Extended analysis of the ECJ ruling on the GDPR and its impact

In an earlier post on my blog itmedialaw.com, I already briefly addressed the important ruling of the ECJ of December 5, 2023. I would now like to undertake a more detailed analysis and expansion.

Guiding principles of the ECJ ruling

Content Hide

1. Guiding principles of the ECJ ruling

2. Further aspects

3. Conclusion and recommendations for action

3.1. Author: Marian Härtel

Direct liability of legal persons: The ECJ confirms that a fine under Art. 83 GDPR can be imposed on a legal person without the infringement having previously been attributed to an identified natural person. This represents a departure from previous German legal practice, which presupposed such an attribution.
Culpable conduct as a prerequisite: A fine may only be imposed if it is proven that the person responsible (be it a natural or legal person) committed the violation intentionally or negligently. This means that the supervisory authorities must provide evidence of culpable conduct.

Further aspects

Group turnover as the basis of assessment: If the addressee of the fine belongs to a group, the turnover of the entire group is decisive when calculating the fine. This can lead to significantly higher fines, especially for large multinational corporations.
Liability for breaches by third parties: A legal entity is liable not only for breaches committed by its management bodies, but also for breaches committed by any other person in the course of their business activities on behalf of the legal entity. This considerably extends the scope of liability.
Joint responsibility: In the case of joint responsibility of several entities for data processing, liability already arises from participation in the decision on the purposes and means of processing. A formal agreement is not required for this.

Conclusion and recommendations for action

This ruling by the ECJ significantly lowers the hurdles for the imposition of GDPR fines and extends the scope of liability for companies. It underlines the need for companies to implement a robust data protection compliance management system and continuously monitor data protection practices. In particular, the extension of liability to infringements by third parties and the consideration of group turnover when calculating fines require comprehensive risk assessment and management.

Key Facts

Direct liability of legal persons: ECJ allows fines against legal persons without attribution to natural persons.
Culpable conduct as a prerequisite: Supervisory authorities must prove culpable conduct before fines are imposed.
Group turnover as a basis for assessment: Fines are calculated according to the turnover of the entire group, which can lead to higher amounts.
Liability for infringements by third parties: Legal entities are also liable for infringements committed by third parties in the course of their business activities.
Joint responsibility: Liability arises through participation in decisions on data processing purposes, without formal agreement.
Extended liability: ruling lowers hurdles for GDPR fines and requires robust data protection compliance management
Risk assessment and management: Companies must carry out comprehensive risk assessments and continuously monitor data protection practices.

I will be happy to provide you with further information and individual advice on this topic.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: Analyse Beratung Blog Compliance GDPR Haftung Judgment Legal entity Management Privacy