Berlin Regional Court I Largely Overturns Multi-Million Euro GDPR Fine Against Latham Client
The Berlin Regional Court I today largely overturned a fine of approximately €14.5 million imposed in October 2019, reducing it to €900,000. Latham & Watkins has represented its client Deutsche Wohnen since the beginning of the proceedings. The decision concerns fundamental questions of data deletion and so-called privacy by design, i.e., data protection through technology design. The precedential value of the decision extends far beyond the individual case: the requirements of data protection authorities regarding data deletion and technical and organisational measures for data protection are also critical for the development, training, and deployment of AI systems.
€14.5 Million Fine for Archive Structures and Data Deletion
In 2019, the Berlin Data Protection Authority (Berlin DPA) objected to the structures for archiving and deleting tenant data in the years 2018 to 2019. As early as December 2023, Latham & Watkins achieved a landmark success in these proceedings before the CJEU (C-807/21), in which the Court ruled that GDPR fines against companies require fault, clearly rejecting the strict liability approach advocated by the Berlin DPA. Latham data law partner Tim Wybitul was the first lawyer to plead before the CJEU on GDPR fines.
Court Recognises Company’s Efforts to Implement the GDPR
The fine notice concerned possible violations by the company of deletion obligations and data protection by design under Art. 25(1) GDPR. Personal data must be deleted when it is no longer necessary for the purposes for which it was processed. Under Art. 25(1) GDPR, data controllers must implement appropriate technical and organisational measures to effectively implement data protection principles. In doing so, they should take into account the technological state of the art, the cost of implementation, and the risks associated with the processing.
The Berlin DPA required the company to have structures and processes guaranteeing comprehensive early deletion of documents. At the same time, tax authorities and auditors require the audit-proof and immutable retention of the same documents, which is a conflict of objectives that affects many companies.
The Regional Court acknowledged that the transition of existing archive systems demanded by the Berlin DPA was extremely complex, both technically and organisationally. The taking of evidence confirmed that the company had already invested over €4 million in the system transition demanded by the authority by the time the GDPR became applicable on 25 May 2018. The company had also already ceased the practice of copying identification and creditworthiness documents, which the authority had objected to, as early as 2017. There was no data breach and no unauthorised third-party access to tenant data. Personal data was not disclosed to third parties, shared with them, or misused. Data access had been severed or blocked, the data itself was heavily secured and, figuratively speaking, locked away in the company’s vault. The taking of evidence also refuted further assumptions made by the authority.
The court therefore overturned the fine to a substantial extent. However, it interpreted the provisions on the temporal application of the GDPR to mean that the IT project to implement data protection by design, which had already commenced in 2016, could have been completed even earlier.
Outlook
The proceedings concern complex data protection questions that have not yet been judicially resolved, including: “Under what conditions must companies delete personal data?” and “What technical and organisational measures and what systems are required for this purpose?” In the event of a possible appeal, these questions would ultimately have to be resolved by the CJEU. The Regional Court noted that it is breaking new legal ground in the assessment of the transitional period, as it cannot rely on existing case law.
Significance for AI Applications and EU Digital Law
The CJEU’s landmark decision and now the first-instance ruling of the Berlin Regional Court I provide important guidance for fines under the GDPR and other EU digital legislation, such as the AI Act, the Digital Markets Act (DMA), and the Digital Services Act (DSA). The sanction systems of these legislative acts are largely modelled on the GDPR. The requirements for data deletion and data protection by design examined by the court are also of central importance for the training and deployment of AI systems.
Conclusion
Latham partner Tim Wybitul: “In these proceedings, the CJEU has already followed our arguments once and clearly rejected strict liability GDPR fines against companies. The Berlin Regional Court I has now confirmed this. As the first court of fact, it has ruled on the interpretation of the relevant GDPR requirements for data deletion and data protection by design. Moreover, the court has largely overturned the fine. This decision sets an important precedent for other areas of law, and the relevant data protection requirements are also critical for the training and deployment of AI systems. The proceedings clearly show that it is possible to successfully defend against GDPR fines and other regulatory measures under EU digital law with strong arguments”.
The Latham defence team was led by Frankfurt data law partner Tim Wybitul, with associates Isabelle Brams, Thies Schmitte, Timo Hager, and Jakob Hüger.