The General Data Protection Regulation (“GDPR”) will become applicable on 25 May 2018. Even though the GDPR entered into force on 24 May 2016, its provisions will be binding and enforceable only from 25 May 2018. In advance of the applicability of the GDPR, the German Administrative Court Karlsruhe (“AC Karlsruhe”) has already had to decide on it (Judgment of 6 July 2017, docket no. 10 K 7698/16).
On 25 November 2016, the Data Protection Authority of the state of Baden-Württemberg (“DPA”) imposed an administrative order on a credit agency, concerning an infringement of the GDPR.
The credit agency stored personally identifiable data, such as claims and related information, in compliance with Section 35 (2) sentence 2 no. 4 of the currently valid German Federal Data Protection Act (“FDPA”). The provision contains precise deadlines for examining whether data is to be erased.
The DPA referred to future violations of the GDPR that it expected to occur after 24 May 2018, as the legal framework will change. Under Recital 39 of the GDPR, controllers are obligated to establish time limits for erasure or for a periodic review. According to the order issued by the DPA, after 24 May 2018 the credit agency must erase the stored data no later than three years after the due date of the claim, except in cases of insolvency or unwillingness of the data subject to pay. In the opinion of the DPA, the credit agency's declaration that it would implement the GDPR provisions in its data erasure system by 25 May 2018 was not sufficient.
The DPA stated that it relied on Section 38 (5) sentence 1 of the FDPA, arguing that measures can be issued from the date on which future violations of data protection laws can be inferred.
Decision by AC Karlsruhe
On 6 July 2017, the AC Karlsruhe held that there was no legal basis for the administrative order by the DPA. Neither the GDPR nor the current FDPA empowers authorities to issue an order based on future violations of the GDPR before the GDPR applies. The FDPA cannot provide a legal basis to enforce provisions of the GDPR since they do not apply yet. Regarding the GDPR, the AC Karlsruhe argued that its provisions, including the provisions on powers of authorities, do not have a “pre-effect”.
The judgment did not come as a big surprise, since Article 99 of the GDPR differentiates explicitly between the entry into force in 2016 and the applicability of the GDPR in 2018. Therefore, authorities may not enforce provisions of the GDPR yet. However, authorities are already identifying areas that could cause compliance issues. The judgment shows how important it is for organisations to get ready for the GDPR. Fewer than nine months are left until 25 May 2018.