Culpable breach of the GDPR can lead to a fine

If the addressee of the fine is part of a group, the fine is calculated on the basis of the group's annual turnover.

The Court clarifies the conditions under which the national supervisory authorities may impose a fine on one or more data controllers for infringement of the General Data Protection Regulation (GDPR). In particular, it states that the imposition of such a fine requires culpable conduct, i.e. the infringement must have been committed intentionally or negligently. If the addressee of the fine is part of a group, the turnover of the group must be taken into account when calculating the fine.

A Lithuanian and a German court have asked the Court of Justice to interpret the General Data Protection Regulation (GDPR) with regard to the possibility for national supervisory authorities to penalize violations of this regulation by imposing a fine on the data controller.

In the Lithuanian case, the National Center for Public Health at the Ministry of Health is appealing against a fine of 12,000 euros imposed on it in connection with the development (with the support of a private company) of a mobile application designed to collect and monitor data on people exposed to the Covid-19 virus.

In the German case, the real estate company Deutsche Wohnen, which indirectly holds around 163,000 residential units and 3,000 commercial units, is appealing against a fine of over EUR 14 million imposed on it for storing tenants' personal data for longer than necessary.

The Court of Justice rules that a data controller can only be fined for violating the GDPR if this violation was committed culpably - i.e. intentionally or negligently. This is the case if the controller could not have been unaware of the unlawfulness of its conduct, regardless of whether it was aware that it was in breach of the provisions of the GDPR.

If the controller is a legal person, it is not necessary that the infringement was committed by its management body or that this body was aware of it. Rather, a legal person is liable both for infringements committed by its representatives, managers or directors
and for infringements committed by any other person acting on its behalf in the course of their business activities. The imposition of a fine on a legal person as controller shall not be subject to the condition that it has previously been established that the infringement has been committed by an identified natural person.

In addition, a fine may also be imposed on a controller for processing operations carried out by a processor, provided that these operations can be attributed to the controller.

With regard to the joint controllership of two or more entities, the Court states that this arises solely from the fact that the entities have participated in the decision on the purposes and means of the processing. Classification as a "joint controller" does not require a formal agreement between the entities concerned. A joint decision or concordant decisions are sufficient. However, if they are indeed joint controllers, they must define their respective obligations in an agreement.

Finally, if the addressee is an undertaking or belongs to an undertaking, the supervisory authority must base its assessment of the fine on the competition law term "undertaking". The maximum amount of the fine must therefore be calculated on the basis of a percentage of the total annual turnover achieved worldwide by the company concerned as a whole in the previous financial year.

Source: ECJ press release no. 184/23 of 05.12.2023