Marian Härtel
Filter nach benutzerdefiniertem Beitragstyp
Filter by Kategorien
Archive - Old blogposts
Blockchain and law
Blockchain and web law
Blockchain Law
Competition law
Data protection Law
Esport and politics
Esport Business
EU law
Labour law
Law and Blockchain
Law and computer games
Law and Esport
Law on the Internet
Law on the protection of minors
News in brief
Online retail
Web3 Law
Youtube video
Just call!

03322 5078053

Extended analysis of the ECJ ruling on the GDPR and its impact

In an earlier post on my blog, I already briefly addressed the important ruling of the ECJ of December 5, 2023. I would now like to undertake a more detailed analysis and expansion.

Guiding principles of the ECJ ruling

  1. Direct liability of legal persons: The ECJ confirms that a fine under Art. 83 GDPR can be imposed on a legal person without the infringement having previously been attributed to an identified natural person. This represents a departure from previous German legal practice, which presupposed such an attribution.
  2. Culpable conduct as a prerequisite: A fine may only be imposed if it is proven that the person responsible (be it a natural or legal person) committed the violation intentionally or negligently. This means that the supervisory authorities must provide evidence of culpable conduct.

Further aspects

  • Group turnover as the basis of assessment: If the addressee of the fine belongs to a group, the turnover of the entire group is decisive when calculating the fine. This can lead to significantly higher fines, especially for large multinational corporations.
  • Liability for breaches by third parties: A legal entity is liable not only for breaches committed by its management bodies, but also for breaches committed by any other person in the course of their business activities on behalf of the legal entity. This considerably extends the scope of liability.
  • Joint responsibility: In the case of joint responsibility of several entities for data processing, liability already arises from participation in the decision on the purposes and means of processing. A formal agreement is not required for this.

Conclusion and recommendations for action

This ruling by the ECJ significantly lowers the hurdles for the imposition of GDPR fines and extends the scope of liability for companies. It underlines the need for companies to implement a robust data protection compliance management system and continuously monitor data protection practices. In particular, the extension of liability to infringements by third parties and the consideration of group turnover when calculating fines require comprehensive risk assessment and management.

I will be happy to provide you with further information and individual advice on this topic.

Marian Härtel

Marian Härtel

Marian Härtel is a lawyer and entrepreneur specializing in copyright law, competition law and IT/IP law, with a focus on games, esports, media and blockchain.


03322 5078053