Cases C-683/21 | Nacionalinis visuomenes sveikatos centras and C-807/21 | Deutsche Wohnen, the Court of Justice has clarified when national supervisory authorities may impose an administrative fine on one or more controllers for an infringement of the GDPR. In particular, it ruled that the imposition of a fine requires wrongful conduct; that is, that the infringement has been committed intentionally or negligently. Also, if the addressee of the fine is part of a group of companies, the calculation of the fine must be based on the turnover of the entire group.
A Lithuanian court and a German court asked the Court of Justice to interpret the GDPR regarding the ability of national supervisory authorities to penalise the infringement of the GDPR by imposing an administrative fine on the data controller.
In the Lithuanian case, the National Public Health Centre was contesting a fine of €12,000 which had been imposed on it in the context of the creation, with the assistance of a private undertaking, of a mobile application for registering and monitoring the data of persons exposed to COVID-19.
In the German case, the real estate company Deutsche Wohnen, which indirectly holds approximately 163,000 housing units and 3,000 commercial units, was contesting a fine of over €14 million which was imposed on it because it had stored the personal data of tenants for longer than necessary.
The Court held that a data controller may not have an administrative fine imposed on it for an infringement of the GDPR unless that infringement was committed wrongfully, meaning intentionally or negligently. This applies if the controller could not have been unaware of the infringing nature of its conduct, regardless of whether it was aware of the infringement.
If the controller is a legal person, it is not necessary for the infringement to have been committed by its management body; nor is it necessary for that body to have had knowledge of that infringement. On the contrary, a legal person is liable both for infringements committed by its representatives, directors or managers, and for those committed by any other person acting in the court of the business of that legal person and on its behalf. In addition, the imposition of an administrative fine on a legal person as a controller cannot be subject to a previous finding that that infringement was committed by an identified natural person.
Furthermore, a controller may also have a fine imposed on it for operations performed by a processor, to the extent that the controller may be held responsible for such operations.
Regarding joint control by two or more entities, the Court clarified that such control arises solely from the fact that those entities have participated in the determination of the purposes and means of processing. Classification as “joint controllers” does not require that there be a formal arrangement between the entities in question. A common decision, or converging decisions, are sufficient. However, where there are in fact joint controllers, they must determine their respective responsibilities by means of an arrangement between them.
Lastly, the Court considered the calculation of the fine where the addressee is or firms part of an undertaking. It said that the supervisory authority must take as its basis the concept of an “undertaking” under competition law. Consequently, the maximum amount of the fine must be calculated on the basis of a percentage of the total worldwide annual turnover of the undertaking concerned, taken as a whole, in the preceding business year.