Record Reduction: Regional Court Hanover cuts multi-million GDPR fine to barely 7%
Insight Article, 23 March 2026
UK and Europe
Regulatory movement
Regional Court Hanover, Order of 6 May 2024, case no. 128 Owi-LG 5301 Js 114949/21 (1/21)
The Regional Court (Landgericht) Hanover (“Court”) has reduced a fine of EUR 10.4 million imposed by the Lower Saxony State Commissioner for Data Protection (Landesbeauftragter für den Datenschutz Niedersachsen – “LfD Niedersachsen”) against a system house and mail order company for unlawful video surveillance in work, sales and break areas to EUR 700,000 (Regional Court Hanover, Order of 6 May 2024, case no. 128 Owi-LG 5301 Js 114949/21 (1/21)). The Court confirmed violations of the GDPR but significantly corrected the amount of the fine and the justification of the authority on several points.
The case
The LfD Niedersachsen had imposed a fine of EUR 10,417,000.00 on the company, a system house and mail order company for products in the fields of consumer electronics, communication, IT and household appliances (“Controller”), in an administrative fine notice dated 16 December 2020. According to the LfD Niedersachsen, the Controller had installed a total of 81 video cameras in sales and work rooms as well as in publicly accessible outdoor areas of its retail stores used as break areas between 25 March 2017 and 18 July 2019. Customers, employees and uninvolved third parties were present in the areas under video surveillance. In addition, the Controller did not black out the areas inviting customers to linger, publicly accessible parts of the outdoor area, sales and work rooms and the outdoor area used as a break room, and stored the recordings for an excessive period of time.
The supervisory authority proceedings were initiated by a complaint in March 2017 about numerous cameras at the Controller's premises. The LfD Niedersachsen initiated supervisory proceedings in March 2017, i.e. before the General Data Protection Regulation (“GDPR”) came into force.
The locations of the Controller that were subject to the supervisory authority proceedings are used to carry out logistical activities such as the processing of customer returns and returns to suppliers. Parts of product management, sales and IT are also based there.
The purposes of the processing included monitoring and enforcing domiciliary rights, preventing unauthorised access, and detecting and investigating criminal offences. All video data was stored by the Controller for 60 days. The Controller had not carried out a prior review of the processing but did so before the GDPR came into force in March 2018 in the supervisory authority proceedings. The Controller was of the opinion that a storage period of up to 60 weekdays was still appropriate and necessary for the investigation of thefts. The Controller stated that the further purposes - monitoring the receipt and dispatch of goods, the handling of goods and the verification of the handling of third-party goods - also made the storage period necessary, as internal processing usually took four to six weeks. The LfD Niedersachsen rejected the purpose of goods control as a mere pretext and deemed a retention period for surveillance footage of non-public areas in the warehouse of 72 hours to 10 days to be acceptable. During the proceedings, the Controller removed cameras, realigned them, extensively masked large areas within their fields of view and reduced the retention period.
On 2 October 2019, the LfD Niedersachsen concluded the supervisory procedure and issued a reprimand against the Controller in accordance with Article 58(2)(b) GDPR, imposing the costs of the administrative proceedings. The case was subsequently referred within the LfD Niedersachsen to the department responsible for administrative offences, which in November 2019 initiated administrative offence proceedings and imposed an administrative fine of EUR 10,417,000.00 on the Controller.
Following the supervisory authority proceedings and prior to the judgment of the Regional Court Hanover, several employees of the Controller were convicted of aggravated gang theft for offences committed between March and May 2018.
The Court's reasons
The Court considers the fine notice to be largely lawful on its merits. However, it orders a significant reduction in the amount of the fine. In the end, the administrative fine imposed at the judicial stage amounted to less than 7% of the original fine.
In the view of the Court, the Controller culpably infringed Article 5(1)(a), Article 6 GDPR, § 26 BDSG, Article 17 and Article 25 GDPR and thus committed an administrative offence in terms of Article 83(2), (4)(a) and (5)(a) and (b) GDPR.
