In an earlier post on my blog itmedialaw.com, I briefly addressed the important ruling of the ECJ of December 5, 2023. This article provides a more detailed analysis and expansion on the implications of this decision, particularly regarding GDPR fines.
Guiding Principles of the ECJ Ruling on GDPR Fines
The recent ECJ ruling has set significant precedents for the imposition of GDPR fines. It clarifies several key aspects of liability and penalty assessment.
- Direct Liability of Legal Persons: The ECJ confirms that a fine under Article 83 GDPR can be imposed directly on a legal person. This is possible even without the infringement being previously attributed to an identified natural person.
This ruling marks a departure from previous German legal practice, which typically required such an attribution.
- Culpable Conduct as a Prerequisite: A fine may only be imposed if culpable conduct is proven. This means the responsible party, whether a natural or legal person, must have committed the violation intentionally or negligently.
Supervisory authorities are now tasked with providing evidence of this culpable conduct.
Further Aspects and Implications of the ECJ Ruling
Beyond the guiding principles, the ECJ ruling introduces several other crucial aspects that impact companies subject to GDPR.
- Group Turnover as the Basis of Assessment: When calculating a GDPR fine, the turnover of the entire group is decisive if the addressee of the fine belongs to a group. This can lead to significantly higher fines, especially for large multinational corporations.
- Liability for Breaches by Third Parties: A legal entity's liability extends beyond infringements committed by its own management bodies. It now also encompasses breaches committed by any other person in the course of their business activities on behalf of the legal entity. This considerably broadens the scope of liability for GDPR violations.
- Joint Responsibility: In cases where several entities share responsibility for data processing, liability arises directly from participation in deciding the purposes and means of processing. A formal agreement is not a prerequisite for establishing this joint responsibility.
Conclusion and Recommendations for Action
This ECJ ruling significantly lowers the hurdles for imposing GDPR fines and expands the scope of liability for companies. It underscores the urgent need for businesses to implement a robust data protection compliance management system.
Furthermore, companies must continuously monitor their data protection practices. The extended liability for infringements by third parties and the consideration of group turnover necessitate comprehensive risk assessment and management strategies.
I will be happy to provide you with further information and individual advice on this topic.