GDPR Fines for Companies – Austrian Supreme Administrative Court decision


For GDPR fines against companies the Austrian Supreme Administrative Court requires specific accusations against natural persons

In its decision (Ro 2019/04/0229) of 12 May 2020, the Supreme Administrative Court (Verwaltungsgerichtshof, VwGH) clarified that for a fine against a legal entity based on a violation of the GDPR, the names of those natural persons whose violation is attributed to the legal entity must be mentioned both in the prosecution and in the verdict. Thus, the findings necessary for the determination of conduct which constitutes an offence and is unlawful and culpable must be made and all necessary elements for a punishment of the natural person must be included in the verdict, with the addition that the conduct of the natural person is attributed to the legal entity.

Some of the essential elements of the administrative penal procedure are briefly described at the end of this article.

Practical tip:

Any penalized legal entity should examine both the acts of prosecution (i.e., any official act directed by the authority against a particular person as an accused party, such as a request for justification, summons, questioning, etc.) and the criminal conviction, in order to determine whether the latter can be challenged.

Both the acting natural person and the legal entity (which may subsequently be fined) are subject to the procedural guarantees of the Administrative Penal Act (Verwaltungsstrafgesetz, VStG) and are thereby protected, for instance, from self-incrimination.

Clarifications of the VwGH on the position taken by the Austrian Data Protection Authority (DPA)

The DPA’s criminal finding in the proceedings did not identify any natural person whose conduct was to be attributed to the legal entity that had been convicted. The convicted legal entity lodged an appeal with the Federal Administrative Court, which overturned the conviction and discontinued the proceedings. In its appeal to the VwGH, the DPA relied on the ECJ’s case-law on competition law and the direct applicability of Art. 83 GDPR, which is why it did not apply s. 30 Data Protection Act (Datenschutzgesetz, DSG). The VwGH stated on this point:

Administrative Penal Act applies to the proceedings

Fines under the GDPR are administrative fines, meaning that the Administrative Penal Act applies to the proceedings, unless the GDPR provides for more specific regulations. There is no special administrative penal procedure law for legal entities. For the direct criminal liability of the legal person, s. 30 DSG takes into account the position of the acting natural person whose conduct, which constitutes an offence and is unlawful and culpable, is attributed to the legal entity. Thus, s. 30 DSG enforces Art. 83 GDPR in Austrian national law because the VStG only regulates the procedure for the criminal liability of natural persons.

S. 30 (1) and (2) DSG does not contain rules of procedure, but rather rules of attribution

The DPA did not apply s. 30 (1) and (2) DSG, citing the direct applicability of Art. 83 GDPR and taking the view that these provisions are not covered by Art. 83 (8) GDPR. In the view of the VwGH (paragraph 16), s. 30 (1) and (2) DSG does not contain rules of procedure, but rather rules of attribution for the imposition of fines on legal entities. “Insofar s. 30 DSG does not refer to Art. 83 (8) GDPR” (according to which appropriate procedural guarantees under Union and national law must be observed). This point seems contradictory, particularly with regard to the following section of the grounds of the decision.

Provisions of competition law are not comparable

The VwGH does not share the view of the DPA according to which the provisions of competition law on the imposition of fines are comparable and no specific designation of the acting persons within the legal entity is required. The VwGH refers to a decision of the ECJ (C-338/00 P, Volkswagen/Commission, paragraphs 96 and 98), according to which fines under competition law are not of a criminal law nature, whereas fines imposed by a supervisory authority for violations of the GDPR are criminal sanctions according to “Recital 150 of the GDPR”. The VwGH emphasizes (paragraph 23) that Art. 83 (8) GDPR provides for adequate procedural guarantees not only of Union law (such as the CFR), but also of the law of the Member States with regard to the exercise of the power to impose sanctions.

Overview of proceedings against legal entities

An administrative penalty requires that someone unlawfully and culpably (s. 5 VStG) commits a sanctioned offence. Since a legal entity cannot act itself, its criminal liability under s. 30 DSG is a consequence of conduct by a natural person attributable to the legal entity (a member of management personnel) that constitutes an offence and is unlawful and culpable. The penalty is based on the accusation that the member of management personnel named in s. 30 (1) DSG violated the obligations set out therein (paragraph 1) or, by lack of control or supervision, enabled an employee to commit an offence (paragraph 2).

Precise description of offence

Each act of prosecution (ss. 31 and 32 VStG) must involve a specific administrative offence, so that it already refers to all essential elements of the facts underlying the subsequent punishment. Because the legal entity’s criminal liability depends on the infringement by the natural person attributable to it, the act of prosecution also includes the accusation against the natural person named therein and must precisely describe that person’s offence.

Parties’ rights

Once a legal entity has been accused of an administrative offence in an act of prosecution, from then on it is an accused person in accordance with s. 32 (1) VStG and has all rights associated with this status. The acting natural person is also an accused in the proceedings against the legal person and has all the rights associated with this status. For example, an accused person has a right to be heard (s. 40 VStG), does not have to answer questions raised against him/her (s. 33 (2) VStG) and can have a criminal conviction reviewed by an administrative court after a public oral hearing (s. 44 Administrative Court Procedure Act (Verwaltungsgerichtsverfahrensgesetz, VwGVG)), in which he/she has rights to questions and information and can be represented (s. 46 VwGVG). These procedural guarantees comply with the right to a fair trial and thus also guarantee Art. 47 of the Charter of Fundamental Rights of the European Union for legal entities.

For further assistance please contact Mag. Ingo Braun.
