The European Court of Justice issued a landmark ruling on Tuesday (5 December) that is set to facilitate the imposition of fines for infringements of the General Data Protection Regulation (GDPR).
The European Court of Justice (ECJ) put out a verdict that will make it easier for data protection authorities to sanction infringements of EU data protection rules and will likely result in higher fines on average.
The verdict at the EU level results from two national courts from Lithuania and Germany asking for guidance on the conditions for sanctioning data controllers.
One of the two cases sees Deutsche Wohnen, a German real estate company, coming up against Staatsanwaltschaft Berlin, the Public Prosecutions Office of Berlin. In this case, the Berlin Commissioner for Data Protection and Freedom of Information imposed a €14.5 million fine in 2020.
“With its judgement in the ‘Deutsche Wohnen’ case, the ECJ has established fundamental requirements for the imposition of fines against companies for GDPR violations,” German Attorney-at-Law Stefan Hessel told Euractiv.
Meanwhile, in Lithuania, the National Public Health Centre under the Ministry of Health was contesting a fine of €12,000 imposed on it due to “a mobile application for registering and monitoring the data of persons exposed to COVID-19”, the document adds.
“Today’s ECJ landmark decision on GDPR administrative fines in the case ‘Deutsche Wohnen’ strengthens enforcement of the EU GDPR as it lowers requirements for imposing fines on legal entities,” said Jan Spittka, partner and GDPR expert at global law firm Clyde & Co.
According to today’s decision, a fine for an infringement can be imposed on a data controller when “that infringement was committed wrongfully, that is to say, intentionally or negligently”.
“This threshold is already exceeded if the company as a controller was objectively in a position to recognise the unlawfulness of its actions,” Hessel said.
Moreover, a controller can have a fine imposed on it “in respect of operations performed by a processor, to the extent that the controller may be held responsible for such operations”, the ECJ shared.
Not knowing of the infringement is also not an excuse, as the company is responsible for any infringements committed by people acting on its behalf.
“A fine does not require any action or even knowledge on the part of the company’s management body,” Hessel explained.
The decision will make it easier for member states’ data protection supervisory authorities to impose fines, which could also result in higher fines being imposed in the future, Spittka said.
The fine imposed can be based on the company’s or parent company’s turnover.
Fines will affect not only EU member states but also countries outside the EU whose companies have establishments in the EU and thus fall under the GDPR. The UK and the US, for example, both “fall within the territorial scope”, Spittka reminded.
To “minimise liability risks” in the future, companies must “ensure that employees are given clearer instructions on data protection and that these are closely monitored”, Hessel concluded.
[Edited by Luca Bertuzzi/Nathalie Weatherald]