On April 27, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued his opinion in the case C-807/21 on the conditions for imposing GDPR fines on legal persons (e.g., companies).  He opined that Member States’ law may not stipulate conditions going beyond those set out in the GDPR that make it more difficult to impute GDPR infringements to companies.  In addition, he is of the opinion that GDPR penalties may only be imposed for intentional or negligent conduct, since the GDPR does not provide for a strict liability (no fault) system.

The case arises from a €14.5 million fine the Berlin Supervisory Authority imposed on Deutsche Wohnen SE for infringing the GDPR’s data retention obligations.  Subsequently, the District Court of Berlin overturned the fine, because the fine failed to satisfy certain rules under the German Act on Regulatory Offences (see our blog post).  The Berlin Public Prosecutor’s Office then appealed the case to the Higher Regional Court, which referred the following two questions to the CJEU:

(1) May a penalty be imposed on a company for infringement of the GDPR without first imputing that infringement to a natural person acting on the legal person’s behalf?

The AG is of the opinion that the GDPR must be interpreted as meaning that the imposition of an administrative fine on a company is not conditional on a prior finding of an infringement committed by one or more individual natural persons acting on behalf of that company.  Member States’ laws may not make this a precondition for imposing a GDPR administrative fine.

(2) Must the GDPR infringement in respect of which the penalty is imposed in all cases have been committed intentionally or negligently, or may a penalty be imposed by the mere objective fact that a GDPR obligation was breached?

The AG is of the opinion that the question is inadmissible because it is hypothetical in nature, since Deutsche Wohnen SE was found to have intentionally breached the GDPR.  Nevertheless, he states that in his view GDPR fines require the conduct constituting the infringement to be intentional or negligent, thus ruling out the application of a strict liability regime.

This German case is similar to an Austrian case, in which the Federal Administrative Court annulled the €18 million fine that the Austrian Supervisory Authority imposed on the Austrian Post on the grounds that Austrian procedural law requires imputing the GDPR infringement to a natural person (not necessarily a manager) acting on the legal person’s behalf (see the decision, only available in German).

*                             *                             *

The AG’s opinion is not binding on the CJEU.  The Covington Privacy and Cyber team will report back once the CJEU renders its judgment.

(This blog post was written with the contribution of Alberto Vogel.)

Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, cloud-services, digitalization/ industry 4.0, IT related bank regulatory matters, IT-compliance, incl. cybersecurity and data protection.

Furthermore, Lars is also focused on interfaces to other practice areas to the extent that IT related matters are affected, e. g. regulatory requirements for banking and financial services as well as public procurement law.

Anna Sophia Oberschelp de Meneses

I advise companies across the EU on technology laws, with a focus on data protection, cybersecurity, and current consumer protection laws. I help businesses navigate complex regulations like the GDPR, AI Act, Digital Services Act, Unfair Commercial Practices Directive, and the upcoming Digital Fairness Act, turning legal requirements into practical, business-friendly solutions.

In data protection, I support tailored GDPR compliance, international data transfers, and privacy-conscious marketing. On cybersecurity, I guide clients through risk assessments, incident response, and evolving laws such as NIS2 and the Cyber Resilience Act. Regarding consumer protection, I advise on existing laws to help businesses revise their terms and conditions for compliance and review online interfaces to ensure all mandatory consumer information is clearly provided, tackling issues like dark patterns and unfair contract clauses.

Fluent in multiple languages and experienced across borders, I’m passionate about helping clients embed compliance into their operations and thrive in the fast-changing digital landscape.