Uniform standards for data protection fine proceedings: the new DSK model guidelines (MRiDaVG)

The DSK has published a new model guideline for uniform standards for data protection fine proceedings (MRiDaVG).

On June 16, 2025, the Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) adopted the Model Guidelines for the Procedure on Fines (MRiDaVG). These are intended to ensure a uniform nationwide procedural practice for data protection supervisory authorities when sanctioning data protection violations under the GDPR.

Scope of application and legal basis

The MRiDaVG apply in all fine proceedings of the independent data protection supervisory authorities under the GDPR. They concern both domestic and cross-border situations and expressly regulate the relationship between Union law and national law. Particular attention is paid to the primacy of Union law and the principles of equivalence and effectiveness under Union law.

The MRiDaVG expressly refer to the requirements of the European Data Protection Board (EDPB) and integrate them as a primary interpretation aid. In addition, there is a clear distinction from administrative proceedings that are not of a regulatory nature.

Procedural principles and interpretation guidelines

The MRiDaVG focus on fundamental procedural maxims that are intended to ensure that proceedings are conducted in accordance with the rule of law, effectively and in compliance with EU law:

  • Priority of application and conformity with Union law: The guidelines make it clear that national legislation that contradicts the GDPR may not be applied in the context of administrative fine proceedings. Only the direct applicability and supremacy of Union law is decisive, as the European Court of Justice has repeatedly emphasized in its case law. This also means that national provisions must be interpreted in accordance with Union law.

  • Effectiveness requirement: The procedural design must ensure that the enforcement of data protection requirements is neither factually nor legally impeded. The supervisory authorities are obliged to structure their procedural practice in such a way that the effectiveness of the GDPR sanction mechanisms is fully safeguarded. This also includes the obligation to avoid procedural delays and to conduct investigations swiftly.

  • Opportunity principle: The MRiDaVG clarify that the data protection supervisory authorities act at their own discretion when deciding whether to initiate, continue or discontinue proceedings for fines. In doing so, the factors set out in Art. 83 para. 2 GDPR, such as the severity and duration of the infringement or the controller's willingness to cooperate, must be taken into account. This structures and limits the discretionary powers of the authorities.

  • Principle of synchronicity and parallelism: Administrative proceedings (e.g. order proceedings pursuant to Art. 58 para. 2 GDPR) and fine proceedings should generally be conducted in parallel, but strictly separated in terms of content and organization. The guidelines recommend close coordination of the timing of both proceedings. Particularly in the case of cross-border proceedings under Art. 60 GDPR, a coordinated approach is required in order to avoid contradictory decisions or procedural delays.

Overall, these principles form the procedural framework for the fining practice of the German data protection supervisory authorities and at the same time serve as guidelines for the interpretation and application of the substantive sanctions provisions of the GDPR.

Responsibility and process coordination

The model guidelines emphasize the functional separation of administrative proceedings and administrative fine proceedings within the data protection supervisory authorities. The aim is to ensure a clear organizational and substantive distinction between the two types of proceedings in order to avoid conflicts of interest and enable specialized processing. The units responsible for administrative fine proceedings should act independently, particularly with regard to investigations and decisions on sanctions.

A key instrument for the efficient coordination of proceedings is the option of transferring responsibility in accordance with Section 39 OWiG. The data protection supervisory authorities are expressly encouraged to make use of this option if it serves to speed up, simplify or better allocate resources. Particularly in cross-border cases pursuant to Art. 60 GDPR, it is considered sensible to concentrate responsibility with the lead authority in order to avoid duplication of procedures and legal uncertainty.

In addition, the MRiDaVG make it clear that close and trusting cooperation with the public prosecutor's office is essential. This applies in particular to proceedings with substantial fines or criminal relevance. In cases with an expected fine of more than EUR 10,000, the data protection supervisory authorities should actively seek contact with the competent public prosecutor's office. The involvement of the public prosecutor's office in the main hearing is recommended in accordance with the guidelines in order to effectively ensure the enforcement of data protection law, even in more complex case constellations.

Procedure and documentation

The MRiDaVG regulate the individual procedural steps in detail, ranging from the initiation to the final decision on a fine. Particular emphasis is placed on transparency, traceability and legal conformity.

  • File management: A separate file must be created for each fine procedure, which must be strictly separated from other administrative procedures. This separation is not only for organizational clarity, but also to ensure legally sound documentation. All documents, evidence and notes relevant to the proceedings must be kept complete and consecutive in this file.

  • Investigations: As part of their investigations, the data protection supervisory authorities have access to the instruments of the OWiG and the StPO. These include, in particular, questioning witnesses, obtaining information from third parties and securing and evaluating evidence. In the case of cross-border matters, the GDPR provisions on the cooperation and coherence procedure also apply. Investigations must always be carried out in compliance with the procedural rights of the persons concerned.

  • Exercise of discretion: The supervisory authorities must exercise their discretion as to whether and in what amount a fine is imposed. The criteria listed in Art. 83 para. 2 GDPR, such as the type, severity and duration of the violation, intentionality or negligence, as well as any mitigating circumstances or previous violations, must be taken into account. These considerations must be documented in a comprehensible manner.

  • Preparation of the decision: The administrative order imposing a fine must comply with the requirements of EU law. In particular, the obligation to name a natural person as the addressee does not apply in the case of direct liability of an association. In cross-border proceedings, it must also be ensured that the decision meets the formal requirements of a draft decision in accordance with Art. 60 and 65 GDPR. This includes, among other things, a detailed justification of the amount of the fine with reference to the discretionary criteria applied and the underlying findings of fact.

Information dissemination and public relations

The guidelines contain specific requirements for the disclosure of information to the public, supervisory authorities and registries:

  • Notifications to the Central Trade Register: For serious violations.

  • Press relations: Objectively and truthfully in compliance with the fair trial principle and the data protection of the persons concerned.

  • Attribution: Only permitted under certain conditions, for example if public reporting already exists.


Evaluation of the Model Penalty Guidelines in practice

The MRiDaVG are an important step towards a nationwide standardized and legally compliant structure of fine proceedings in data protection law. With their detailed regulations on procedural principles, responsibilities, investigative powers and documentation obligations, they provide clear guidance for both the supervisory authorities and the companies affected. The harmonization of procedures between the federal states should also help to reduce the existing differences in sanctioning practices and reduce legal uncertainty.

For companies and other controllers within the meaning of the GDPR, this means an increased need to review their internal compliance processes and adapt them where necessary. In particular with regard to the discretionary criteria emphasized in the MRiDaVG when assessing fines, well-founded internal data protection management systems are essential in order to achieve a possible reduction in liability.

It remains to be seen to what extent the courts will take into account the specifics contained in the MRiDaVG regarding the interpretation and application of the provisions of the law on fines. In particular, questions relating to the scope of the primacy of Union law, the content of the discretionary powers or the permissibility of naming names in public relations work could be subject to judicial review in the future.

Overall, the MRiDaVG strengthen legal certainty for all parties involved in the procedure, but at the same time increase the pressure to act on bodies that process data. They must consistently align their data protection organization and documentation with the requirements of the GDPR and adapt them to national procedural practice.

Source: Model guidelines for the procedure for fines imposed by data protection supervisory authorities (MRiDaVG)
