ECJ confirms: Data protection fines can be assessed on group turnover
Data protection penalties for accused companies may be based on the group turnover, not just the turnover of the offending company. Also in criminal courts.
(Image: peterschreiber.media/Shutterstock.com)
The European Court of Justice (ECJ) has issued a landmark ruling on the calculation of fines under the General Data Protection Regulation (GDPR). It confirms that the maximum amount of the fine may be calculated on the basis of a percentage of the global turnover of the entire group, even if only a part of the group is accused in an EU member state. The ECJ is thus continuing its case law from the Deutsche Wohnen case for criminal judgments as well.
The current reference decision in case C-383/23 is based on a case from Denmark. There, companies can be criminally charged for data protection offenses. The data protection authority accused a furniture retailer of violating data protection law in the period from May 2018 to January 2019 by storing the data of at least 350,000 former customers. The authority requested a fine of 1.5 million crowns, the equivalent of around 201,000 euros.
Videos by heise
When calculating this amount, the data protection authority not only considered the turnover of the accused company, but also the worldwide turnover of the entire group to which the furniture retailer belongs. The criminal court, however, only saw negligence and calculated the fine using only the turnover of the accused part of the group. This resulted in a comparatively modest fine of 100,000 crowns (13,400 euros).
Appeal leads to motion for referral
The Court of Appeal appealed to by the public prosecutor referred the question of which turnover may form the basis for calculating the penalty to the ECJ. The decisive factor here is the interpretation of the term “undertaking” in Article 83 (4) to (6) GDPR. The ECJ has now confirmed the line of case law it established in 2023 in the Deutsche Wohnen case: The term “undertaking” in Article 83 GDPR therefore corresponds to the term “undertaking” in Articles 101 and 102 of the Treaty on the Functioning of the European Union under antitrust law.
This means that the fine for GDPR infringements can be determined “on the basis of a percentage of the total worldwide annual turnover of the preceding financial year” of the group, provided it is an “economic unit”. This is because “this concept of undertaking includes (…) any entity carrying out an economic activity, regardless of its legal form and the way in which it is financed. It therefore designates an economic entity, even if, from a legal perspective, it consists of several natural or legal persons.”
At the same time, the ECJ emphasizes that this calculation only leads to the maximum amount of the fine. The competent authority must punish “in each individual case in an effective, proportionate and dissuasive manner”. Criteria such as the nature, gravity, and duration of the infringement, the number of data subjects, the extent of the damage and the measures taken to mitigate it, the intentional or negligent nature of the infringement, the degree of responsibility and the categories of personal data involved must be considered. All of this applies regardless of whether the data protection penalty is to be imposed by an administrative authority (as in Germany) or a criminal court (as in Denmark).
(ds)
