Court of Justice of the European Union Clarifies Imposition and Calculation of Administrative Fines for Companies Established in the EU or Processing EU Data
By Jessica Varda, J.D. Candidate, Class of 2026, Louis D. Brandeis School of Law at the University of Louisville
The Court of Justice of the European Union (CJEU) issued judgments on December 5, 2023, clarifying that national supervisory authorities may impose an administrative fine on a data controller for an infringement of the General Data Protection Regulation (GDPR) when the infringement was committed wrongfully, meaning intentionally or negligently. The objective fact that a breach occurred (“strict liability”) is not sufficient for the imposition of an administrative fine.
The GDPR applies to:
- a company or entity which processes personal data as part of the activities of one of its branches established in the [European Union (EU)], regardless of where the data is processed; or
- a company established outside the EU that is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.
The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The CJEU issued the judgments in response to two cases. In C-683/21, a Lithuanian court requested an interpretation of the GDPR in relation to a decision by which the State Data Protection Inspectorate, Lithuania imposed an administrative fine on the National Public Health Centre under the Ministry of Health, Lithuania pursuant to Article 83 of the GDPR for the creation, with the assistance of a private undertaking, of a mobile application for registering and monitoring personal data related to COVID-19 exposures. In C-807/21, a German court requested an interpretation of the GDPR in relation to an administrative fine imposed by the Berlin Public Prosecutor’s Office on Deutsche Wohnen SE, a real estate company, for storing the personal data of tenants for longer than necessary.
Per the GDPR, “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.” The opinion in C-683/21 clarifies that whether an entity is a controller can be inferred from the factual circumstances: “An entity which is in fact in a position to determine the purposes and means of the processing will thus be regarded as a ‘controller’, irrespective of whether it was formally appointed as such (by law or in a contract or otherwise).” Where the controller is a legal person, it is also liable for any infringements committed on its behalf, regardless of whether the processing is carried out in accordance with written guidelines or instructions from the controller. A controller may be fined for operations performed by a processor to the extent that the controller may be held responsible for such operations. Per the GDPR, “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Where two or more entities participate in the determination of the purposes and means of processing, the CJEU will classify them as joint controllers regardless of any formal arrangement. If an offending company or entity is part of an undertaking, fines must be calculated based on the annual turnover of the undertaking as a whole for the preceding business year. Previous case law indicates “the concept of an undertaking encompasses every entity engaged in an economic activity, regardless of the legal status of the entity or the way in which it is financed.” An undertaking may consist of one or several individual companies, natural persons, or corporate entities.