The Court is convinced that the relevant period of the offence ran from 5 May 2018 to 18 July 2019. This follows from the video recordings submitted during the administrative proceedings. In particular, the Court states that the LfD Niedersachsen has shifted the start of the offence too far forward. The start date is not based on the complainant's submission, but solely on the video recordings submitted in the administrative proceedings. The Court also notes that the cameras were not in use throughout the entire period; rather, several groups of cameras were active only during certain intervals, because the Controller implemented various adjustments in response to the concerns raised during the supervisory proceedings. With regard to the end of the offence, the Court concurs with the opinion of the LfD Niedersachsen. For the offence to be established, it is not decisive how many cameras were in operation at which point in time. What matters is that the unlawful state of affairs existed on a broad scale and not merely as an isolated occurrence.
Video recordings of employees – Violation of Articles 5(1)(a) and 6 GDPR and Section 26 BDSG
The processing of personal data relating to employees was unlawful, as 81 cameras recorded sales areas, workspaces and parts of an outdoor area used as a break space.
The Court considers Section 26 of the Federal Data Protection Act (New Version) (Bundesdatenschutzgesetz neue Fassung - “BDSG n.F.”) as the relevant potential legal basis but rejects any justification for data processing under Section 26(1) sentence 2 BDSG n.F. In the Court’s view, that provision may in principle also cover preventive measures aimed at averting criminal offences. With regard to the necessity of the video surveillance, the Court clarifies that gate or bag checks - identified by the LfD Niedersachsen as a less intrusive measure - could only prevent theft committed solely by employees but were not suitable to prevent theft committed by supposed customers acting in concert with employees. Nevertheless, the video surveillance was insufficient as a deterrent or preventive measure, as it had been deliberately circumvented. A balancing of conflicting interests of employees and the Controller weighed in favour of the employees. An allegedly deterrent effect of video surveillance cannot in itself justify permanent and/or non‑event‑related monitoring of employees; otherwise, surveillance could be expanded without limit to the detriment of affected individuals.
Regarding the asserted purpose of goods tracking, the Court criticises the LfD Niedersachsen for insufficient fact‑finding. The authority should not have dismissed this purpose as a mere pretext without further examination and ought to have conducted an exemplary on‑site inspection. Nevertheless, this does not change the outcome: Even for purposes of goods tracking, the surveillance was not necessary, because the cameras captured individuals and not merely goods, packaging or equipment. The scope of the video recordings was therefore not suitable to serve the alleged legitimate interest. It is not acceptable to allow traders or mail‑order companies to gain a cost advantage by replacing personnel‑based controls with extensive video surveillance.
Articles 6(1)(b) and (c) GDPR are likewise inapplicable as legal bases: Monitoring employees as they carry out contractual tasks neither constitutes performance of a contract nor compliance with a legal obligation in terms of those provisions.
Video recordings of customers and uninvolved third parties – No violation of Articles 5(1)(a) and 6 GDPR
According to the Court, the recording of customers and uninvolved third parties was lawful. Monitoring sales areas to prevent theft by customers is, in principle, covered by the Controller’s legitimate interests under Article 6(1)(f) GDPR and is common practice. The Court does not consider the monitoring in question to constitute excessive surveillance of customers. It finds no overriding, particularly protected interests on the part of customers that would preclude such monitoring. Given that the various infringements formed a unitary course of conduct (tateinheitliche Begehungsweise), a partial acquittal was not warranted.
Excessive retention period – Violation of Article 17(1) GDPR
The Court classifies the storage of video material from 39 cameras for periods ranging from 10 to 60 days as a violation of Article 17(1) GDPR. The Court clarified that storage periods are not necessarily limited to the 72 hours suggested by the German Data Protection Conference (Datenschutzkonferenz – "DSK"), provided that a robust, pre‑defined and graduated surveillance concept is in place. However, the Controller completely lacked such a concept. Video surveillance did not constitute merely one element among several control mechanisms but effectively served as the primary measure for theft prevention and/or goods control. In the absence of a documented concept and alternative measures, the extended retention periods were not necessary and were therefore unlawful under data protection law.
Lack of masking and absence of a processing concept – Violation of Article 25(2) GDPR
The Court finds that the failure to mask certain areas of sales and workspaces as well as the break area, together with the absence of a viable processing concept, constitutes an infringement of Article 25(2) GDPR.
