German data protection authorities establish unified fine procedures
New model guidelines aim to standardize GDPR enforcement across federal and state levels in Germany.
German data protection supervisory authorities announced on June 16, 2025, the establishment of model guidelines designed to create uniform procedures for imposing fines under the General Data Protection Regulation. The Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) agreed on these comprehensive procedures to achieve consistency in enforcement actions across all German jurisdictions.
The model guidelines, known as MRiDaVG (Model guidelines for the procedure for fines imposed by data protection supervisory authorities), represent a significant step toward harmonizing data protection enforcement in Germany. According to the DSK determination, heads of federal and state data protection supervisory authorities responsible for the non-public sector intend to implement these guidelines as administrative regulations within their respective jurisdictions.
Summary
Who: The Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) in Germany, comprising heads of federal and state data protection supervisory authorities responsible for the non-public sector.
What: Agreement on model guidelines (MRiDaVG) establishing standardized procedures for imposing fines under the General Data Protection Regulation across German jurisdictions. The guidelines cover procedural principles, responsibility frameworks, investigation procedures, discretionary decision-making, evidence handling, and public communications.
When: June 16, 2025, when the DSK formally agreed on the model guidelines, with authorities intending to implement them as administrative regulations within their respective jurisdictions.
Where: Germany, affecting all federal and state data protection supervisory authorities responsible for enforcing GDPR in the non-public sector, with particular relevance for cross-border processing cases involving Article 60 and Article 65 GDPR procedures.
Why: To achieve uniformity in data protection supervisory authority procedures on fines within and across authorities, addressing disparities in enforcement approaches and ensuring consistent implementation of GDPR requirements while maintaining compliance with European Union law primacy and effectiveness principles.
Standardizing enforcement across jurisdictions
The guidelines establish fundamental procedural principles that must guide all fine proceedings. These principles emphasize the primacy of Union law over conflicting German provisions, ensuring that GDPR requirements take precedence in enforcement actions. The equivalence requirement mandates that Union law enforcement must not be disadvantaged compared to German law enforcement.
The DSK guidelines address multiple areas of procedural complexity. The principle of effectiveness requires that all provisions be interpreted to implement GDPR requirements with practical effect. German law must be interpreted in conformity with EU law, while decision-making operates under the opportunity principle, allowing supervisory authorities discretion in initiating or discontinuing proceedings while observing GDPR-specified discretionary factors.
Administrative proceedings on other remedial measures can run parallel with fine proceedings under the principle of parallelism. In cross-border cases under Article 60 GDPR, the principle of synchronicity requires that draft decisions on administrative procedures and fine proceedings be submitted simultaneously to concerned supervisory authorities, unless other legal principles conflict with this approach.
Direct liability framework
The guidelines establish a direct liability framework for controllers, processors, certification bodies, and monitoring bodies under the GDPR. These entities face direct liability for fine-subject infringements regardless of their legal form, whether violations were committed by their bodies, representatives, employees, or other persons acting in their business activities.
This approach treats these entities as affected parties rather than uninvolved parties under procedural law, where relevant procedural provisions apply by their nature. The guidelines specify that in proceedings against legal entities and partnerships, communications must address the entity directly, with business names stated first in address lines and business addresses taken from current commercial registers.
Investigation and information procedures
The guidelines detail investigation procedures, including information requests to public and non-public bodies. For public bodies, data protection supervisory authorities may request file access as the authority for fines, with general powers of fact clarification taking precedence over administrative assistance provisions where information requests under criminal procedure codes suffice.
Non-public bodies must submit evidence, including data stored on data carriers, upon request, although they are under no obligation to provide information under criminal procedure codes. Natural persons not affected by fine proceedings serve as witnesses under applicable criminal procedure provisions.
In particularly complex cases involving cooperation and consistency procedures under Union law, investigation reports should be prepared in addition to final reports if necessary to ensure intended decisions can be understood by concerned supervisory authorities.
Discretionary decision-making
The guidelines interpret "dutiful discretion" under German regulatory offense law within GDPR scope to mean that discretionary grounds listed in Article 83(2) sentence 2 GDPR must be considered. If fine units conclude no fine should be imposed but warnings under Article 58(2)(b) GDPR should be issued in administrative procedures, they must inform responsible organizational units and cease pursuing fine proceedings.
In cooperation and consistency proceedings, draft discontinuation orders must meet requirements of draft decisions under Article 64(1) GDPR. When proceedings are discontinued for opportunity reasons, relevant discretionary considerations under Article 83(2) sentence 2 GDPR leading to decisions must be outlined in draft decisions for concerned supervisory authorities.
Decision content requirements
Procedural requirements under German regulatory offense law must be interpreted to ensure decision content on fines aligns with EU law requirements of GDPR substantive provisions for fine imposition. The term "person of the person concerned" applies to entities under direct liability as defined in the guidelines when proceedings are directly against them.
