Hig­her Admi­nis­tra­ti­ve Court of Schleswig-Holstein rules on the right to refu­se to pro­vi­de infor­ma­ti­on to data pro­tec­tion authorities

In an Order of 25 May 2021 (Case No. 4 MB 14/21) (only in Ger­man), the Hig­her Admi­nis­tra­ti­ve Court of Schleswig-Holstein (only in Ger­man) ruled on the right of com­pa­nies to refu­se to ans­wer ques­ti­ons from the data pro­tec­tion aut­ho­ri­ties in con­nec­tion with data pro­tec­tion audits (§ 58(1)(b) of the GDPR). What fol­lows is our sum­ma­ry and ana­ly­sis of this brand-new decis­i­on, which is high­ly rele­vant for com­pa­nies, e.g. in light of the recent ques­ti­on­n­aire on “Schrems II” and third-country trans­fers.

Facts of the case

The Order invol­ved a dis­pu­te bet­ween an online mail order com­pa­ny (the peti­tio­ner) and the com­pe­tent data pro­tec­tion aut­ho­ri­ty (the respon­dent) con­cer­ning a request for infor­ma­ti­on about the pro­ces­sing of per­so­nal data. In respon­se to seve­ral com­plaints alle­ging that the com­pa­ny was enga­ging in per­so­na­li­zed mar­ke­ting to data sub­jects, the aut­ho­ri­ty orde­red the com­pa­ny to ans­wer five ques­ti­ons and threa­ten­ed to fine the com­pa­ny for each ques­ti­on it fai­led to ans­wer. It also made refe­rence to a pos­si­ble right to refu­se to pro­vi­de infor­ma­ti­on in accordance with § 40(4) Sen­tence 2 of the Fede­ral Data Pro­tec­tion Act. The peti­tio­ner refu­sed to ans­wer and filed an action befo­re the Admi­nis­tra­ti­ve Court to set asi­de the fine, as well as a moti­on for sus­pen­si­ve effect, which the Admi­nis­tra­ti­ve Court dismissed.

Con­tent of the decision

The Hig­her Admi­nis­tra­ti­ve Court found that the com­plaint was par­ti­al­ly well-founded and enga­ged in an exten­si­ve exami­na­ti­on of the ques­ti­on as to whe­ther the com­pa­ny had a right to refu­se to pro­vi­de infor­ma­ti­on. The Hig­her Admi­nis­tra­ti­ve Court took the view that § 40(4) Sen­tence 2 of the Fede­ral Data Pro­tec­tion Act only entit­les com­pa­nies to refu­se to ans­wer ques­ti­ons in cases whe­re ans­we­ring would crea­te the risk of cri­mi­nal pro­se­cu­ti­on or the risk of pro­cee­dings in accordance with the Act on Admi­nis­tra­ti­ve Offen­ses, which would requi­re a spe­ci­fic threat.

The request for infor­ma­ti­on in the pre­sent case was made in con­nec­tion with a data pro­tec­tion audit (Artic­le 58(1)(b) of the GDPR), and the court sta­ted that a distinc­tion should be made bet­ween the indi­vi­du­al ques­ti­ons and the risk asso­cia­ted with each question.

Rough­ly spea­king, the indi­vi­du­al ques­ti­ons can be sum­ma­ri­zed as follows:

  • Which con­trol­lers and pro­ces­sors coll­ect per­so­nal data and pro­cess it for mar­ke­ting purposes?
  • Which per­so­nal data is collected?
  • Were the requi­re­ments in Artic­le 24 and Artic­le 32 of the GDPR adhe­red to?
  • How many data sub­jects are there?
  • Were the noti­fi­ca­ti­on requi­re­ments in Artic­le 14(1) and (2) of the GDPR adhe­red to?

The Hig­her Admi­nis­tra­ti­ve Court con­cluded, based on its assess­ment, that pro­vi­ding ans­wers to Ques­ti­ons 1, 2 and 4 can­not sup­port the con­clu­si­on of unlawful pro­ces­sing in the absence of addi­tio­nal cir­cum­s­tances, such as the fail­ure to obtain con­sent. Accor­din­gly, a thre­at does not exist in this case and the com­pa­ny does not have the right to refu­se to ans­wer. Ques­ti­ons 3 and 5, on the other hand, are direc­ted towards pro­cee­dings in accordance with the Act on Admi­nis­tra­ti­ve Offen­ses, sin­ce vio­la­ti­ons of the spe­ci­fied requi­re­ments could result in fines in accordance with Artic­le 83 of the GDPR, and the peti­tio­ner the­r­e­fo­re has a right to refu­se to pro­vi­de this infor­ma­ti­on.

