ECJ Clarifies GDPR Administrative Fines
In its judgments of 5 December 2023 in Case C-683/21 (Nacionalinis visuomenės sveikatos centras) and Case C-807/21 (Deutsche Wohnen), the ECJ clarified several aspects of the General Data Protection Regulation (GDPR) regarding administrative fines for data protection infringements. It follows that a data controller can only be fined if the infringement was committed wrongfully, meaning intentionally or negligently. This applies even if the infringement was not directly committed by the management body of a legal entity but by its representatives or anyone acting on its behalf. Additionally, the Court stated that, when calculating fines for entities that are part of a larger group, the total turnover of the entire group must be taken into account.
The rulings respond to inquiries from Lithuanian and German courts, respectively, concerning fines imposed on the National Public Health Centre of Lithuania (contesting a fine of €12,000) and on the German real estate company Deutsche Wohnen (contesting a fine of over €14 million imposed for storing the personal data of tenants for longer than necessary).
The Court also highlighted that data controllers could be fined for actions performed by processors as part of their responsibility. It also addressed the concept of joint control, which does not require a formal arrangement between the entities, because a common decision, or converging decisions, is sufficient to establish such control.