On April 27, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued its opinion in the case C-807/21 on the conditions for imposing GDPR fines on legal persons (e.g., companies).  He opined that Member States’ law may not stipulate conditions going beyond those set out in the GDPR that make it more difficult to impute GDPR infringements to companies.  In addition, he is of the opinion that the GDPR penalties may only be imposed on intentional or negligent conducts, since the GDPR does not provide for a strict liability (no fault) system.

The case arises from a €14.5 million fine the Berlin Supervisory Authority imposed on Deutsche Wohnen SE for infringing the GDPR’s data retention obligations.  Subsequently, the District Court of Berlin overturned the fine, because the fine failed to satisfy certain rules under the German Act on Regulatory Offences (see our blog post).  The Berlin Public Prosecutor’s Office then appealed the case to the Higher Regional Court, which referred the following two questions to the CJEU:

(1) May a penalty be imposed on a company for infringement of the GDPR without first imputing that infringement to a natural person acting on the legal person’s behalf?

The AG is of the opinion that GDPR must be interpreted as meaning that the imposition of an administrative fine on a company is not conditional on a prior finding of an infringement committed by one or more individual natural persons acting on behalf of that company.  Member States laws may not require this to be a pre-condition to impose a GDPR administrative fine.

(2) Must the GDPR infringement in respect of which the penalty is imposed in all cases have been committed intentionally or negligently, or may a penalty be imposed by the mere objective fact that a GDPR obligation was breached?

The AG is of the opinion that the question is inadmissible because it is hypothetical in nature, since in the Deutsche Wohnen SE was found to intentionally breach the GDPR.  Nevertheless, he state that in his view GDPR fines require the conduct constituting the infringement to be intentional or negligent, thus ruling out the application of a strict liability regime.

This German case is similar to an Austrian case, in which the Federal Administrative Court annulled the €18 million fine that the Austrian Supervisory Authority imposed on the Austrian Post on the grounds that Austrian procedural law requires imputing the GDPR infringement to a natural person (not necessarily a manager) acting on the legal person’s behalf (see the decision, only available in German).

*                             *                             *

The AG’s opinion is not binding on the CJEU.  The Covington Privacy and Cyber team will report back once the CJEU renders its judgment.

(This blog post was written with the contribution of Alberto Vogel.)

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lars Lensdorf Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/ industry 4.0, IT related bank regulatory matters and data protection. Dr. Lensdorf’s practice covers all types of IT and outsourcing agreements, all matters of digitalization and industry…

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/ industry 4.0, IT related bank regulatory matters and data protection. Dr. Lensdorf’s practice covers all types of IT and outsourcing agreements, all matters of digitalization and industry 4.0, including online procurement platforms, IT-compliance matters (including cybersecurity) as well as data protection.

Furthermore, he is also focused on interfaces to other practice areas to the extent that IT related matters are affected, e. g. regulatory requirements for banking and financial services as well as public procurement law. A significant part of Dr. Lensdorf’s practice is currently advice in connection with the implementation of the GDPR (data protection) in Europe.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.