Key Facts
- Direct liability of legal persons: ECJ allows fines against legal persons without attribution to natural persons.
- Culpable conduct as a prerequisite: Supervisory authorities must prove culpable conduct before fines are imposed.
- Group turnover as a basis for assessment: Fines are calculated according to the turnover of the entire group, which can lead to higher amounts.
- Liability for infringements by third parties: Legal entities are also liable for infringements committed by third parties in the course of their business activities.
- Joint responsibility: Liability arises through participation in decisions on data processing purposes, without formal agreement.
- Extended liability: ruling lowers hurdles for GDPR fines and requires robust data protection compliance management
- Risk assessment and management: Companies must carry out comprehensive risk assessments and continuously monitor data protection practices.
In an earlier post on my blog itmedialaw.com, I already briefly addressed the important ruling of the ECJ of December 5, 2023. I would now like to undertake a more detailed analysis and expansion.
Guiding principles of the ECJ ruling
- Direct liability of legal persons: The ECJ confirms that a fine under Art. 83 GDPR can be imposed on a legal person without the infringement having previously been attributed to an identified natural person. This represents a departure from previous German legal practice, which presupposed such an attribution.
- Culpable conduct as a prerequisite: A fine may only be imposed if it is proven that the person responsible (be it a natural or legal person) committed the violation intentionally or negligently. This means that the supervisory authorities must provide evidence of culpable conduct.
Further aspects
- Group turnover as the basis of assessment: If the addressee of the fine belongs to a group, the turnover of the entire group is decisive when calculating the fine. This can lead to significantly higher fines, especially for large multinational corporations.
- Liability for breaches by third parties: A legal entity is liable not only for breaches committed by its management bodies, but also for breaches committed by any other person in the course of their business activities on behalf of the legal entity. This considerably extends the scope of liability.
- Joint responsibility: In the case of joint responsibility of several entities for data processing, liability already arises from participation in the decision on the purposes and means of processing. A formal agreement is not required for this.
Conclusion and recommendations for action
This ruling by the ECJ significantly lowers the hurdles for the imposition of GDPR fines and extends the scope of liability for companies. It underlines the need for companies to implement a robust data protection compliance management system and continuously monitor data protection practices. In particular, the extension of liability to infringements by third parties and the consideration of group turnover when calculating fines require comprehensive risk assessment and management.
I will be happy to provide you with further information and individual advice on this topic.
