The European Court of Justice (CJEU) has clarified the conditions under which a national supervisory authority (DPA) may fine one or more controllers for violations of the GDPR. In particular, it points out that the imposition of such fines is predicated on illegal activity. In other words, the violation must be committed intentionally or negligently. Furthermore, if the recipient of the fine is part of a corporate group, the calculation of the fine must be based on the turnover of the group as a whole.

Judgments of the Court in Cases C-683/21 | Nacionalinis visuomenės sveikatos centras and C-807/21 | Deutsche Wohnen

A Lithuanian court and a German court sought the CJEU’s advice regarding the possibility for national DPAs to issue fines on the data controllers that infringe the regulation provisions. 

In the Lithuanian case, the National Public Health Centre under the Ministry of Health contested a fine of € 12 000 imposed on it in the context of the creation, with the assistance of a private undertaking, of a mobile application for registering and monitoring the data of persons exposed to Covid-19. 

In the German case, a real estate company and its group of undertakings (which held approximately 166,000 buildings) contested a fine of over € 14 million. The fine was imposed because the company stored the personal data of tenants for longer than necessary. 

The CJEU decision 

The Court holds that a data controller should not receive an administrative fine unless it is proved that the infringement was committed wrongfully, that is to say, intentionally or negligently. According to the CJEU, this happens when the controller could not have been unaware of the infringing nature of its conduct, regardless of whether or not it was aware of the infringement. In particular, it is not necessary that: 

  • the infringement was committed by the controller’s management body 
  • the management body was aware of the infringement 

On the contrary, if the data controller is a legal person, it is liable for infringements committed by: 

  • its representatives, directors, or managers 
  • any other person acting in the course of the business of that legal person and on its behalf (it is irrelevant if the infringement was committed by an identified natural person) 
  • a processor performing data processing activities on its behalf 

Finally, the Court clarifies that Joint-Controllership arises solely from the fact that those entities have participated in the determination of the purposes and means of processing. There is then no need for a formal arrangement between the entities in question. A common decision, or converging decisions, are sufficient. However, when there is a Joint Controllership, the parties involved must determine their respective responsibilities by means of an arrangement between them. 

Final observation 

About the calculation of the fine where the addressee is or forms part of an undertaking, the Court states that the competent DPA must: 

  • take into account the undertaking under competition law 
  • calculate the fine on the basis of a percentage of the total worldwide annual turnover of the undertaking concerned, taken as a whole, in the preceding business year. 

Source: https://curia.europa.eu/jcms/upload/docs/application/pdf/2023-12/cp230184en.pdf