In a recent ruling, the Berlin Administrative Court strengthened the investigative powers of the data protection supervisory authorities. The plaintiff was a publishing house and art book mail order business suspected of unlawfully passing on personal data to third parties. The business challenged a request for information from the data protection authority in court, invoking its right to refuse to provide information, which the court denied.
It is nothing new that data protection authorities have comprehensive investigative powers to fulfill their role as supervisory bodies. This includes requesting information on the processing of personal data, inspecting data sets and technical systems, and reviewing a company’s organisational processes. If violations are found, the authority can take further measures, ranging from warnings to fines.
However, the Berlin Administrative Court has now clarified that legal entities do not have the right to refuse to provide information in relation to these far-reaching investigative powers. This is noteworthy because the right not to incriminate oneself normally also applies to proceedings involving administrative offences. This ensures that no one has to jeopardise themselves. The Berlin Administrative Court has now ruled, in line with the 1997 ruling of the Federal Constitutional Court, that this protection does not apply to legal entities, as the right against self-incrimination is linked to the principle human dignity and therefore only applies to natural persons. Legal entities must therefore provide all requested information, even if this could potentially incriminate them.
Precisely because the right against self-incrimination is increasingly also understood as part of the right to a fair proceeding, which undoubtedly also applies to legal entities, it remains questionable whether the decision will stand.
(Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte)