Insight - You have the right to remain silent - or perhaps not?

Administrative Court Berlin, Judgment of 9 October 2025, case no. VG 1 K 607/22

The Administrative Court Berlin (Verwaltungsgericht Berlin – “VG Berlin”) upheld an information-disclosure order issued by the Berlin Commissioner for Data Protection and Freedom of Information ("BlnBfDI") against a publishing house. The authority was entitled to request information on the extent to which the publisher had disclosed customer data to advertising partners in the context of the lettershop procedure. The court considered both the scope of the request and the reasoning underlying it to be lawful.
A central issue was whether the claimant, as a legal entity, could invoke the right to refuse to disclose information under Section 40(4)(2) German Data Protection Act (Bundesdatenschutzgesetz – “BDSG”). The court rejected this and referred to outdated case law of the German Federal Constitutional Court (Bundesverfassungsgericht – “BVerfG”), which had denied the applicability of the right not to incriminate oneself (“nemo tenetur principle”) to legal entities. The claim was dismissed in its entirety. (This Insight is based on a German language article published in the March issue of “Datenschutz-Berater”.) 

1. The case

The claimant operates a publishing house and leases customer data to advertising partners for postal marketing campaigns as part of the lettershop procedure. After numerous complaints of customers about unsolicited advertising, the BlnBfDI issued a reprimand in 2019 for the lack of consent. By not taking action the claimant allowed the reprimand to become final.

Despite the reprimand, the claimant neither adapted its business practice nor amended its privacy notice accordingly. The authority therefore heard the claimant in October 2020 regarding a suspected further infringement of data protection law and requested detailed information concerning the scope and recipients of the rented address datasets. The claimant did not respond within the set deadline, even though the authority had expressly threatened to issue a compulsory disclosure order in the event of non‑compliance.

The claimant eventually submitted a response in February 2021. However, this response was selective: while minor questions were answered, central issues – in particular, the number of data records transmitted and the identity of the respective advertising partners – remained unanswered. Repeated follow‑up inquiries by the authority were either ignored or rejected with the assertion that the matter had been "fully and finally clarified" and that the authority’s request was therefore deemed resolved.

In September 2022, the authority reiterated its request for information, this time imposing a three‑week deadline and again threatening a binding disclosure order in the event of non‑compliance. The claimant was required, in particular, to specify how many datasets it had transferred to which advertising partners during various quarters and years.

Once again, the claimant reacted only months later: it answered only two peripheral questions while maintaining its refusal to provide the requested core information. It also stated that it had provided "all necessary and conclusive information" and explicitly “requested” the authority to issue a formal disclosure order should it consider the response insufficient.

In November 2022, the authority issued the contested disclosure order. The claimant brought an action against it, arguing, inter alia, that it had a right to refuse disclosure and that it was being compelled to incriminate itself.

2. The court's reasons

The VG Berlin considered the information‑disclosure order to be lawful. The supervisory authority could rely on Article 58(1)(a) Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”). Under this provision, the controller is required to provide all information necessary for the authority to perform its tasks under Article 57 GDPR. Legislators have granted supervisory authorities extensive investigative powers, which also encompass preventive or non‑incident‑based inspections.

In the court’s view, the requested breakdown of the rented dataset volumes was necessary for the authority. The information served both to assess the scope of an already criticised business model and to examine whether other controllers were involved. The information request was also sufficiently specific: the wording clearly indicated that the authority required the identity of the advertising partners to determine whether additional regulatory measures were necessary.

The claimant could not rely on Section 40(4)(2) BDSG. According to this provision, the party subject to an information request may refuse to answer individual questions if doing so would expose them to the risk of criminal or administrative‑offence proceedings. However, the court stated that this right, according to BVerfG case law, applies only to natural persons. Legal persons cannot invoke the right against self‑incrimination (nemo tenetur). The decisive factor is that the right to refuse disclosure serves the protection of human dignity, a concept applicable only to natural persons.

The claimant, the court held, was neither personally affected nor exposed to a risk of criminal or administrative‑offence prosecution. Therefore, it could not refuse to provide the information.

