Being part of a company group may be beneficial for companies as they can have a stronger financial background and coordinated business decisions. Must this also be taken into account if a company belonging to a group of companies is fined for violating the GDPR? In what way can it be relevant, in connection with GDPR fines, that a company is part of an undertaking? In our article, we analysed the recent decision of the CJEU which provides an answer to this question.
Smartlegal Schmidt&Partners reports from Hungary:
- Facts
ILVA, a Danish company (“Controller”) who operates a chain of furniture stores is a part of an undertaking, the Lars Larsen Group (“Undertaking”).
The Controller was charged before the Danish courts with failing to comply with the obligations set out by the GDPR[i]in relation to the retention of the personal data of its former customers.
The Danish Data Protection Authority recommended to the Public Prosecutor’s Office (“Prosecutor”)[ii] to seek the imposition of a fine based on the GDPR which was calculated not only on the turnover of the Controller but on the overall turnover of the Undertaking.
- Court procedure in Denmark
The Aarhus District Court, the first instance court found the Controller guilty and imposed a fine against him. However, according to his court, with regards to the calculation of the fine, it was not necessary to take into account the turnover of Undertaking as the charges has been brought solely against the Controller. The court added that the Controller was engaged in an independent retail activity and that it had not been set up by the parent company for the sole purpose of processing the Undertaking’s data.
The Prosecutor brought an appeal against this judgement before the High Court of Western Denmark. According to the Prosecutor, in accordance with Article 83 (4) and (6) of the GDPR, the fine imposed against a company who forms a part of a group, shall be calculated based on the turnover of the undertaking. By contrast, the Controller disputes this and is on the opinion that the fine shall be calculated solely on the basis of the turnover of the company itself but not the undertaking.
The High Court stayed the proceedings and referred the case to the Court of Justice of the European Union in order to interpret Article 83 of the GDPR.
- Question to the CJEU
The Luxembourg Court basically had to answer the question that in case of a GDPR infringement by a controller which is or forms a part of any undertaking, how shall the fine be calculated? Shall the fine be calculated on the basis of the controller’s turnover or on the basis of the undertaking’s total worldwide turnover?
- Finding of the CJEU
The CJEU referred to its earlier case law, specifically to the Deutsche Wohnen judgement [iii] where it interpreted the concept of “undertaking”. According to the Court, an undertaking designates an economic unit even if in law that economic unit consists of several persons, natural or legal. That economic unit consists of a unitary organisation of personal, tangible and intangible elements, which pursues a specific economic aim on a long-term basis.
The CJEU clearly stated in the Deutsche Wohnen judgement that where the addressee of an administrative fine is or forms part of an undertaking in the above sense, the maximum amount of the administrative fine shall be calculated on the basis of a percentage of the total worldwide annual turnover in the preceding business year of the undertaking concerned.
However, the Court added that the determination of the maximum amount of the fine must be distinguished from the actual calculation of the amount of the fine imposed in a specific case. Given that the fine imposed must be effective, proportionate and dissuasive, the supervisory authority (or other authority) imposing the fine must take into account various factors which characterise either the behaviour of the controller or the infringements themselves. One of the factors may be the actual or material economic capacity of the controller and in this regard, it is necessary to take account of whether the controller forms part of an undertaking.
- Comment
As it can be seen from the CJEU’s judgement, the fact that the controller is or forms part of an undertaking must be taken into account from two aspects:
- the maximum amount of the fine for a GDPR infringement shall be calculated based on the undertaking’s total worldwide annual turnover,
- to assess the actual or material economic capacity of controller which may influence the actual amount of the fine.
This means that company groups must pay particular attention to GDPR compliance, as a small crack in the shield at one group member can result in significant financial consequences. This is because the basis for calculating the fine for GDPR infringement can be much higher than in the case of an independently acting company.
In this article we analysed the judgement C‑383/23 of the CJEU.
Written by Anita Vereb
SMARTLEGAL is a team of agile business & litigation lawyers in Budapest, Hungary, helping international corporate clients and individual entrepreneurs doing business in Hungary. For more information please visit our website at Smartlegal.hu
[i] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
[ii] The Danish legal system does not allow for administrative fines as set out in the GDPR, but Article 83 of the GDPR may be applied in such a manner that the fine is initiated by the supervisory authority and imposed by the competent national court.
[iii] judgment of 5 December 2023, Deutsche Wohnen, C‑807/21, EU:C:2023:950