On the 5th of December 2023, the Court of Justice of the European Union (hereinafter – CJEU, the Court) issued two decisions that are significant for all data controllers. In two separate but related cases, Lithuanian and German national courts had referred questions regarding the conditions for imposing and calculating fines under the GDPR. The clarifications offered by the Court provide guidance on, among other topics, who can be fined and whether fault is required.
Background of the cases:
In Deutsche Wohnen SE v Staatsanwaltschaft Berlin, the questions raised by the German court stemmed from a dispute triggered by a EUR 14,385,000 fine imposed on Deutsche Wohnen SE (hereinafter – DW), a listed real estate company headquartered in Berlin. DW, through participating interests in various companies, owns around 163,000 residential units and 3,000 commercial units. The fine was imposed because of excessive personal data retention periods implemented by the company, and DW contested the decision in court. The court referred questions regarding the imposition of fines on legal entities, in light of potential conflicts with national law.
The second case was referred to the Court of Justice for a preliminary ruling by a Lithuanian court. Amid the COVID-19 pandemic, the Health Minister of Lithuania instructed the National Public Health Centre (hereinafter – NVSC) to procure an IT system for tracking individuals exposed to the virus. The NVSC engaged an IT service provider to create an app for this purpose. Due to GDPR violations related to this app, a fine of EUR 12,000 was imposed on the NVSC and a fine of EUR 3,000 on the IT service provider. The NVSC contested the decision, arguing that the IT service provider should be considered the sole controller. Consequently, six questions were referred to the Court.
The key takeaways:
1. A GDPR violation does not have to be committed by, or known to, a legal person’s management body to result in a fine. As explained by the Court, quite the opposite – legal persons are responsible for anyone acting in the course of their business, not just for their management bodies. In other words, the imposition of a fine on a legal person as a controller is in no way subject to a prior finding that the infringement was committed by an identified natural person.
2. GDPR fines require fault. The CJEU makes it clear that, before imposing any fine, it must be established that the controller committed the infringement intentionally or negligently. Such conduct, whether intentional or negligent, includes cases where the controller was aware, or should have been aware, that its conduct infringed the GDPR. Additionally, the Court emphasized that if a data processor acts intentionally or negligently, the data controller can also be held responsible, unless the processor carried out the processing for its own purposes, in a manner inconsistent with the framework agreed with the controller, or without the controller’s reasonable consent. Only under such circumstances may the data processor alone be liable.
3. Joint controllership
The Court also provided guidance on the concept of joint controllers. Specifically, it highlighted that the key question when assessing whether joint controllership exists is whether the parties jointly determine the purposes and means of the processing. A formal agreement is not required: a single joint decision, or overlapping decisions of the parties, can suffice. Nevertheless, joint controllers should establish their respective responsibilities by mutual agreement.
4. Other considerations for the calculation of GDPR fines
The Court also clarified that, when calculating a fine for an entity that is, or is part of, an undertaking, the competition-law concept of an undertaking must be applied. Accordingly, the maximum amount of the administrative fine is calculated as a percentage of the total worldwide annual turnover of the undertaking concerned in the preceding business year.
The content of this article is intended to provide a general guide to the subject matter. If you need assistance regarding a specific situation related to GDPR compliance or any other personal data protection question, please consult the experts of ECOVIS ProventusLaw.
Links to cases (C‑807/21 and C‑683/21)
Prepared by ECOVIS ProventusLaw junior associate Julija Ginotytė