The court likewise rejected arguments that the right to remain silent derived from Article 20(3) German Constitution (Grundgesetz – “GG”) or from procedural guarantees enshrined Article 6 European Convention on Human Rights (“ECHR”) and Article 47 Charter of Fundamental Rights (“CFR”). These guarantees either do not apply to legal persons or do not establish a comprehensive right to silence in this context. No individual risk of criminal prosecution for managers or employees was apparent. A possible administrative fine imposed directly on the claimant did not constitute personal self‑incrimination.

3. Practical Implications

The decision raises important questions regarding supervisory authorities' information requests and the scope of the right to refuse disclosure. While the substantive scope of the request is relatively uncontroversial, VG Berlin's conclusions on the right to refuse disclosure touches upon highly relevant areas affecting regulatory cooperation, internal compliance structures, and defence strategies within organisations.

Scope of Supervisory Information Requests

The decision confirms that supervisory authorities may request extensive information under Article 58(1)(a) GDPR whenever this appears necessary to clarify a processing activity. This may include – as in the present case – details on the scope of data transfers to third parties. The claimant's prior reprimand in 2019 did not preclude further information requests.

Controllers should therefore expect authorities to request additional information even years after a data protection incident – particularly where previous responses were incomplete or absent. In this case, repeated failure to fully respond increased the likelihood of escalation from informal inquiries to formal measures.

The scope of data leasing, volume of affected datasets, and identity of involved advertising partners are typical parameters for administrative‑fine assessment under Article 83(2) GDPR. It was evident that the authority sought to clarify precisely these matters. Supervisory authorities are not bound by a strict division between administrative and administrative‑offence proceedings: any initial suspicion of an infringement can trigger a shift from a regulatory inquiry to a fine proceeding.

As a result, the risk of self‑incrimination arises not only in administrative‑offence proceedings but already during the administrative phase. This is precisely the situation the legislature sought to address through Section 40(4)(2) BDSG – a provision whose scope the VG Berlin then had to interpret..

(No) Right to Refuse Information for Legal Entities

The VG Berlin’s position requires closer scrutiny and ultimately falls short. It relies on outdated BVerfG reasoning from 1997, which derives the nemo tenetur principle from the general personality right under Article 2(1) in conjunction with Article 1(1) GG – rights attributed only to natural persons.

However, this reasoning is almost 30 years old and no longer reflects the current doctrine. The BVerfG has since recognised the right to informational self‑determination, as a defensive right against state investigative measures, also for legal persons. Moreover, since 2014, the BVerfG no longer derives the self‑incrimination privilege solely from personality rights but from the rule‑of‑law principle under Article 20(3) GG, which applies to legal persons through Article 19(3) GG. The BVerfG would therefore be unlikely to uphold its 1997 position today.

Moreover, the BVerfG’s older reasoning also predates the European Court of Justice’s (“ECJ”) decision in Deutsche Wohnen, which clarified that GDPR fines may be imposed directly on controllers. Where the controller is a legal person, it is itself the offender. The Higher Regional Court Berlin confirmed this position on in early 2024. The same applies to processors.

GDPR fines are fault‑based, and for legal persons the attribution is direct. Thus, imposing a GDPR fine on a legal person does indeed contain a fault element and moral reproach. The VG Berlin’s reliance on outdated dogmatics – treating legal entities merely as secondary participants – fails to reflect this development.

The VG Berlin also incorrectly states that neither the ECtHR nor the ECJ has recognised a right to silence for legal persons. The European Court of Human Rights (“ECtHR”) has long recognised the right to silence and the privilege against self‑incrimination as elements of a fair trial under Article 6 ECHR. While the ECtHR has not ruled explicitly on legal entities in this context, procedural guarantees under Article 6(1) ECHR unquestionably apply to them.

In EU competition law, the ECJ has likewise acknowledged a limited yet genuine protection against compelled self‑incrimination for companies. In light of Article 52(3) CFR, requiring alignment with ECHR standards, the absence of detailed engagement by the VG Berlin is a significant shortcoming.

Ultimately, the question of whether the nemo tenetur principle applies to legal entitiess is not even decisive. Under Article 83(8) GDPR, supervisory authorities must comply with appropriate procedural safeguards when imposing fines. The German legislature has granted the "party subject to disclosure" a statutory right to refuse disclosure under Section 40(4)(2) BDSG. According to sentence 1, those subject to the authority’s supervision – and their management personnel – are subject to the duty to provide information.

