(AGENPARL) – mar 05 dicembre 2023 PRESS RELEASE No 184/23
Luxembourg, 5 December 2023
Judgments of the Court in Cases C-683/21 | Nacionalinis visuomen?s sveikatos centras and C-807/21 |
Deutsche Wohnen
Only a wrongful infringement of the General Data Protection Regulation
may result in an administrative fine being imposed
Where the addressee of the fine forms part of a group of companies, that fine must be calculated on the basis
of the group’s turnover
The Court of Justice clarifies the conditions under which national supervisory authorities may impose an
administrative fine on one or more controllers for an infringement of the General Data Protection Regulation
(GDPR). In particular, it holds that the imposition of such a fine requires that there be wrongful conduct; in other
words, that the infringement has been committed intentionally or negligently. Moreover, where the addressee
of the fine forms part of a group of companies, the calculation of that fine must be based on the turnover of the
entire group.
A Lithuanian court and a German court have asked the Court of Justice to interpret the General Data Protection
Regulation (GDPR) 1 regarding the possibility for national supervisory authorities to penalise the infringement of that
regulation by imposing an administrative fine on the data controller.
In the Lithuanian case, the National Public Health Centre under the Ministry of Health is contesting a fine of € 12 000
which has been imposed on it in the context of the creation, with the assistance of a private undertaking, of a
mobile application for registering and monitoring the data of persons exposed to Covid-19.
In the German case, the real estate company Deutsche Wohnen, which indirectly holds approximately 163 000
housing units and 3 000 commercial units, is contesting, inter alia, a fine of over € 14 million which has been
imposed on it as a result of its having stored the personal data of tenants for longer than necessary.
The Court holds that a data controller may not have an administrative fine imposed on it for an
infringement of the GDPR unless that infringement was committed wrongfully, that is to say, intentionally
or negligently. That is the case where the controller could not have been unaware of the infringing nature of its
conduct, regardless of whether or not it was aware of the infringement.
Where the controller is a legal person, it is not necessary for the infringement to have been committed by
its management body; nor is it necessary for that body to have had knowledge of that infringement. On the
contrary, a legal person is liable both for infringements committed by its representatives, directors or managers,
and for those committed by any other person acting in the course of the business of that legal person and on its
behalf. Moreover, the imposition of an administrative fine on a legal person as a controller cannot be subject to a
previous finding that that infringement was committed by an identified natural person.
Communications Directorate
Press and Information Unit
curia.europa.eu
Furthermore, a controller may also have a fine imposed on it in respect of operations performed by a
processor, to the extent that the controller may be held responsible for such operations.
With regard to joint control by two or more entities, the Court clarifies that such control arises solely from the
fact that those entities have participated in the determination of the purposes and means of processing.
Classification as ‘joint controllers’ does not require that there be a formal arrangement between the entities in
question. A common decision, or converging decisions, are sufficient. However, where there are in fact joint
controllers, they must determine their respective responsibilities by means of an arrangement between them.
Lastly, as regards the calculation of the fine where the addressee is or forms part of an undertaking, the
supervisory authority must take as its basis the concept of an ‘undertaking’ 2 under competition law. Thus, the
maximum amount of the fine must be calculated on the basis of a percentage of the total worldwide annual
turnover of the undertaking concerned, taken as a whole, in the preceding business year.
NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which
have been brought before them, to refer questions to the Court of Justice about the interpretation of European
Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the
national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on
other national courts or tribunals before which a similar issue is raised.
Unofficial document for media use, not binding on the Court of Justice.
The full text and, as the case may be, the abstract of the judgments (C-683/21 and C-807/21) are published on the
CURIA website on the day of delivery.
Stay Connected!
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
That concept covers any entity engaged in an economic activity, irrespective of the legal status of that entity and the way in which it is financed. The
concept of an undertaking therefore refers to an economic unit even if, in law, that economic unit consists of several natural or legal persons.
Communications Directorate