On 5 December 2023, the Court of Justice of the European Union handed down two judgments (C-807/21 Deutsche Wohnen and C-683/21 Nacionalinis[1]) in which it ruled that only a deliberate breach of the General Data Protection Regulation (the “GDPR”) can lead to an administrative fine by a national supervisory authority.
The German and Lithuanian courts have both requested for a preliminary ruling concerning the interpretation of Article 83 of the GDPR (entitled “General conditions for imposing administrative fines”). In particular, the Court of Justice was asked to clarify the conditions under which national supervisory authorities may impose administrative fines for breaches of the GDPR, and whether an objective breach of an obligation (“strict liability”) is sufficient to impose a fine under Article 83 of the GDPR.
The Court first pointed out that the substantive conditions to be met when imposing such a fine on a controller are governed solely by the law of the EU, leaving no room for manoeuvre to Member states in this respect. As regards those conditions, the Court underlined that the factors listed in the GDPR and on the basis of which the supervisory authority imposes such a fine include the “intentional or negligent character of the infringement” (Article 83, §2, b) of the GDPR). As a consequence, it is only in case of wrongful conduct that breaches of the GDPR committed by a controller may lead to an administrative fine pursuant to Article 83 of the GDPR. This is the case if the controller could not have been unaware of the infringing nature of its conduct, whether or not it is aware that it was infringing the provisions of the GDPR. Supervisory authorities will therefore have to prove that an intentional or negligent action has occurred in order to impose a fine, as a violation of the GDPR alone is not sufficient. It is nevertheless crucial for companies to be GDPR-compliant and document any internal decisions taken regarding data processing, in order to limit the risk of being fined.
In addition, the Court indicated that where the controller is a legal person, it is not necessary for the breach to have been committed by its management body, nor for that body to have even been aware of it. The Court adopted a broad approach, considering that a legal person is liable both for breaches committed by its representatives, directors or managers, as well as those committed by any other person acting in the course of its business and on its behalf. Moreover, the imposition of an administrative fine on a legal person as a controller cannot be subject to a previous finding that that infringement was committed by an identified natural person. This serves as a reminder to companies of the importance to design robust data processes and provide its staff with GDPR training.
The Court, adopting again a wide interpretation, also stated that a fine may be imposed on a controller in respect of processing operations carried out by a processor on its behalf unless, in the course of those operations, that processor has carried out processing for its own purposes or in a way incompatible with the framework or methods of processing as determined by the controller, or in such a way that it cannot reasonably be assumed that the controller would have consented thereto.
The Court also clarified that “joint control” by two or more entities results from their joint involvement in defining personal data processing purposes and methods. Such classification does not require a formal agreement between the entities beforehand. Although an agreement is an obligation imposed by the GDPR on joint controllers once qualified as such, it is not a prerequisite.
Finally, when determining fines for entities, particularly within an undertaking, the Court specified that the supervisory authority should base itself on the “undertaking” concept established by EU competition law (i.e. Articles 101 and 102 of the TFEU). This means that the maximum amount of the administrative fine is a percentage of the total worldwide annual turnover in the preceding business year of the undertaking concerned, taken as a whole (i.e. at group level). This approach, offering national supervisory authorities more flexibility due to an increased upper limit, could result in higher average fines for undertakings.
For more information on this subject, do not hesitate to contact one of the members of the IP/IT/Data Protection team of Liedekerke on their individual e-mail address or via ip/it-team@liedekerke.com.
[1] C.J.E.U., C-807/21, Deutsche Wohnen, 5 December 2023 and C.J.E.U., C-683/21, Nacionalinis, 5 December 2023, https://curia.europa.eu/.
Author
Key contacts
See all lawyers