The Hig­her Admi­nis­tra­ti­ve Court also ruled that rights to refu­se to pro­vi­de infor­ma­ti­on in admi­nis­tra­ti­ve law can be asser­ted in oppo­si­ti­on to requests for infor­ma­ti­on them­sel­ves, and not only against the enforce­ment of such requests. Inher­ent to this right is the prin­ci­ple of free­dom from self-incrimination; sin­ce this prin­ci­ple is deri­ved from the gene­ral right to pri­va­cy and is the­r­e­fo­re inten­ded for natu­ral per­sons, it appears ques­tionable whe­ther legal per­sons can invo­ke the right to refu­se to pro­vi­de infor­ma­ti­on. But in light of the fact that this prin­ci­ple is also deri­ved from the prin­ci­ple of rule of law (Artic­le 20(3) of the Basic Law, Artic­le 6(1) of the ECHR) this pos­si­bi­li­ty is not enti­re­ly out of the ques­ti­on, in the view of the Hig­her Admi­nis­tra­ti­ve Court.

The court also found as fol­lows: “A vio­la­ti­on of the free­dom from self-incrimination may be estab­lished by cal­ling upon a per­son to pro­vi­de self-incriminating infor­ma­ti­on by means of a legal­ly bin­ding admi­nis­tra­ti­ve act, as well as by the enforce­ment of such a request under thre­at of admi­nis­tra­ti­ve pen­al­ties. […] In light of the unre­sol­ved con­sti­tu­tio­nal ques­ti­ons men­tio­ned abo­ve, some of which are of a fun­da­men­tal cha­rac­ter, this court can­not find with the neces­sa­ry degree of cer­tain­ty that assess­ment of the fines was lawful, as the Admi­nis­tra­ti­ve Court found, based sole­ly on the con­side­ra­ti­on that the right to refu­se infor­ma­ti­on in accordance with § 40(4) Sen­tence 2 of the Fede­ral Data Pro­tec­tion Act can­not be asser­ted in enforce­ment pro­cee­dings as a means of appe­al­ing the under­ly­ing admi­nis­tra­ti­ve act (cf. § 248(2) of the Gene­ral Admi­nis­tra­ti­ve Act of the Sta­te of Schleswig-Holstein).”

Clas­si­fi­ca­ti­on of the decision

The rele­van­ce of this Order in prac­ti­ce is par­ti­cu­lar­ly gre­at in light of the coor­di­na­ted inves­ti­ga­ti­ons which have been laun­ched by the super­vi­so­ry aut­ho­ri­ties, by means of ques­ti­on­n­aires, based on the “Schrems II” decis­i­on by the Euro­pean Court of Jus­ti­ce (ECJ).  As sta­ted in this Order, com­pa­nies may assert rights to refu­se to pro­vi­de infor­ma­ti­on to the data pro­tec­tion aut­ho­ri­ties if they would other­wi­se expo­se them­sel­ves to the risk of fur­ther pro­cee­dings. But it should be kept in mind that this ruling by the Hig­her Admi­nis­tra­ti­ve Court of Schleswig-Holstein was issued in sum­ma­ry pro­cee­dings by way of a tem­po­ra­ry injunc­tion, and that the Hig­her Admi­nis­tra­ti­ve Court ulti­m­ate­ly had to weigh the inte­rests of both parties.

Prac­ti­cal notes

Based on our expe­ri­ence deal­ing with inves­ti­ga­ti­ons by the aut­ho­ri­ties, we gene­ral­ly advi­se affec­ted com­pa­nies as follows:

  • If the let­ter from the aut­ho­ri­ties does not con­tain ins­truc­tions as to legal reme­dies, it is mere­ly a request for infor­ma­ti­on. In this case, it is not an admi­nis­tra­ti­ve act and reci­pi­ents can­not be requi­red to respond under thre­at of penalties.
  • Requests for infor­ma­ti­on should be hand­led with care at all times in light of the pos­si­ble mea­su­res which could fol­low such a request.
  • Get help from an att­or­ney if you feel unsu­re about how to deal with the aut­ho­ri­ties and par­ti­cu­lar­ly if you plan to assert rights to refu­se to pro­vi­de infor­ma­ti­on, as the recent Order demons­tra­tes. We have exten­si­ve expe­ri­ence deal­ing with Ger­man and Euro­pean super­vi­so­ry aut­ho­ri­ties and are eager to pro­vi­de any assis­tance you may need.
  • Even com­pa­nies which have not yet been cont­ac­ted by the super­vi­so­ry aut­ho­ri­ties would be well-advised to imme­dia­te­ly exami­ne their exis­ting third-country trans­fers given the high level of risk at the moment.

If you recei­ve a request for infor­ma­ti­on from the aut­ho­ri­ties or if you need legal assis­tance in con­nec­tion with the eva­lua­ti­on of third-country trans­fers, plea­se cont­act the Co-Head of our Digi­tal Busi­ness Unit, Mr. Ste­fan Hes­sel.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.