The VG Berlin cannot override the clear statutory wording. The right also protects management personnel, even if they themselves are not directly subject to a GDPR fine. Legal persons can act only through natural persons; depriving them of this right would render it meaningless.

Section 40(4)(2) BDSG is a rule of administrative‑procedure law, not merely of administrative‑offence law. The German administrative-offence law (Ordnungswidrigkeitengesetz – “OWiG”) already contains a comprehensive refusal right for natural persons via Section 46 OWiG in conjunction with Sections 55 et seq. German Criminal Procedure Law (“Strafprozessordnung – “StPO"). A parallel provision in the BDSG would be superfluous unless the legislature intended it to apply to the administrative procedure as well.

Impact on Section 43(4) BDSG (Evidence-Use Prohibition)

If the VG Berlin’s restrictive view were adopted, it could significantly undermine other statutory protections, such as Section 43(4) BDSG. Under this provision, information contained in breach notifications under Article 33 GDPR or notifications to data subjects under Article 34 GDPR may be used in administrative‑offence proceedings only with the controller’s consent. Without such consent, an evidentiary prohibition applies.

Section 43(4) BDSG is controversial, with some arguing that it exceeds what is permissible under EU law. Following the logic of the VG Berlin, such concerns would increase even further. However, the same arguments supporting a broader interpretation of Section 40(4) BDSG also justify upholding Section 43(4) BDSG.

Requiring a legal person to submit mandatory notifications under threat of fines (Article 83(4)(a) GDPR) and then using those same submissions against it – even where the content itself reveals a GDPR infringement – would undermine the nemo tenetur principle. The evidentiary prohibition is thus an appropriate safeguard.

4. Conclusion

If the VG Berlin’s approach were to prevail, the statutory protections under Section 40(4)(2) BDSG (and Section 43(4) BDSG) would be significantly weakened. As a consequence, companies would face substantial self‑incrimination risks when responding to supervisory information requests. For now, the decision creates legal uncertainty. Companies must respond comprehensively to information requests while the extent of their protection against early‑stage self‑incrimination remains unclear. The decision places strong emphasis on the duty to cooperate without resolving how controllers can protect their position during the administrative inquiry. It is anticipated that future case law will address the scope of the refusal right in a more nuanced manner.

Supervisory authorities are likely to interpret their powers broadly and may request detailed information long after an incident. Companies should prepare to respond systematically, coherently, and promptly. Delays or selective answers increase the likelihood of escalation. Despite the VG Berlin’s restrictive approach, companies should not assume that Section 40(4)(2) BDSG is categorically inapplicable to corporate contexts. Instead, they should carefully assess whether providing certain information could have relevance in potential fine proceedings. This applies in particular to cases in which the scope and structure of a potential infringement would only become apparent through the information requested. A graduated assessment of the authority’s questions – from the mandatory degree of cooperation to the potential risk of self‑incrimination – is therefore indispensable. Clear communication with supervisory authorities is equally important: every response should be coordinated, documented, and consistent. Experience from administrative‑fine proceedings shows that the ‘first impression’ often shapes the further course of the case: ill‑considered or inconsistent statements are difficult to correct and may facilitate the transition to a fine proceeding. Thus, working compliance structures remain the most effective defence. Companies with established data protection management systems can respond more efficiently and minimise risks.

At the same time, statutory safeguards such as Sections 40(4) and 43(4) BDSG should not be overlooked. Even if the VG Berlin interprets them narrowly, other courts may adopt broader interpretations. Controllers should therefore document the reasons why an information request was answered or – at least partially – treated with restraint. This creates transparency and helps prevent later allegations of a lack of cooperation.

For data protection officers, this gives rise to a clear need for action: information requests from supervisory authorities must not be answered reflexively or without internal coordination. Acting in isolation entails considerable risks – particularly where complex historical processing activities or extensive data‑exchange operations are involved. Data protection officers should be aware that such internal consultations are not a sign of excessive caution, but an essential component of a responsible compliance framework – not least to minimise their own liability risks and to ensure a consistent communication strategy on behalf of the organisation.

Overall, the decision demonstrates that organisations must take supervisory information requests seriously while at the same time carefully considering which information they provide and how they present it. A well‑prepared, strategic approach can reduce the risk of sanctions and preserve room for manoeuvre in both administrative and fine proceedings.