On 5 December 2023, the Court of Justice of the European Union handed down two important judgments [1] which clarify the conditions for imposing an administrative fine on a data controller for a breach of the General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJEU, 4 May 2016, No. L 119), hereinafter the GDPR).
Article 83 of the GDPR and administrative fines
Article 83 of the GDPR enshrines the possibility for the competent personal data protection authorities to impose an administrative fine on a data controller for infringing upon certain provisions of the GDPR, which are listed in the provision. These fines may amount to up to 10,000,000 EUR or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Infringement committed by fault
In its judgments of 5 December 2023, the Court of Justice ruled that such an administrative fine may only be imposed where the breach of the GDPR has been committed wrongfully by the controller, i.e. intentionally or negligently. An intentional or negligent breach is therefore a condition for the imposition of such a fine.
As regards the question whether an infringement has been committed intentionally or negligently and is, therefore, liable to be penalised by an administrative fine, the Court states that a controller can be penalised for conduct falling within the scope of the GDPR “where that controller could not be unaware of the infringing nature of its conduct, whether or not it is aware that it is infringing the provisions of the GDPR”. We understand that, while the controller need not have been aware that its conduct was prohibited, an administrative fine is possible where the controller could not have been unaware that it was not protecting, or was insufficiently protecting, personal data.
Liability of legal persons
First, the Court pointed out that a legal person responsible for the processing of personal data is liable not only for infringements committed by its representatives, directors or managers, but also by any other person acting in the course of the business of that legal person and on its behalf. A legal person is therefore liable, in its capacity as data-controller, for data processing operations which it carries out itself, but also for those carried out on its behalf by processors.
However, the Court of Justice has stated that this responsibility and liability does not extend to situations where the processor has processed personal data for its own purposes or where that processor has processed such data in a manner incompatible with the instructions given by the data controller. In such cases, the processor is itself liable for breaches committed as data controller. The responsibility of a data controller for the actions of its processors is therefore limited to situations where the processor acts in accordance with the instructions given by the controller and in accordance with the purposes of the processing determined by the data controller.
Furthermore, in its judgments of 5 December 2023, the Court also stated that an administrative fine may be imposed on a legal person in its capacity as controller even in the absence of any action or knowledge on the part of the management body of that legal person. Thus, the fact that the legal person claims not to be aware of the infringement is not a valid ground for exemption from liability, since it is liable for infringements of the GDPR committed by persons acting on its behalf, provided, as stated above, that these operations are attributable to the data controller.
Finally, with regard to the liability of legal persons in their capacity as data controller, the Court of Justice stated that an administrative fine may be imposed on them on the basis of Article 83 GDPR even if the natural person who committed the unlawful processing operation is not precisely identified, provided that this unlawful processing operation is attributable to the legal person. The data controller cannot therefore be exempted from its liability by claiming that the natural person to whom the breach should be attributed has not been identified.
Conclusion
These judgments of the Court of Justice increase the risk of administrative fines being imposed for a breach of the GDPR, by reducing the requirements for the imposition of such fines on legal persons in their capacity as data controllers.
[1] CJEU, 5 December 2023, C-683/21; CJEU, 5 December 2023, C-807/21.
For any questions or assistance, please reach out to our
Intellectual Property Team | IP@simontbraun.eu – +32 (0)2 543 70 80
***
This newsletter is not a legal advice or a legal opinion. You should seek advice from a legal counsel of your choice before acting upon any of the information in this newsletter.