This violation, however, carries less weight, as Article 83(4) GDPR provides for a significantly lower fine range for breaches of Article 25(2) than the one applicable under Article 83(5) GDPR, which governs the more serious substantive infringements also established in the case.
Unitary offences
The Court assumes unitary concurrence of offences (Tateinheit) pursuant to Section 19 of the Administrative Offences Act (Gesetz über Ordnungswidrigkeiten – “OWiG”) as all established infringements stem from a single underlying decision and must be regarded as one natural course of conduct. The Court does not consider a separation of the various processing purposes - namely between theft prevention on the one hand and goods‑flow or inbound/outbound goods control on the other - to be warranted. What is decisive is that, in the Court’s view, the video recordings were also intended to be used for the detection of potential theft in those areas where the Controller claimed that the primary purpose was goods control. Thus, across all affected camera segments, the surveillance pursued the same overarching complex of purposes. A division into separate offences is therefore precluded, making the assessment as a single unitary offence legally consistent.
Determination of the administrative fine
The Court bases its calculation of the fine on the GDPR because the relevant period of the offence extended across the applicability of the former BDSG (“BDSG a.F.”) and continued into the subsequent GDPR regime. The applicable provision is Article 83(5) GDPR. The Court considers the infringement of Article 25 GDPR to recede pursuant to Section 19(2) sentence 1 OWiG, as the offences were assessed as a single unitary act.
Relying on the case law of the European Court of Justice (“ECJ”) on antitrust fines, the Court uses the last financial year completed before the fine was imposed to determine the upper limit in terms of Article 83(5) GDPR and arrives at a statutory maximum fine of EUR 29,433,695.62.
The Court ultimately evaluates the infringements as being of minor severity. The Court took into account as mitigating factors that the data collected was only viewed and evaluated on an event-driven basis, that the vast majority of recordings were deleted unviewed once the retention period had expired, that the surveillance pressure initially exerted by the extensive video surveillance had noticeably decreased as a result of the supervisory proceedings through the removal, realignment and masking of cameras, that there was an increased risk of theft, and that the LfD Niedersachsen had failed to consider the purpose of goods control. Also weighing in the Controller’s favour were its cooperative conduct, including the complete remediation of the deficiencies by the end of the proceedings, and the initial difficulties in the transition to GDPR standards. To the extent that infringements of the pre‑GDPR legal regime were sanctionable, the corresponding statutory fine levels were significantly lower. The lack of clear guidelines and case law regarding the implementation of the GDPR and the resulting legal uncertainty, particularly during the transition period between the old and new regulations, are also considered mitigating factors by the Court. In this respect, the Controller's assumption that a 60‑day retention period was permissible because it conducted only event‑driven reviews amounted to an avoidable mistake of law (vermeidbarer Verbotsirrtum).
The Court does not consider the behaviour of the Controller to be an intentional violation. Rather, it assumes that the Controller considered the processing to be lawful before and during the supervisory authority proceedings and also relied on the assessment of its external data protection officer.
Nevertheless, the Court affirms negligence. Such negligence can also be assumed without identifying, in the individual case, a specific natural person whose conduct or omission is attributable to the infringement. The GDPR is based on a prohibition subject to specific authorization and requires controllers to maintain an appropriate level of awareness of legal risks and to establish organisational measures that ensure lawful processing through instructions, supervision and control. Where - as here - an unlawful data‑processing situation exists, and no special exonerating circumstances are shown, this indicates a breach of duty on the part of the company’s owner or authorised management body and thus at least negligence. The decision to implement comprehensive video surveillance is attributable to senior management; that their data‑protection obligations were, at a minimum, negligently not sufficiently fulfilled follows from the established infringements.
