First court decision in Germany in relation to the GDPR

As initially reported by Technology Law Dispatch, the Administrative Court of Karlsruhe has reported its judgment of 6 July 2017, docket no. 10 K 7698/16.

What is GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) is a new pan-European data privacy law, which becomes applicable on 25th of May 2018. From that date, special personal data protection requirements must be satisfied by all business entities (with a few legal exceptions). In case of non-compliance, a company can be penalized up to 2% of global annual revenue or 20M Euro.


Situation of the Court of Karlsruhe

On 25 November 2016, the Baden-Württemberg Data Protection Authority (DPA) imposed an administrative order on a credit agency concerning an infringement of the GDPR.

The credit agency stores identifiable personal data in accordance with the currently applicable German federal law (BDSG, Bundesdatenschutzgesetz), which specifies the erasure examination deadline for these data.

The DPA referred to a future violation of the GDPR by the credit agency after 24th of May 2018 and ordered the credit agency to erase personal data by default at most 3 years after the claim. The DPA was not satisfied with the credit agency's declaration that the GDPR provisions would be implemented on 25th of May 2015.


Court Decision

On 6 July 2017, the Administrative Court of Karlsruhe held that there was no legal basis for the administrative order issued by the DPA. The court argued that GDPR provisions do not have a “pre-effect”. Authorities cannot be empowered to issue an order based on future violations of the GDPR before its applicability date. The BDSG cannot provide a legal basis to enforce provisions of the GDPR, since they do not apply yet.