A new ruling by the Court of Justice of the European Union (CJEU) limits the circumstances in which GDPR fines can be imposed on organizations.
The decision follows the case of a German real estate company, Deutsche Wohnen, after it was accused of retaining customer data longer than necessary by the Berlin Data Protection Commissioner in 2019.
The original fine of €14.5 million was reversed in 2021 on the grounds that, under German law, the company could only be held responsible if a specific individual or executive could be blamed.
However, hearing an appeal on the case, the CJEU ruled that a “data controller may not have an administrative fine imposed on it for an infringement of the GDPR unless that infringement was committed wrongfully; that is to say, intentionally or negligently”.
The result has been welcomed by Deutsche Wohnen.
"The case raised important questions about the application of GDPR," said Kai Mertens, a partner at Squire Patton Bogg, which represented the firm in the case.
"We are pleased that the European Court of Justice has now clarified that only an intentional or negligent infringement of the GDPR may result in an administrative fine."
The court ruled, though, that a controller can be punished for breaching the GDPR if they “could not have been unaware” of the illegality of their actions - regardless of whether they understood that they were in breach of GDPR provisions.
Ruling offers clarity on GDPR fines
Data protection expert Jonathan Kirsop of law firm Pinsent Masons said the decision provides welcome clarification.
"The judgment seems to limit the scope for fines being imposed for more ‘technical’ or administrative breaches where a controller has acted in good faith and with its best efforts to ensure appropriate processes in place," he said.
"That said, fines will still be imposed where a controller should have known that it had committed a breach, whether or not it did so."
The decision applies to any organization that has a subsidiary within the EU that processes the personal data of EU citizens, or that offers goods and services within the union.
Kirsop believes that the UK government and Information Commissioner’s Office (ICO) are likely to adopt the CJEU's approach.
The business value of Zscaler Data Protection
Discover a tool that minimizes the risks related to data loss and other security events
"The CJEU’s finding, as a general rule, reflects how the ICO has tended to seek to enforce the UK GDPR by focusing on those violations which had the most impact and were derived from a materially deficient approach by controllers," he said.
"The UK government is currently seeking to update the UK data protection regime, with the Data Protection and Digital Information Bill currently before parliament, but the Bill maintains the administrative fine framework and principles of the GDPR, notwithstanding that it envisages expanding these to encompass electronic marketing violations."
As part of the ruling, the court also considered a Lithuanian case in which the National Public Health Centre under the Ministry of Health contested a €12,000 fine relating to a mobile app for registering and monitoring the data of people exposed to Covid 19.
The court concluded that an organization found to have breached GDPR can be fined based on the turnover of its parent company, as well as its own turnover - thus increasing potential fines.
"By maintaining that an undertaking may encompass a group of entities – where engaged in a common economic activity – the court is explicit that group turnover will often be the basis for calculation," Kirsop added.
This, he noted, "closes the door for any attempt to create artificial group structures with controllers placed in legal entities with limited turnover."
