On December 5, 2023, the Court of Justice of the European Union (CJEU) issued two important judgments clarifying the legal grounds for imposing administrative fines under the General Data Protection Regulation (GDPR) (Cases C-683/21 and C-807/21). The judgments were delivered in response to requests for a preliminary ruling from a Lithuanian court (C-683/21) and a German court (C-807/21). The CJEU's interpretation of the GDPR applies to, and is binding on, all European Union (EU) Member States.

Key Takeaways:

  1. EU Member States do not have any margin of discretion regarding the conditions for imposing an administrative fine and must not impose additional conditions to those provided by the GDPR.
  2. An administrative fine can be imposed only where the controller has intentionally or negligently committed a GDPR infringement.
  3. The controller is liable for the processing activities performed by its processor.
  4. The concept of "undertaking" within the meaning of EU competition law is only relevant to calculate the amount of the fine.

1. EU Member States do not have any margin of discretion regarding the conditions for imposing an administrative fine and must not impose additional conditions to those provided by the GDPR.

The CJEU considered that no GDPR provision suggests that EU Member States have a margin of discretion as to the conditions for imposing an administrative fine for a GDPR infringement. Consequently, EU Member States are bound by the conditions laid down in the GDPR and are not authorized to add conditions for the imposition of an administrative fine that the GDPR does not expressly provide for.

The CJEU stressed that the objective of the GDPR is to ensure a consistent and high level of protection of personal data across the EU. According to the CJEU, this means that supervisory authorities must have equivalent powers to monitor GDPR compliance and must impose equivalent sanctions. Allowing EU Member States to add conditions for the imposition of an administrative fine would run counter to the purpose of the GDPR and would risk weakening the effectiveness and deterrent effect of administrative fines.

Accordingly, the CJEU held that national legislation under which an administrative fine may be imposed on a legal person acting as controller only where the infringement has first been attributed to an identified natural person is precluded by the GDPR, since no GDPR provision lays down such a condition. It added that a legal person acting as a controller is liable for infringements committed by its representatives, directors or managers, as well as for those committed by any other person acting in the course of the business of that legal person and on its behalf.

2. An administrative fine can be imposed only where the controller has intentionally or negligently committed a GDPR infringement.

The CJEU noted that the GDPR provides a system of sanctions which allows supervisory authorities to impose the most appropriate penalties depending on the circumstances of each individual case.

It noted that Article 83(2) GDPR lists the factors supervisory authorities must take into account when deciding whether to impose an administrative fine and in what amount. That list notably includes "the intentional or negligent character of the infringement". The CJEU further observed that, by contrast, the provision contains no reference to any possibility of holding the controller liable in the absence of wrongful conduct on its part.

It also recalled that Article 58 GDPR provides that administrative fines may be imposed "in addition to, or instead of" other corrective measures. The CJEU added that it follows from recital 148 GDPR that supervisory authorities may refrain from imposing an administrative fine and issue a reprimand instead where a fine would constitute a disproportionate burden.

Moreover, according to the CJEU, allowing Member States to impose administrative fines in the absence of fault would be contrary to the GDPR's objective of ensuring an equivalent and homogeneous level of data protection and could distort competition between economic operators within the Union.

Accordingly, the CJEU concluded that only GDPR infringements committed wrongfully by the controller, namely intentionally or negligently, may result in an administrative fine being imposed on that controller. It further specified that a controller may be fined where it could not have been unaware of the infringing nature of its conduct, irrespective of whether it was actually aware that it was infringing the GDPR, and irrespective of whether the infringement was committed by its management body or with that body's knowledge.

3. The controller is liable for the processing activities performed by its processor.

The CJEU recalled that a controller is responsible and liable not only for the processing activities it carries out itself, but also for processing carried out on its behalf by its processor. Accordingly, a controller may be fined for processing activities conducted by its processor.

However, the controller is not liable where the processor has processed personal data for its own purposes, or where the processor has processed the data in a manner incompatible with the controller's instructions, or in a manner such that the controller cannot reasonably be considered to have consented to that processing.

4. The concept of "undertaking" within the meaning of EU competition law is only relevant to calculate the amount of the fine.

The CJEU clarified that the concept of "undertaking" within the meaning of Articles 101 and 102 of the Treaty on the Functioning of the EU is not relevant to assessing whether an administrative fine may be imposed; it matters only for determining the amount of the fine, and in particular the total worldwide annual turnover of the undertaking concerned in the preceding financial year.

More specifically, the CJEU clarified that the concept of "undertaking" under the GDPR incorporates the concept of undertaking under EU competition law and therefore covers any entity engaged in an economic activity, irrespective of its legal status and the way in which it is financed. That concept designates an economic unit even if, in law, that unit consists of several natural or legal persons, provided that it constitutes a unitary organization of personal, tangible and intangible elements pursuing a specific economic aim on a long-term basis.

Conclusion

These clarifications are important and will be useful for companies subject to enforcement actions, since Data Protection Authorities will now need to demonstrate that a given GDPR infringement results from intentional or negligent conduct of the controller before they can impose an administrative fine. This strengthens both the burden of proof and the obligation to state reasons that Data Protection Authorities must discharge when imposing an administrative fine. Further, it follows from the CJEU's reasoning that a fine should be the last resort, chosen only where Data Protection Authorities consider that other corrective measures, such as warnings or reprimands, would not be sufficiently effective to ensure compliance with the GDPR. In a nutshell, these findings provide useful defense arguments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.