Written by Haim Ravia and Dotan Hammer
The European Union’s Court of Justice (CJEU) held that administrative fines may only be imposed on a data controller under the GDPR where it has either intentionally or negligently violated the GDPR. The CJEU clarified that a lack of awareness about a GDPR breach does not insulate entities from fines, highlighting the importance of active compliance with GDPR mandates.
The litigant at issue also asserted that it was not a data controller, as it neither directly processed the data nor formalized an agreement with the company that had developed the bespoke software that processed that data. On the other hand, the software development company positioned itself merely as a data processor.
The CJEU dismissed these claims, finding that the entity that requests the software and defines its purposes and methods is a controller, whether or not it is directly involved in data processing or procurement agreements. A controller may also be liable for a processor’s wrongdoings if these are committed under the instructions of the controller. However, a controller cannot be fined for the wrongdoings of a processor if the processor acted for its own purposes, in contravention of the processing instructions of the controller, or in ways that cannot be deemed to have been consented to by the controller.
Relatedly, the CJEU issued another decision regarding a penalty imposed on a German property rental firm. The company argued that, under German law, administrative fines cannot be levied against a legal entity unless the infringement is directly attributable to the entity’s management. The CJEU rejected this argument, affirming that legal entities are liable for the actions of their representatives and any person acting on their behalf. The Court also determined that for a company that is part of a corporate group, fines should be calculated based on the group’s total turnover.
See the CJEU’s decision in C‑683/21 concerning the criteria for administrative fines under the GDPR.
See the CJEU’s decision in C‑807/21 concerning GDPR fines imposable on corporations.