European court of justice clarifies conditions for imposing GDPR fines
The Court of Justice of the European Union (the CJEU) has issued judgments which clarify the conditions for imposing fines for breach of the General Data Protection Regulation (the GDPR).[1]
The CJEU rejected strict (no fault) liability for GDPR infringements and held that only wrongful (intentional or negligent) infringements may lead to a fine. Additionally, the CJEU held that, where the addressee of a fine is or forms part of an undertaking (or corporate group), the maximum potential fine must be calculated on the basis of the undertaking’s total worldwide (group-wide) turnover. Although a UK court may have regard to this ruling, it is not bound by it following the UK’s exit from the European Union.
On 5 December 2023, the CJEU issued judgments in Cases C-683/21 (‘Nacionalinis’) and C-807/21 (‘Deutsche Wohnen’). These judgments follow requests from respectively a Lithuanian Court and a German Court to the CJEU to interpret the GDPR regarding the conditions which must exist for a national supervisory authority to impose a fine on a controller for an infringement of the GDPR. Article 4(7) of the GDPR defines a controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
Article 83(1) GDPR provides that each supervisory authority shall ensure that the imposition of administrative fines for infringement of the GDPR shall “in each individual case be effective, proportionate and dissuasive”. Article 83(2) GDPR provides that administrative fines shall, depending on the circumstances of each case, be imposed in addition to, or instead of, alternative measures, such as warnings, reprimands and orders compelling conduct to ensure compliance. It also provides that, when deciding whether to impose an administrative fine and deciding on the amount of the fine in each case, due regard must be given to various factors, including the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, any action taken by the controller or processor to mitigate damage suffered by data subjects (individuals), and the degree of responsibility of the controller or processor.
In Nacionalinis, the National Public Health Centre under the Ministry of Health contested a fine imposed on it regarding the creation of a mobile application for the registration and monitoring of data of persons exposed to Covid-19. The application was created with the assistance of a private undertaking. The Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius) referred questions to the CJEU regarding the concept of “controller” and the requirements of the relationship between joint controllers.[2]
In Deutsche Wohnen, Deutsche Wohnen (a real estate company) contested a fine imposed on it for failing to take the necessary measures to allow tenants’ personal data regularly to be erased where such data was no longer necessary or had been stored erroneously. Additionally, Deutsche Wohnen had unnecessarily stored the personal data of at least 15 tenants.[3] The Kammergericht Berlin (Higher Regional Court, Berlin) referred questions to the CJEU regarding bringing a fine against an undertaking directly and the culpability required for a fine to be imposed.[4]
Infringement must be wrongful
The CJEU rejected strict (no fault) liability for GDPR infringements. In both judgments, the CJEU held that only wrongful infringements of the GDPR can result in the imposition of a fine on the controller. Wrongful infringements are “those committed intentionally or negligently”.[5] Although the CJEU rejected strict liability, the scope of liability is rather wide. Specifically, the CJEU clarified that a controller may be considered to have committed a wrongful infringement and thus may be fined where the controller “could not have been unaware of the infringing nature of its conduct, whether or not it was aware that it was infringing the provisions of the GDPR”.[6] In other words, a controller may be fined where the controller was in a position to determine that its conduct was infringing in nature. It is irrelevant whether the controller had in fact established that its conduct was infringing the GDPR.[7] When determining whether the controller was in such a position, the court may consider, amongst other things, (a) the clarity of the relevant provisions of the GDPR and (b) whether other controllers had been aware of the infringing nature of similar conduct.[8]
Where the controller is a legal person, such as a company or other organisation, it is unnecessary for the infringement to have been committed by its management body, or for the management body to have had knowledge of the infringement.[9]
Who is liable for an infringement?
