On April 27, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued his opinion in the case C-807/21 on the conditions for imposing GDPR fines on legal persons (e.g., companies). He opined that Member States’ law may not stipulate conditions going beyond those set out in the GDPR that make it more difficult to impute GDPR infringements to companies. In addition, he is of the opinion that GDPR penalties may only be imposed for intentional or negligent conduct, since the GDPR does not provide for a strict liability (no fault) system.

The case arises from a €14.5 million fine the Berlin Supervisory Authority imposed on Deutsche Wohnen SE for infringing the GDPR’s data retention obligations.  Subsequently, the District Court of Berlin overturned the fine, because the fine failed to satisfy certain rules under the German Act on Regulatory Offences (see our blog post).  The Berlin Public Prosecutor’s Office then appealed the case to the Higher Regional Court, which referred the following two questions to the CJEU:

(1) May a penalty be imposed on a company for infringement of the GDPR without first imputing that infringement to a natural person acting on the legal person’s behalf?

The AG is of the opinion that the GDPR must be interpreted as meaning that the imposition of an administrative fine on a company is not conditional on a prior finding of an infringement committed by one or more individual natural persons acting on behalf of that company. Member States’ laws may not require this as a pre-condition for imposing a GDPR administrative fine.

(2) Must the GDPR infringement in respect of which the penalty is imposed in all cases have been committed intentionally or negligently, or may a penalty be imposed by the mere objective fact that a GDPR obligation was breached?

The AG is of the opinion that the question is inadmissible because it is hypothetical in nature, since Deutsche Wohnen SE was found to have intentionally breached the GDPR. Nevertheless, he states that in his view GDPR fines require the conduct constituting the infringement to be intentional or negligent, thus ruling out the application of a strict liability regime.

This German case is similar to an Austrian case, in which the Federal Administrative Court annulled the €18 million fine that the Austrian Supervisory Authority imposed on the Austrian Post on the grounds that Austrian procedural law requires imputing the GDPR infringement to a natural person (not necessarily a manager) acting on the legal person’s behalf (see the decision, only available in German).

*                             *                             *

The AG’s opinion is not binding on the CJEU.  The Covington Privacy and Cyber team will report back once the CJEU renders its judgment.

(This blog post was written with the contribution of Alberto Vogel.)

Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, cloud-services, digitalization/industry 4.0, IT related bank regulatory matters, IT-compliance, incl. cybersecurity and data protection.

Furthermore, Lars is also focused on interfaces to other practice areas to the extent that IT related matters are affected, e.g. regulatory requirements for banking and financial services as well as public procurement law.

Anna Sophia Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses advises on EU data protection, cybersecurity, and consumer law. Her practice covers the full range of Europe’s digital regulatory framework, including GDPR, ePrivacy, NIS2, the Cyber Resilience Act, the AI Act, the Digital Services Act, the Data Act, the European Health Data Space, and EU consumer protection law, including product safety, product liability, and consumer rights legislation. She focuses on the operational side of compliance — helping clients design policies and processes, draft documentation, and build the internal frameworks needed to meet regulatory requirements in practice.

She also advises on contentious matters, drawing on experience managing investigations before national regulators and proceedings before national courts and the Court of Justice of the European Union. She works closely with Covington’s disputes teams on matters at the intersection of regulatory compliance and litigation.