In two judgments delivered on 5 December 2023, the EU Court of Justice ruled on the interpretation of various provisions of the GDPR. In particular, the Court clarified the conditions under which administrative fines may be imposed on one or more data controllers by national supervisory authorities for breaching the GDPR (Case C-683/21 and Case C-807/21).
• The factual background
The first case (C-683/21) originated in Lithuania where, in the context of the Covid-19 crisis, the Minister for Health instructed the National Public Health Centre (“NVSC”) to develop, with the assistance of a private undertaking (“ITSS”), a mobile application for registering and monitoring data of persons exposed to Covid-19.
Following an investigation, the State Data Protection Inspectorate found that several provisions of the GDPR were infringed and imposed, pursuant to Article 83 of the GDPR, a fine of 12.000 EUR on the NVSC as well as a fine of 3.000 EUR on ITSS as joint controller.
The NVSC contested the fine before the Vilnius Administrative Court, which referred six preliminary questions to the EU Court of Justice (the “ECJ”) concerning the interpretation of Article 4(2) and (7), Article 26(1) and Article 83(1) of the GDPR.
The second case (C-807/21) took place in Germany, where the Berlin Data Protection Authority imposed an administrative fine of 14.385.000 EUR as well as other fines upon a real estate company, Deutsche Wohnen (“DW”), for having stored tenants’ personal data longer than necessary.
DW brought an action against that decision before the Berlin Regional Court, which considered that the decision at issue was seriously vitiated and could not serve as a basis for the imposition of a fine. The Berlin Public Prosecutor’s Office brought an appeal against the first-instance decision before the Higher Regional Court in Berlin, which referred two preliminary questions to the ECJ concerning the interpretation of Article 83(4) to (6) of the GDPR.
• Findings of the ECJ
o With regard to controllers
The ECJ recalls that the obligations laid down by the GDPR are directed, in particular, at “controllers” whose responsibility extends to any processing of personal data which they carry out themselves or which is carried out on their behalf, and who are required, on that basis, not only to implement appropriate and effective measures, but also to be able to demonstrate the compliance of the processing activities with the GDPR. According to the ECJ, the EU legislature did not distinguish between natural persons and legal persons in order to determine the liability of a controller. Indeed, this liability depends solely on the condition that those persons, alone or jointly with others, determine the purposes and means of processing of personal data. This implies, inter alia, that legal persons are liable not only for infringements committed by their representatives, directors or managers, but also by any other person acting in the course of the business of those legal persons and on their behalf.
In this regard, the ECJ finds that administrative fines relating to an infringement referred to in Article 83(4) to (6) GDPR may be imposed on legal persons where they are controllers, without it being necessary that the infringement has previously been attributed to an identified natural person.
Furthermore, the ECJ recalls that a natural or legal person must be regarded as a controller when it exerts influence over the processing of such data, for its own purposes, and thereby participates in the determination of the purposes and means of that processing. With regard to the first case, the ECJ notes that the creation of the app was commissioned by the NVSC and was intended to implement the objective assigned by that entity. For that purpose, the NVSC had envisaged that the personal data of users of the app would be processed. Also, the parameters of the app, such as the questions asked and their wording, were adapted to the needs of the NVSC, which played an active role in their determination. The fact that that entity has not itself performed any processing operations in respect of such data, has not expressly agreed to the dissemination of the app through online shops, and has not acquired the mobile application in question does not preclude the NVSC from being classified as a ‘controller’. However, the NVSC cannot be regarded as the controller of the personal data processing resulting from the mobile application being made available to the public if the NVSC expressly objected to such use.
o With regard to joint controllers
The ECJ further states that when two or more entities jointly determine the purposes and means of processing, they can be classified as joint controllers even if there is no arrangement that has been concluded between them regarding the determination of the purposes and means of the processing of personal data in question or laying down the terms of the joint control.
Such classification arises solely from the fact that several entities have participated in the determination of the purposes and means of processing. Such participation can result from a common decision taken by two or more entities or from converging decisions of those entities. By contrast, it cannot be required that there be a formal arrangement between those controllers as regards the purposes and means of processing.
o With regard to the administrative fines
The ECJ clarifies that administrative fines can only be imposed when infringements referred to in Article 83(4) to (6) GDPR are committed intentionally or negligently. Accordingly, a culpable infringement (one committed with intent or through negligence) is a condition for imposing a fine; a mere objective breach without fault does not suffice.
Moreover, these fines may also be imposed on a controller in respect of personal data processing operations performed by a processor on behalf of that controller, unless “that processor has carried out processing for its own purposes or has processed such data in a manner incompatible with the framework of, or detailed arrangements for, the processing as determined by the controller, or in such a manner that it cannot reasonably be considered that that controller consented to such processing”.
Finally, when calculating administrative fines, the supervisory authority must take as its basis the concept of an ‘undertaking’ within the meaning of Articles 101 and 102 TFEU. As a result, the maximum amount has to be calculated based on a percentage of the total worldwide annual turnover in the preceding business year of the undertaking concerned.
For further information about these cases and/or for general legal advice relating to data protection law, please contact Karel Janssens.