Wrongful infringement needed to impose administrative sanction for GDPR violations
The ECJ decided two cases involving fines contested by entities in Lithuania and Germany. The Lithuanian National Public Health Centre challenged a €12,000 fine for creating a Covid-19 tracking app, while Deutsche Wohnen, a German real estate company, contested a fine exceeding €14 million for storing tenant data excessively.
The Court of Justice highlighted the specific conditions necessary for imposing administrative fines under the General Data Protection Regulation (GDPR): fines can only be applied in cases of intentional or negligent misconduct, emphasizing the need for wrongful infringement.
It highlighted the responsibility of legal entities for breaches committed by their representatives or those acting on their behalf during business operations, without needing to identify the specific individual responsible beforehand.
Furthermore, the Court delineated the notion of joint control in data processing, emphasizing that joint controllership arises from shared decisions on processing purposes and methods, rather than requiring a formal arrangement. In cases of joint control, responsibilities need to be established through agreement between the involved entities.
Lastly, in determining fines for undertakings, the supervisory authority is directed to apply the concept of an ‘undertaking’ from competition law. This involves calculating the maximum fine as a percentage of the total global annual turnover of the undertaking in the preceding business year.
Here the judgments: ECJ judgments in Cases C-683/21 | Nacionalinis visuomenės sveikatos centras and C-807/21 | Deutsche Wohnen ( C-683/21 and C-807/21 )
For more information: Francesca Giannoni-Crystal