The Court of Justice of the European Union (“CJEU”) has ruled on the conditions under which national data protection supervisory authorities may impose administrative fines on one or more data controllers for a violation of EU Regulation 679/2016 (“GDPR”).
Let’s cover the specifics of the case:
The case leading to the CJEU decision
The case originates from the submission of a request for a preliminary ruling to the CJEU, conveyed under Article 267 of the Treaty on the Functioning of the European Union, by a Lithuanian court (in C-683/21) and a German court (in C-807/21).
The national courts referred the case to the CJEU in order for the CJEU to provide its interpretation of Article 83 of the GDPR, regarding the conditions for the imposition of administrative fines for violation of the Regulation.
Specifically, the challenges originated from the following sanctioning measures:
- in the Lithuanian case, the National Center for Public Health of the Ministry of Health contested a fine in the amount of 12,000 euros imposed on it with reference to the creation of a mobile application for the purpose of recording and monitoring the data of persons exposed to Covid-19, which was implemented with the assistance of a private company; while
- in the German case, a real estate company, which indirectly owns hundreds of thousands of housing units and commercial units, contested, among other things, a fine of more than 14 million euros, imposed on it for storing the personal data of tenants for longer than necessary.
The interpretation provided by the CJEU on GDPR fines
The following summarizes the principles of law developed by the CJEU rendered in Cases C-683/21 and C-807/21 with reference to the manner in which administrative fines for violating the GDPR are imposed:
- it is only possible to impose an administrative pecuniary fine for a violation of the GDPR on a data controller if the violation was committed intentionally or negligently. This requirement is fulfilled when the data controller could not have been unaware of the unlawfulness of its conduct, regardless of whether or not it had actual knowledge of the breach;
- when the controller is a legal entity, it is not necessary that the violation was committed by one of its administrative bodies or that this body had knowledge of it. On the contrary, a legal person is liable both for violations committed by its representatives, directors or managers and for violations committed by anyone acting in the course of its business or on its behalf;
- the imposition of an administrative fine on a legal entity in its capacity as a data controller cannot be made conditional on a prior finding that said violation was committed by an identified individual;
- a fine may also be imposed on a data controller for operations carried out by a sub-contractor (processor or sub-processor) to the extent that such operations can be imputed to the data controller;
- when the recipient of the financial penalty is part of a group of companies, the calculation of the financial penalty should be based on the turnover of the whole group;
- classification as a “joint controller” does not require a formal agreement between the companies. Joint or converging decisions are sufficient, but the respective responsibilities must be defined;
- with regard to the calculation of the GDPR fine when the recipient is or is part of an enterprise, the supervisory authority must rely on the notion of “enterprise,” inherent in the competition law of the European Union, which includes any entity engaged in an economic activity, regardless of its legal status and method of financing. Therefore, this notion refers to an economic unit even if, in legal terms, it consists of several natural or legal persons;
- the maximum amount of the fine must be calculated on the basis of a percentage of the global annual worldwide turnover in the previous financial year of the enterprise concerned, taken as a whole.
Some considerations for companies on the CJEU decisions relating to GDPR fines
These CJEU decisions are particularly interesting for companies to which the GDPR applies because they clarify the conditions for the application of administrative fines, which may be imposed whenever the data controller could not have been unaware of the unlawfulness of its behavior, regardless of whether or not it had actual knowledge of the infringement.
On a similar topic you might be interested in “Rules to calculate GDPR fines by the Italian Supreme Court.”