In Deutsche Wohnen, the CJEU held that legal persons are liable for infringements of the GDPR committed by their representatives, directors or managers, as well as infringements committed “by any other person acting in the course of the business of those legal persons and on their behalf”.[10] Further, the CJEU held that the imposition of a fine on a legal person as a controller for an infringement of the GDPR is not subject to a previous finding that the infringement was committed by an identified natural person.[11]
In Nacionalinis, the CJEU found that a controller may be fined for personal data processing operations performed by a processor on the controller’s behalf. However, this does not apply where, in the context of those operations:
- the processor carried out processing for its own purposes;
- the processor processed personal data in a manner incompatible with the framework of, or detailed arrangements for, the processing as determined by the controller; or
- the processor processed personal data in such a manner that it cannot reasonably be considered that the controller consented to such processing.[12]
Article 26(1) GDPR defines ‘joint controllers’ as two or more controllers that “jointly determine the purposes and means of processing”. The CJEU held that there does not need to be an arrangement between the controllers regarding the determination of the purposes and means of processing personal data.[13] Rather, classification of two or more entities as joint controllers arises solely from the fact that they have participated in the determination of the purposes and means of processing.[14] The CJEU also held that there does not need to be an arrangement laying down the terms of the joint control.[15] However, the joint controllers must determine their respective responsibilities by means of an arrangement between them.[16] Indeed, Article 26 GDPR requires joint controllers to determine “in a transparent manner” their respective roles and responsibilities for compliance, especially regarding the rights of data subjects and the obligation to provide privacy notices. This relationship, and the allocation of responsibilities, should be made clear to data subjects and addressed in contractual arrangements.
Calculating the fine
In Deutsche Wohnen, the CJEU commented that the concept of an ‘undertaking’ is relevant for the purpose of calculating the amount of a fine.[17] The concept of an ‘undertaking’ “covers any entity engaged in an economic activity, irrespective of the legal status of that entity and the way in which it is financed” and therefore, “the concept of an undertaking defines an economic unit even if in law that economic unit consists of several persons, natural or legal”.[18]
The CJEU found that when a supervisory authority decides to impose a fine on a controller (or a processor) which is or forms part of an undertaking, it must take as its basis the concept of an undertaking under competition law (specifically Articles 101 and 102 TFEU).[19] Therefore, the maximum amount of the fine must be calculated on the basis of a percentage of the total worldwide annual turnover of the undertaking (group) in the preceding business year.[20]
Status of CJEU judgments in the UK following Brexit
Section 6(1)(a) of the European Union (Withdrawal) Act 2018 provides that a UK court or tribunal is “not bound by any principles laid down, or any decisions made, on or after exit day[21] by the European Court”. However, a UK “court or tribunal may have regard to anything done on or after exit day by the European Court, another EU entity or the EU so far as it is relevant to any matter before the court or tribunal”.[22]
Given that the EU GDPR and UK GDPR are very similar, the UK courts may take account of these judgments. However, these judgments may become less relevant if and when the Data Protection and Digital Information Bill[23] (the Bill) comes into force. The Bill introduces some significant changes which may lead the UK courts to conclude that CJEU judgments regarding the EU GDPR are less applicable when interpreting UK data protection legislation.
Businesses should ensure that their contracts with parties with whom they share personal data (whether as independent controllers, joint controllers or processors) contain appropriate terms on allocation of responsibilities and liabilities under the GDPR. Fines imposed for breaches of the GDPR are increasingly large and businesses should ensure that they are protected appropriately, both contractually and potentially by cyber risk insurance.
Footnotes
1. Regulation (EU) 2016/679
2. C-683/21, paragraph 26
3. C-807/21, paragraph 18
4. C-807/21, paragraph 26
5. C-683/21, paragraph 73; C-807/21, paragraph 68
6. C-683/21, paragraph 81; C-807/21, paragraph 76. In both judgments, the CJEU refers to three cases to support this point, including Lundbeck v Commission (Case C-591/16 P) (see footnote 7).
7. Lundbeck v Commission, C-591/16 P, paragraph 158
8. Lundbeck v Commission, C-591/16 P, paragraph 160, sets out the factors that the General Court had considered in concluding that the relevant undertaking was in a position to determine that its conduct was anti-competitive.
9. C-807/21, paragraph 77
10. C-807/21, paragraph 44
11. C-807/21, paragraph 46
12. C-683/21, paragraph 86
13. C-683/21, paragraph 46
14. C-683/21, paragraph 45
15. C-683/21, paragraph 46
16. C-683/21, paragraph 45
17. C-807/21, paragraph 53. Articles 83(4)-(6) concern the calculation of fines.
18. C-807/21, paragraph 56
19. C-807/21, paragraph 59
20. C-807/21, paragraph 57
21. ‘Exit day’ was 31 January 2020 at 11pm. ‘Exit day’ was originally defined as 29 March 2019 at 11pm in section 20(1) of the European Union (Withdrawal) Act 2018. This was amended to 31 January 2020 by paragraph 2 of The European Union (Withdrawal) Act 2018 (Exit Day) (Amendment) (No. 3) Regulations 2019.
22. European Union (Withdrawal) Act 2018, section 6(2)
23. Data Protection and Digital Information Bill – Parliamentary Bills – UK Parliament