According to the ECJ's judgment of 13 February 2025 in Case C-383/23 (ILVA), a fine for a violation of the General Data Protection Regulation (GDPR) may be calculated on the basis of the global turnover of an entire group of companies.

Background of the case

The case, referred for a preliminary ruling by the High Court of Western Denmark (Vestre Landsret), clarified how fines under Art. 83(4) to (6) GDPR should be calculated for a company that is part of a corporate group. In the underlying proceedings in Denmark, ILVA A/S, a furniture retailer and subsidiary of the Lars Larsen Group, had been charged with failing to comply with GDPR obligations concerning the retention of personal data of former customers.

The Danish prosecutor was seeking a fine, partly based on the overall turnover of the corporate group and arguing that the concept of an “undertaking” in Art. 83(4)–(6) GDPR should align with the competition law understanding in Arts. 101 and 102 TFEU. The District Court of Aarhus disagreed, finding ILVA liable only for its own actions and imposing a lower fine calculated on its own turnover. The case was subsequently appealed.

ECJ ruling

The ECJ held that the term “undertaking” in Art. 83 GDPR must indeed be understood in the same way as it is in EU competition law. This interpretation entails that a corporate group may be treated as a single economic unit when one of its entities commits an infringement. Consequently, for purposes of determining the maximum amount of the fine, the supervisory authority or national court may take into consideration the entire worldwide turnover of the entire economic entity (i.e., the group), not just the subsidiary’s turnover.

The Court emphasized, however, that the actual amount of the fine must be effective, proportionate, and dissuasive in each individual case, taking into account the specific circumstances listed in Art. 83(2) GDPR, such as the nature and gravity of the infringement and the controller's responsibility. It also noted that, even when fines are imposed by criminal courts (as in Denmark, where GDPR fines are considered criminal penalties), and not handled as administrative sanctions, there are no obstacles of principle since criminal courts must at all times respect the rules applicable in criminal matters and ensure the principle of proportionality when calculating the fines.

Put in focus

In sum, the ECJ confirmed that the GDPR’s concept of an “undertaking” incorporates the competition law notion of a single economic unit. Accordingly, when calculating GDPR fines for group-affiliated entities, the turnover of the entire group may be considered — in this way ensuring that fines are not only proportionate to the infringement but also to the economic capacity of the offender.

The ruling could set a precedent for other digital laws, as the Digital Markets Act, the Digital Services Act and the AI Act, for example, provide for similar sanction mechanisms.