- ECJ ruling: On December 5, 2023, the European Court of Justice will rule on fines for GDPR violations in case C-807/21.
- Accountability: Companies must take responsibility for the processing of personal data and take measures to comply with the GDPR.
- Fines: ECJ requires that fines are effective, proportionate and dissuasive, taking into account various factors.
- Member States: The ECJ recognizes the Member States ' scope for specific rules on the lawfulness of data processing.
- Significance: Ruling strengthens the enforcement of the GDPR and emphasizes the need for responsible data processing practices.
- Intentionality: For penalties, factors such as intentionality or negligence of the offense are taken into account.
- Companies: Companies must align their data processing practices even more closely with GDPR requirements.
The judgment of the European Court of Justice (ECJ) of December 5, 2023 in case C-807/21 concerns the interpretation of Art. 83 para. 4 to 6 of the General Data Protection Regulation (GDPR). This decision has important implications for the imposition of fines for breaches of the GDPR.
Context and background of the judgment
The judgment was issued in the context of a legal dispute between Deutsche Wohnen SE and the Berlin public prosecutor’s office regarding fines imposed pursuant to Art. 83 GDPR for violations of various articles of the GDPR. The case concerned the long-term storage of tenant data, which was considered a violation of the GDPR.
Key aspects of the judgment
- Responsibility and liability: The ECJ emphasizes the responsibility and liability of the controller for any processing of personal data carried out by it or on its behalf. This underlines the need for companies to take appropriate and effective measures to ensure that their data processing activities comply with the GDPR.
- Conditions for the imposition of fines: The Court clarifies that fines must be effective, proportionate and dissuasive. When deciding on the imposition of a fine and its amount, various factors are taken into account, including the nature, gravity and duration of the infringement, the intentional or negligent nature of the infringement and the measures taken by the controller or processor to mitigate the damage.
- Member States’ room for maneuver: The ECJ recognizes that the GDPR offers the Member States leeway for specifying their regulations. This also includes defining the conditions under which the processing of personal data is lawful.
Effects and significance
The ruling has far-reaching implications for the practice of imposing GDPR fines. It emphasizes the importance of careful and responsible data processing and strengthens the enforcement of the GDPR. Companies must now pay even closer attention to ensuring that their data processing practices comply with the requirements of the GDPR, particularly with regard to responsibility and liability for data processing.
