Hig­her Admi­nis­tra­ti­ve Court of Schleswig-Holstein rules on the right to refu­se to pro­vi­de infor­ma­ti­on to data pro­tec­tion authorities

In an Order of 25 May 2021 (Case No. 4 MB 14/21) (only in Ger­man), the Hig­her Admi­nis­tra­ti­ve Court of Schleswig-Holstein (only in Ger­man) ruled on the right of com­pa­nies to refu­se to ans­wer ques­ti­ons from the data pro­tec­tion aut­ho­ri­ties in con­nec­tion with data pro­tec­tion audits (§ 58(1)(b) of the GDPR). What fol­lows is our sum­ma­ry and ana­ly­sis of this brand-new decis­i­on, which is high­ly rele­vant for com­pa­nies, e.g. in light of the recent ques­ti­on­n­aire on “Schrems II” and third-country trans­fers.

Facts of the case

The Order invol­ved a dis­pu­te bet­ween an online mail order com­pa­ny (the peti­tio­ner) and the com­pe­tent data pro­tec­tion aut­ho­ri­ty (the respon­dent) con­cer­ning a request for infor­ma­ti­on about the pro­ces­sing of per­so­nal data. In respon­se to seve­ral com­plaints alle­ging that the com­pa­ny was enga­ging in per­so­na­li­zed mar­ke­ting to data sub­jects, the aut­ho­ri­ty orde­red the com­pa­ny to ans­wer five ques­ti­ons and threa­ten­ed to fine the com­pa­ny for each ques­ti­on it fai­led to ans­wer. It also made refe­rence to a pos­si­ble right to refu­se to pro­vi­de infor­ma­ti­on in accordance with § 40(4) Sen­tence 2 of the Fede­ral Data Pro­tec­tion Act. The peti­tio­ner refu­sed to ans­wer and filed an action befo­re the Admi­nis­tra­ti­ve Court to set asi­de the fine, as well as a moti­on for sus­pen­si­ve effect, which the Admi­nis­tra­ti­ve Court dismissed.

Con­tent of the decision

The Hig­her Admi­nis­tra­ti­ve Court found that the com­plaint was par­ti­al­ly well-founded and enga­ged in an exten­si­ve exami­na­ti­on of the ques­ti­on as to whe­ther the com­pa­ny had a right to refu­se to pro­vi­de infor­ma­ti­on. The Hig­her Admi­nis­tra­ti­ve Court took the view that § 40(4) Sen­tence 2 of the Fede­ral Data Pro­tec­tion Act only entit­les com­pa­nies to refu­se to ans­wer ques­ti­ons in cases whe­re ans­we­ring would crea­te the risk of cri­mi­nal pro­se­cu­ti­on or the risk of pro­cee­dings in accordance with the Act on Admi­nis­tra­ti­ve Offen­ses, which would requi­re a spe­ci­fic threat.

The request for infor­ma­ti­on in the pre­sent case was made in con­nec­tion with a data pro­tec­tion audit (Artic­le 58(1)(b) of the GDPR), and the court sta­ted that a distinc­tion should be made bet­ween the indi­vi­du­al ques­ti­ons and the risk asso­cia­ted with each question.

Rough­ly spea­king, the indi­vi­du­al ques­ti­ons can be sum­ma­ri­zed as follows:

• Which con­trol­lers and pro­ces­sors coll­ect per­so­nal data and pro­cess it for mar­ke­ting purposes?
• Which per­so­nal data is collected?
• Were the requi­re­ments in Artic­le 24 and Artic­le 32 of the GDPR adhe­red to?
• How many data sub­jects are there?
• Were the noti­fi­ca­ti­on requi­re­ments in Artic­le 14(1) and (2) of the GDPR adhe­red to?

The Hig­her Admi­nis­tra­ti­ve Court con­cluded, based on its assess­ment, that pro­vi­ding ans­wers to Ques­ti­ons 1, 2 and 4 can­not sup­port the con­clu­si­on of unlawful pro­ces­sing in the absence of addi­tio­nal cir­cum­s­tances, such as the fail­ure to obtain con­sent. Accor­din­gly, a thre­at does not exist in this case and the com­pa­ny does not have the right to refu­se to ans­wer. Ques­ti­ons 3 and 5, on the other hand, are direc­ted towards pro­cee­dings in accordance with the Act on Admi­nis­tra­ti­ve Offen­ses, sin­ce vio­la­ti­ons of the spe­ci­fied requi­re­ments could result in fines in accordance with Artic­le 83 of the GDPR, and the peti­tio­ner the­r­e­fo­re has a right to refu­se to pro­vi­de this infor­ma­ti­on.

