taking a closer look at the relevant provisions. There is no doubt that the German FDPA is applicable to federal authorities. But the German FDPA only applies to state authorities where the particular field of data protection law is not governed by state law. Consequently, the federal authorities are largely subject to the provisions of state data protection law, so attention must also be paid to the respective state data protection act.
For example: on October 4, 2017, the Bavarian State Government passed a bill to amend the Bavarian Data Protection Act (BayDSG). The BayDSG applies to all authorities and other public bodies of the Free State of Bavaria, municipalities, associations of municipalities and other legal entities under public law. In addition, the amended BayDSG stipulates that public bodies shall be regarded as private bodies if they compete in the market as enterprises governed by public law. If so, they will be treated as non-public bodies.
Art. 22 BayDSG also repeats and clarifies that fines are imposed on Bavarian public bodies only to the extent that they compete in the market as undertakings.
There is no quick answer to whether a given undertaking competes in the market; every undertaking must be assessed case by case. As a rule, however, public-sector companies do compete in the market, which is why the data protection provisions must not be underestimated.
3 So it becomes quite clear that public-sector companies are indeed subject to the threat of fines.
The fact that public-sector undertakings are not exempt from the threat of a fine is also consistent with the concept of undertakings under European law: according to recital 150 of the GDPR, the possible addressees of the fines referred to above are ‘undertakings’ and ‘persons who are not undertakings’. The definition of undertaking follows from Articles 101 and 102 TFEU.
Accordingly, in the settled case-law of the European Court of Justice, an undertaking is understood to mean
“any entity engaged in an economic activity, irrespective of its legal form and the way in which it is financed”.
Public undertakings cannot lean back and regard themselves as a public body that is not subject to any threat of fines at all. Instead, public companies must urgently take appropriate measures to comply with the new data protection requirements. These include, among others: ensuring that employees are aware of the correct handling of personal data, and checking, reconsidering and/or creating corporate processes from a data protection perspective. After all, sensible data management can help to get the General Data Protection Regulation under control.
Lana Dachlauer-Baron is an attorney specialising in data protection law at Rödl & Partner GbR.