On the 5th of December 2023, the Court of Justice of the European Union (CJEU) delivered two judgments (cases C-807/21 and C-683/21) shedding light on the conditions and criteria for imposing and calculating fines for a breach of the General Data Protection Regulation (GDPR).
In case C-807/21, the Higher Regional Court of Berlin sought the CJEU’s guidance in a dispute between the German Data Protection Authority and a German real estate company operating in multiple EU Member States. The company contested a fine for neglecting to erase tenants’ data when no longer necessary.
In case C-683/21, the Regional Administrative Court of Vilnius filed a request for a preliminary ruling in a proceeding between the Lithuanian National Public Health Centre (NVSC) and the Lithuanian Data Protection Authority. The NVSC challenged a fine imposed on them for multiple violations of the GDPR linked to a COVID-19 monitoring application created by an IT company on their behalf.
Both cases prompted the CJEU to interpret Article 83 GDPR, which outlines the general conditions for imposing administrative fines for infringements of the GDPR. This article presents the key findings from the judgments regarding liability under the GDPR for organisations, conditions for GDPR infringements, controllers’ liability for processors’ actions, and the criteria for fine calculation when the controller is part of a group of companies.
The key takeaways from the CJEU judgments hold important consequences for organisations that fall within the scope of the GDPR:
- Liability of legal persons as controllers: Under German law, fines on legal persons can be imposed on the condition that the infringement is first attributed to an identified natural person (e.g., the legal person’s representatives). Since this condition is not expressly addressed in Article 83 GDPR, the CJEU was asked to clarify whether Article 83 GDPR allows national legislation to further specify the circumstances under which fines may be imposed for a violation of the GDPR. The CJEU clarified that the substantive conditions for the imposition of fines are exhaustively governed by the GDPR, and as a result, there is no room left to the discretion of national legislators to set additional requirements. Therefore, regardless of national law, where the controller is a legal person, it is not necessary for management to have been involved in the infringement for Article 83 GDPR to apply. Additionally, the CJEU ruled that, in assessing whether a fine is applicable to a legal person, whether the legal person in question qualifies as an “undertaking” (a term used in Article 83 GDPR) is irrelevant. This concept is relevant only for the purpose of determining the size of the administrative fine to be imposed, as further explained below.
- Wrongful conduct as a condition for the imposition of fines: The CJEU was asked to clarify whether an administrative fine may be imposed on a controller where there is an absence of any wrongful conduct on its part. The CJEU confirmed that it follows from the wording of Article 83(2) GDPR that only infringements of the GDPR committed wrongfully by the controller, that is to say those committed intentionally or negligently, can result in a fine being imposed.
- Controllers’ liability for processor infringements: The CJEU was asked to clarify to what extent, under Article 83 GDPR, a controller is liable for violations committed by its processors. The CJEU confirmed that a controller may be fined for infringements committed by the processor while processing on the controller’s behalf. The controller, however, bears no responsibility for violations committed by the processor while independently conducting processing for its own purposes. Likewise, the controller is not responsible for violations committed by a processor while processing data in a manner inconsistent with the controller’s instructions or in any way that cannot reasonably be construed as having the controller’s consent.
- Calculation of fines for groups of companies: As a secondary point, the CJEU clarified that the notion of an “undertaking” used in Article 83 GDPR gains significance solely for the purposes of fine quantification. An “undertaking” is a concept grounded in EU competition law, where it is described as an economic unit that can consist of several persons (natural or legal) working towards a specific long-term economic objective. As a result, a group of companies would constitute an economic unit, and therefore an undertaking. Consequently, where an administrative fine is levied on a company which is part of a larger group of companies, the maximum fine amount is calculated based on the total worldwide annual turnover of the group in the preceding business year.
Main Implications for Data Controllers
Data controllers should consider taking various actions to mitigate the GDPR-related risks highlighted in the rulings presented above. Such actions may include the following:
- Liability of legal persons and wrongful conduct: Regardless of national legislation, organisations will be held liable for GDPR infringements committed within their scope of control. This includes cases where personnel handle personal data unlawfully or where the technical and procedural measures adopted by management are not adequate. To strengthen compliance, organisations should confirm that they have appropriate procedures and data protection policies in place to ensure that all data processing is carried out in accordance with the GDPR. A careful review of the conditions listed under Article 83(2) GDPR (which are considered when deciding whether to impose an administrative fine and the amount of the fine) should also be conducted and used to guide such policies and procedures. Staff training should also be reviewed to ensure that staff are made aware of the importance of handling personal data in compliance with company policies and procedures, emphasising the collective responsibility.
- Controllers’ liability for processor infringements: As a controller, you will be held liable for infringements committed by the processor only insofar as these relate to the processing performed on your behalf. A key mitigation can be implemented by ensuring that any agreements in place with processors clearly specify the precise scope of the processing to be performed on behalf of your organisation. This will assist in avoiding any grey areas that could inadvertently extend the boundaries of your liability. Additionally, verifying that there are adequate mechanisms in place to record the instructions given to processors is well advised. More risk-averse organisations may wish to supplement these mitigations with proactive checks on whether processors are handling personal data in compliance with these instructions and the applicable law.
- Fines calculated based on the total worldwide annual turnover of a group of companies: The CJEU has now made clear that groups of companies will face potential fines calculated on the basis of revenues from all their entities. Multinationals and other such conglomerates may wish to reconsider their priorities and risk tolerance concerning GDPR violations. Adopting a consistent approach at the group level would be prudent in response to these developments.
Understanding the implications for data controllers’ responsibility and liability under the GDPR brought by the CJEU’s judgments is crucial for data controllers to address potential GDPR-related risks. Trilateral’s Data Protection and Cyber-Risk Team has significant experience in assisting organisations with the development of robust compliance plans to address GDPR requirements as well as other regulatory requirements. Feel free to contact our advisors if you would like to receive expert assistance in data protection compliance.