Innovations in data protection law: ECJ ruling lowers hurdles for GDPR fines

The judgment of the European Court of Justice (ECJ) of December 5, 2023 in case C-807/21 concerns the interpretation of Art. 83 para. 4 to 6 of the General Data Protection Regulation (GDPR). This decision has important implications for the imposition of fines for breaches of the GDPR.

Context and background of the judgment

The judgment was issued in the context of a legal dispute between Deutsche Wohnen SE and the Berlin public prosecutor’s office regarding fines imposed pursuant to Art. 83 GDPR for violations of various articles of the GDPR. The case concerned the long-term storage of tenant data, which was considered a violation of the GDPR.

Key aspects of the judgment

1. Responsibility and liability: The ECJ emphasizes the responsibility and liability of the controller for any processing of personal data carried out by it or on its behalf. This underlines the need for companies to take appropriate and effective measures to ensure that their data processing activities comply with the GDPR.
2. Conditions for the imposition of fines: The Court clarifies that fines must be effective, proportionate and dissuasive. When deciding on the imposition of a fine and its amount, various factors are taken into account, including the nature, gravity and duration of the infringement, the intentional or negligent nature of the infringement and the measures taken by the controller or processor to mitigate the damage.
3. Member States’ room for maneuver: The ECJ recognizes that the GDPR offers the Member States leeway for specifying their regulations. This also includes defining the conditions under which the processing of personal data is lawful.

Effects and significance

The ruling has far-reaching implications for the practice of imposing GDPR fines. It emphasizes the importance of careful and responsible data processing and strengthens the enforcement of the GDPR. Companies must now pay even closer attention to ensuring that their data processing practices comply with the requirements of the GDPR, particularly with regard to responsibility and liability for data processing.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.