Luxembourg, 5 December 2023
PRESS RELEASE No 184/23
Only a wrongful infringement of the General Data Protection Regulation may result in an administrative fine being imposed.
Where the addressee of the fine forms part of a group of companies, that fine must be calculated on the basis of the group’s turnover.
The Court of Justice clarifies the conditions under which national supervisory authorities may impose an administrative fine on one or more controllers for an infringement of the General Data Protection Regulation (GDPR). In particular, it holds that the imposition of such a fine requires that there be wrongful conduct; in other words, that the infringement has been committed intentionally or negligently. Moreover, where the addressee of the fine forms part of a group of companies, the calculation of that fine must be based on the turnover of the entire group.
A Lithuanian court and a German court have asked the Court of Justice to interpret the General Data Protection Regulation (GDPR)1 regarding the possibility for national supervisory authorities to penalise the infringement of that regulation by imposing an administrative fine on the data controller.
In the Lithuanian case, the National Public Health Centre under the Ministry of Health is contesting a fine of € 12 000 which has been imposed on it in the context of the creation, with the assistance of a private undertaking, of a mobile application for registering and monitoring the data of persons exposed to Covid-19.
In the German case, the real estate company Deutsche Wohnen, which indirectly holds approximately 163 000 housing units and 3 000 commercial units, is contesting, inter alia, a fine of over € 14 million which has been imposed on it as a result of its having stored the personal data of tenants for longer than necessary.
The Court holds that a data controller may not have an administrative fine imposed on it for an infringement of the GDPR unless that infringement was committed wrongfully, that is to say, intentionally or negligently. That is the case where the controller could not have been unaware of the infringing nature of its conduct, regardless of whether or not it was aware of the infringement.
Where the controller is a legal person, it is not necessary for the infringement to have been committed by its management body; nor is it necessary for that body to have had knowledge of that infringement. On the contrary, a legal person is liable both for infringements committed by its representatives, directors or managers, and for those committed by any other person acting in the course of the business of that legal person and on its behalf. Moreover, the imposition of an administrative fine on a legal person as a controller cannot be subject to a previous finding that that infringement was committed by an identified natural person.
The Court of Justice clarifies the conditions under which national supervisory authorities may impose an administrative fine on one or more controllers for an infringement of the General Data Protection Regulation (GDPR). In particular, it holds that the imposition of such a fine requires that there be wrongful conduct; in other words, that the infringement has been committed intentionally or negligently. Moreover, where the addressee of the fine forms part of a group of companies, the calculation of that fine must be based on the turnover of the entire group.
Furthermore, a controller may also have a fine imposed on it in respect of operations performed by a processor, to the extent that the controller may be held responsible for such operations. With regard to joint control by two or more entities, the Court clarifies that such control arises solely from the fact that those entities have participated in the determination of the purposes and means of processing. Classification as ‘joint controllers’ does not require that there be a formal arrangement between the entities in question. A common decision, or converging decisions, are sufficient.
However, where there are in fact joint controllers, they must determine their respective responsibilities by means of an arrangement between them. Lastly, as regards the calculation of the fine where the addressee is or forms part of an undertaking, the supervisory authority must take as its basis the concept of an ‘undertaking’2 under competition law. Thus, the maximum amount of the fine must be calculated on the basis of a percentage of the total worldwide annual turnover of the undertaking concerned, taken as a whole, in the preceding business year.
NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2 That concept covers any entity engaged in an economic activity, irrespective of the legal status of that entity and the way in which it is financed. The concept of an undertaking therefore refers to an economic unit even if, in law, that economic unit consists of several natural or legal persons.
Source – EU Court of Justice – Email