Under direct association liability, decisions on fines need not name natural persons, including representatives or organs. In European cooperation and consistency proceedings, draft decisions on fines must generally also meet draft decision requirements, containing justification for fine amounts for concerned supervisory authorities beyond standard German requirements.
The guidelines establish clear cooperation protocols with public prosecutor's offices, emphasizing close and trusting cooperation. When files are sent to district or regional courts via public prosecutor's offices, special provisions must be communicated in cover letters or file notes. For fines exceeding ten thousand euros, public prosecutor's offices should be asked to attend main hearings.
Evidence and disclosure protocols
Evidence object return procedures require documentation of all decisions. When concrete indications suggest misuse risks or imminent unlawful reuse of evidence objects, supervisory authorities may initiate seizures under police law with security authorities for permanent confiscation, particularly when public interest or protection needs exist for affected data subjects.
In cooperation with competent organizational units, consideration should be given to ordering processing restrictions or deletion of the contained data under Article 58(2)(f) and (g) GDPR. The guidelines permit transmission of personal data of supervised subjects for cross-procedural purposes when special circumstances require transmission, particularly when offenses by nature raise reliability or suitability doubts.
Notification requirements
The guidelines establish specific notification protocols for various stakeholders. For natural persons subject to special supervision under official, state, federal, or professional law, transmission of personal data is permitted when special circumstances require it, particularly when violations suggest reliability or suitability concerns through systematic, repeated, or intentional violations.
Supervisory authorities must notify the Central Trade Register at the Federal Office of Justice in Bonn of legally binding fine decisions meeting specific requirements within one month of decisions becoming final. Electronic notifications or official forms should be used. For serious violations involving systematic, repeated, or intentional violations, authorities may inform trade supervisory authorities to implement measures under trade law.
Public communications framework
The guidelines address public communications about fine proceedings as part of authorities' public relations work. Questions from press and media representatives regarding specific matters must be answered truthfully and objectively, with discretion in how information duties are fulfilled. Communications to the public about fine proceedings are permitted and must be factually and substantively correct.
Public information should not jeopardize investigation purposes or impair concerned persons' right to fair trials. Mentioning names or company names of affected persons is permissible in individual cases, particularly when public reporting has already occurred about affected persons by name or company name. Generally, the public should only be informed about fine decisions after decisions have been served or otherwise published.
The establishment of these guidelines reflects ongoing European efforts to strengthen data protection enforcement. Recent enforcement data shows significant disparities in GDPR enforcement across European authorities, with only 1.3% of cases resulting in fines between 2018 and 2023. The German guidelines aim to address such inconsistencies within national jurisdiction while maintaining compliance with European standards.
Impact on marketing sector
These standardized procedures carry particular significance for the marketing community, where data protection violations have resulted in substantial fines across Europe. Cookie consent violations and unlawful tracking practices have faced increasing scrutiny from supervisory authorities, with fines ranging from thousands to hundreds of thousands of euros.
The marketing sector faces heightened enforcement risks due to widespread use of tracking technologies, third-party data sharing, and cross-border data transfers. Recent cases involving Meta Pixel implementation have resulted in multi-million euro fines when companies failed to implement adequate safeguards for data transfers to the United States.
Email marketing violations continue to generate enforcement actions, with German authorities imposing fines for campaigns conducted without proper consent. The standardized German procedures will likely result in more consistent enforcement against marketing violations, potentially increasing compliance pressure on companies operating across multiple German states.
The guidelines' emphasis on cross-border cooperation could affect international marketing operations, particularly those involving data transfers to non-EU jurisdictions. Major fines against companies like Uber for inadequate data transfer safeguards demonstrate the financial risks facing marketing operations that rely on global data flows.
With total GDPR fines reaching €4.2 billion across the EU since 2018, these standardized German procedures represent part of broader regulatory maturation in data protection enforcement. Marketing professionals must anticipate more predictable but potentially stricter enforcement outcomes as German authorities implement uniform fine procedures across federal and state levels.
Timeline
June 16, 2025: Conference of Independent Federal and State Data Protection Supervisory Authorities agrees on model guidelines for fine procedures under GDPR
2018-2023: European authorities impose fines in only 1.3% of GDPR cases, showing enforcement disparities
July 25, 2024: European Commission reports €4.2 billion in total GDPR fines since 2018 implementation
December 26, 2024: Dutch DPA fines Coolblue €40,000 for cookie consent violations
Three days ago: Hesse authority fines IT company €10,000 for email marketing without consent
September 8, 2024: Swedish DPA fines pharmacy chains 45 million SEK for Meta Pixel data transfers
August 26, 2024: Dutch DPA fines Uber €290 million for unlawful US data transfers
August 26, 2024: Belgian DPA fines telecom company €100,000 for delayed data access response