GDPR Fines According To The European Court Of Justice (ECJ) Culpability Is Required 20 FEB 2024 Website

Landmark data protection ruling issued

The European Court of Justice (CJEU) issued a landmark ruling on December 5, 2023 in a data protection appeal case involving German property company Deutsche Wohnen. With CJEU determining that liability requires culpable infringement, legal experts are cautioning that this eagerly awaited judgement could have major implications for organizations that breach GDPR rules.

The ruling not only affects organizations operating in the EU, but also those with EU subsidiaries and are processing personal data on EU citizens, or providing goods and services within the EU.  

Case timeline

  • In 2019, Deutsche Wohnen was fined €14.5 million by the Berlin Data Protection Commissioner. During an on-site inspection, the responsible data protection supervisory authority found that personal data of tenants was being stored in an electronic archive system for longer than necessary. This breaches the data minimization and storage limitation principles set out by the General Data Protection Regulation (GDPR).
  • In 2021, this preliminary ruling was overturned by the Court of Appeal (Kammergericht - KG) in Berlin. Under German law, the KG determined that the company could not be held responsible for violating the GDPR unless blame could be apportioned to a specific individual or executive.

Critical questions raised

This landmark case affects interpretation of Article 83 of the GDPR, specifically how administrative fines should be imposed.

In this case, the KG referred two critical questions to the CJEU:

  1. Can a fine be imposed on a company under the GDPR without the infringement first being attributed to a specific individual? For example, a specific employee of Deutsche Wohnen.
  2. If question 1 was answered affirmative, could this then be interpreted as meaning that either the company had culpably committed the breach mediated by an employee or was the objective breach of duty (“strict liability”) attributed to the company sufficient?

According to the KG, culpable breach of the GDPR is difficult to prove.

CJEU responses

The CJEU answered the first question by stating that, according to the GDPR, the controller within the meaning of the regulation is generally liable. The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. It therefore depends solely on whether the company determines the purposes and means of the processing.

According to European legislation it is therefore not necessary for the company's liability to be attributed to a specific employee. In contrast, the German Administrative Offences Act (OWiG) requires that fines are attributed to a specific person. 

As a European regulation, the GDPR applies directly in all member states and takes precedence over national laws. The regulation does not offer national legislators any discretionary powers to reduce the conditions for imposing fines.

Following the CJEU’s ruling, the German regulation must now be interpreted by the courts in accordance with European law and national legislators are required to adapt the German law on fines to the new case law.

In the second question, the CJEU referred to the general liability principles of the GDPR. This means that the controller must commit an infringement culpably - i.e. intentionally or negligently - in order for a fine to be imposed on them. This view is also confirmed by the rest of the GDPR's system of sanctions.

Instead of, or in addition to fines, if there is a lack of culpable infringement in individual cases, or if there are problems regarding proof, the supervisory authorities can impose further sanctions in the form of warnings, cautions or instructions.

Even if fines are an effective means of enforcing the provisions of the GDPR, the European legislator has not provided for strict liability.

The CJEU ruling also raised the question as to  whether a company is at fault in the event of an intentional or negligent employee infringement. The KG may examine whether Deutsche Wohnen SE at management level can be accused of organisational fault. This could be regarded the case if there is no established compliance or data protection management system. Nevertheless, the CJEU still stated that the management does not need knowledge of the specific act of infringement by the employee or even have committed an act of infringement itself.

Significance for practice

This landmark CJEU ruling generally provides more clarity when imposing GDPR administrative fines on companies. The decision now makes it easier for data protection supervisory authorities in EU member states to sanction legal entities. However, there still remain many contractions, particularly with regards to culpability and the German understanding of principle of fault.

Conversely, the CJEU ruling has strengthened companies to the extent that they can only be accused of an infringement by an employee if the company acted culpably. Therefore, if companies generally ensure that their data protection management functions properly, they should be protected against fines for individual data protection breaches that are not attributable to a systematic failure.

This makes it even more imperative for companies to ensure that their compliance management system includes robust data protection controls, supported by appropriate guidelines, defined responsibilities, training, documentation, etc.

For more guidance on data protection and the implications of this landmark case, please contact Dr Christian Lenz, dhpg, Germany

For further information

Dr. Christian Lenz
Senior Partner

The information contained herein is for general informational purposes only and is not intended, and should not be construed, as legal, auditing, accounting, investment, or tax advice or opinion provided by CLA Global or any of its individual member firms to the reader.  No client, advisory, fiduciary, or other professional relationship is established or implied between the reader and CLA Global or any of its member firms through the presentation of the information contained herein.  The reader is cautioned that this material may not be applicable to, or suitable for, the reader’s specific circumstances or needs, and may require consideration of a number of other factors if any action is to be contemplated.  Accordingly, the information presented herein should not be considered a substitute for the reader’s independent investigation and sound technical business judgment, and the reader is advised to contact his or her CLA Global member firm or other tax or professional advisor prior to taking any action based upon said information.  Neither CLA Global nor any of its member firms assume any obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.