The Hig­her Admi­nis­tra­ti­ve Court also ruled that rights to refu­se to pro­vi­de infor­ma­ti­on in admi­nis­tra­ti­ve law can be asser­ted in oppo­si­ti­on to requests for infor­ma­ti­on them­sel­ves, and not only against the enforce­ment of such requests. Inher­ent to this right is the prin­ci­ple of free­dom from self-incrimination; sin­ce this prin­ci­ple is deri­ved from the gene­ral right to pri­va­cy and is the­r­e­fo­re inten­ded for natu­ral per­sons, it appears ques­tionable whe­ther legal per­sons can invo­ke the right to refu­se to pro­vi­de infor­ma­ti­on. But in light of the fact that this prin­ci­ple is also deri­ved from the prin­ci­ple of rule of law (Artic­le 20(3) of the Basic Law, Artic­le 6(1) of the ECHR) this pos­si­bi­li­ty is not enti­re­ly out of the ques­ti­on, in the view of the Hig­her Admi­nis­tra­ti­ve Court.

The court also found as fol­lows: “A vio­la­ti­on of the free­dom from self-incrimination may be estab­lished by cal­ling upon a per­son to pro­vi­de self-incriminating infor­ma­ti­on by means of a legal­ly bin­ding admi­nis­tra­ti­ve act, as well as by the enforce­ment of such a request under thre­at of admi­nis­tra­ti­ve pen­al­ties. […] In light of the unre­sol­ved con­sti­tu­tio­nal ques­ti­ons men­tio­ned abo­ve, some of which are of a fun­da­men­tal cha­rac­ter, this court can­not find with the neces­sa­ry degree of cer­tain­ty that assess­ment of the fines was lawful, as the Admi­nis­tra­ti­ve Court found, based sole­ly on the con­side­ra­ti­on that the right to refu­se infor­ma­ti­on in accordance with § 40(4) Sen­tence 2 of the Fede­ral Data Pro­tec­tion Act can­not be asser­ted in enforce­ment pro­cee­dings as a means of appe­al­ing the under­ly­ing admi­nis­tra­ti­ve act (cf. § 248(2) of the Gene­ral Admi­nis­tra­ti­ve Act of the Sta­te of Schleswig-Holstein).”

Clas­si­fi­ca­ti­on of the decision

The rele­van­ce of this Order in prac­ti­ce is par­ti­cu­lar­ly gre­at in light of the coor­di­na­ted inves­ti­ga­ti­ons which have been laun­ched by the super­vi­so­ry aut­ho­ri­ties, by means of ques­ti­on­n­aires, based on the “Schrems II” decis­i­on by the Euro­pean Court of Jus­ti­ce (ECJ).  As sta­ted in this Order, com­pa­nies may assert rights to refu­se to pro­vi­de infor­ma­ti­on to the data pro­tec­tion aut­ho­ri­ties if they would other­wi­se expo­se them­sel­ves to the risk of fur­ther pro­cee­dings. But it should be kept in mind that this ruling by the Hig­her Admi­nis­tra­ti­ve Court of Schleswig-Holstein was issued in sum­ma­ry pro­cee­dings by way of a tem­po­ra­ry injunc­tion, and that the Hig­her Admi­nis­tra­ti­ve Court ulti­m­ate­ly had to weigh the inte­rests of both parties.

Prac­ti­cal notes

Based on our expe­ri­ence deal­ing with inves­ti­ga­ti­ons by the aut­ho­ri­ties, we gene­ral­ly advi­se affec­ted com­pa­nies as follows:

• If the let­ter from the aut­ho­ri­ties does not con­tain ins­truc­tions as to legal reme­dies, it is mere­ly a request for infor­ma­ti­on. In this case, it is not an admi­nis­tra­ti­ve act and reci­pi­ents can­not be requi­red to respond under thre­at of penalties.
• Requests for infor­ma­ti­on should be hand­led with care at all times in light of the pos­si­ble mea­su­res which could fol­low such a request.
• Get help from an att­or­ney if you feel unsu­re about how to deal with the aut­ho­ri­ties and par­ti­cu­lar­ly if you plan to assert rights to refu­se to pro­vi­de infor­ma­ti­on, as the recent Order demons­tra­tes. We have exten­si­ve expe­ri­ence deal­ing with Ger­man and Euro­pean super­vi­so­ry aut­ho­ri­ties and are eager to pro­vi­de any assis­tance you may need.
• Even com­pa­nies which have not yet been cont­ac­ted by the super­vi­so­ry aut­ho­ri­ties would be well-advised to imme­dia­te­ly exami­ne their exis­ting third-country trans­fers given the high level of risk at the moment.

If you recei­ve a request for infor­ma­ti­on from the aut­ho­ri­ties or if you need legal assis­tance in con­nec­tion with the eva­lua­ti­on of third-country trans­fers, plea­se cont­act the Co-Head of our Digi­tal Busi­ness Unit, Mr. Ste­fan Hes­sel.