Regarding the calculation of the administrative fine, the Court expressly distances itself from the concept developed by the German Data Protection Conference (Datenschutzkonferenz – "DSK"), which relies primarily on the annual turnover to determine the fine range for corporate offenders. Article 83(2) sentence 2 GDPR primarily considers aspects related to the offence. The rigid focus on annual turnover leads to structurally inconsistent outcomes, particularly where small companies commit serious infringements or large companies commit minor ones. In the absence of a reliable basis in the GDPR, the Court considers it necessary - in the interest of a comparable level of sanctions - to rely instead on the cross‑jurisdictional approach developed by the European Data Protection Board (“EDPB”). To determine the fine concretely, the Court therefore applies the EDPB's Guidelines 04/22 on the calculation of administrative fines under the GDPR. Based on a low degree of severity, the Court sets the initial fining range at 0–10% of annual turnover (in this case: €2,943,369.56) and reduces it to 75% due to the company’s low profit margin, resulting in an adjusted upper threshold of EUR 2,207,527.21.
On this basis, the Court imposes a fine of €700,000.00. In doing so, it (again) takes into account that part of the offence was committed before the GDPR entered into force, that the Controller made efforts to remedy the situation promptly thereafter, that the allegations were based exclusively on the information provided by the Controller and that no on-site inspection was carried out. The Court also considers it mitigating that the video footage was only reviewed on an event‑driven basis, and that the Controller suffered reputational damage due to the public issuance of the fine notice.
Conclusion
The significant reduction in the fine is justified and therefore welcome. The decision once more demonstrates that challenging a GDPR fine in court can be worth it, even if the underlying GDPR infringement cannot be refuted.
Surprisingly, the decision does not address the question of whether a prior reprimand pursuant to Article 58(2)(b) GDPR could preclude or at least limit the subsequent imposition of a fine. From the Controller’s perspective, clarification on this would have been necessary, as the blocking effect is controversial in the light of the prohibition of double punishment (ne bis in idem) and the ECJ has not yet ruled on this issue.
With regard to the reliance on Section 26(1) BDSG n.F. as a specific legal basis, it must be noted that Section 26(1) sentence 1 BDSG n.F. has been inapplicable since the ECJ’s judgment of 30 March 2023 (case number C-34/21). The Federal Labour Court (Bundesarbeitsgericht – "BAG") excludes the applicability of the entire first paragraph (BAG, judgment of 8 May 2025 – 8 AZR 209/21).
With respect to the retention period, the Court emphasises in particular that retention periods longer than the 48-72 hours suggested in the DSK guidelines may, in principle, be lawful from the outset, provided they are supported by a viable, pre-documented and graduated concept.
The Court rightly criticises the DSK’s turnover-based model for determining the fine range. Article 83(2) GDPR primarily focuses on criteria related to the offence and a rigid dependence on turnover can lead to results that are contrary to the system. The Court’s reliance instead on the cross‑jurisdictional approach of the EDPB strengthens the harmonisation of sanctioning practice and increases predictability for companies.
The Court assesses intent and negligence not at the level of the violation of the GDPR itself, but—unusually—within the culpability and sentencing assessment during the fine calculation. This appears to draw on the ECJ’s judgment in Deutsche Wohnen (ECJ, judgment of 2 December 2023 – C‑807/21). The ECJ requires culpable conduct for the imposition of GDPR fines, without demanding the identification of a specific natural person. The Court rejects an unavoidable mistake of law that would exclude culpability but regards the avoidable mistake of law as a mitigating factor. At the same time, it holds that the mere existence of an unlawful processing situation is sufficient to infer that the obligations of the company’s owner or authorised representative were not adequately fulfilled. As a rule, this warrants the assumption of negligent conduct.
The Court also correctly considers the insufficient investigation of the facts by the LfD Niedersachsen as a mitigating factor. The LfD Niedersachsen had prematurely dismissed the purpose of the goods inspection as a mere pretext without pursuing further investigation of the facts such as an exemplary on‑site inspection—contrary to the principle of official investigation governing administrative offence proceedings. Equally consistent is the limitation of the offence period to the time after 5 May 2018, because reliable video recordings were only available from that date onwards. A mere complaint submitted to the authority does not entitle it to infer an earlier start of the offence, as this does not reveal the exact number and alignment of the cameras or the actual processing activity.
Despite its deficiencies – in particular the failure to address whether a prior reprimand could operate as a bar to later fining and the application of Section 26(1) BDSG n.F. – the judgment nevertheless sets important markers for a proportionate fining practice and sharpens, in a noteworthy way, the data‑protection obligations imposed on controllers.

