Clifford Chance
Talking Tech

CJEU decisions on administrative fines under the GDPR

Data Privacy 19 December 2023

On 5 December 2023, the Court of Justice of the European Union (CJEU) published its preliminary rulings in Cases C-683/21 (Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos) (NVSC) and C-807/21 (Deutsche Wohnen SE) (DW). In these cases, which are factually unrelated but raise overlapping issues of principle, the CJEU reached several key decisions clarifying the position under the EU General Data Protection Regulation (GDPR) regarding the imposition of administrative fines by data protection supervisory authorities.

The two rulings were neatly complemented, a few days later, by the CJEU's preliminary ruling in Case C-340/21 (VB), on the circumstances in which data subjects are entitled to compensation for non-material damage suffered as a result of a breach of the GDPR – see our article "Court of Justice of the European Union on GDPR & Cybercrime" for more details.

Case NVSC

Case NVSC concerned a fine imposed on the Lithuanian governmental agency NVSC, as joint controller, in relation to the collection and processing of personal data carried out by the service provider UAB 'IT sprendimai sėkmei'. The service provider purported to act on NVSC's behalf (i.e. as a processor) in relation to the development and operation of a mobile app registering and monitoring persons exposed to Covid-19, but without any formal agreement governing the processing that it carried out. NVSC argued that, in the absence of a formal written appointment, agreement or other arrangement, the service provider could not be considered to have acted as a processor on NVSC's behalf or as a joint controller with it, but only as an independent controller in its own right.

Case DW

Case DW concerned a fine imposed on the European-incorporated and German-registered real estate company DW for, essentially, over-retention of personal data relating to tenants of a number of DW's subsidiaries. DW (and the Regional Court of Berlin) argued that, pursuant to German law, a fine could not be imposed on DW without first identifying a natural person who had committed the breach and for whose acts DW would be responsible according to the ordinary principles of the German Administrative Offences Act.

Across the two cases the CJEU reached the following key decisions:

The circumstances in which a fine can be imposed

  • Although this point is not made explicit in the GDPR, article 83 of the GDPR only creates a power to impose an administrative fine on a controller or processor if it has breached the GDPR either intentionally or negligently – an innocent breach would not be sufficient. This decision is set out in essentially similar terms in both rulings, relying in part on the reference in article 83(2)(b) to "the intentional or negligent character of the infringement" as a factor to be taken into account in deciding whether to impose a fine and, if so, at what level.
  • A controller or processor can, however, be found to have committed an intentional or negligent breach of the GDPR without it being necessary first to identify a breach which is attributed or attributable to (or even known of by) a natural person of any particular defined kind (e.g. a member of its executive board). It is sufficient for the breach to have been committed by any person acting in the course of the controller or processor's business and on its behalf. Member States are not entitled to legislate for a narrower scheme of responsibility. This point was addressed in DW.
  • Similarly, a controller can be liable for a breach of the GDPR carried out on its behalf by a processor. This point was addressed in NVSC.

Application of anti-trust concepts to GDPR fines

  • The concept of an "undertaking" in articles 83(4) to (6) of the GDPR is relevant only to the level of an administrative fine and not to the question of whether or in what circumstances a fine should be imposed. This point was addressed in DW and is entirely consistent with a literal reading of the GDPR.
  • Where a controller or processor on whom an administrative fine is to be imposed is part of an "undertaking", and the fine is to exceed the EUR 10 million or EUR 20 million threshold specified in article 83(4) or (5), the level of the fine should be determined by reference to the worldwide annual turnover of that undertaking, with the undertaking defined in the same way that it would be defined for competition law purposes, largely by judicial decisions, in relation to articles 101 and 102 of the Treaty on the Functioning of the European Union. This point, which is also addressed in DW, is unsurprising in itself, being based on an explicit statement in recital 150 to the GDPR. It does, however, appear to rule out the possibility of an argument that, in the data protection context, the concept of an undertaking should be defined by reference to the degree of influence that one entity may have over the processing of personal data carried out by another entity, rather than over its economic activities generally. The DW ruling is explicit on this point, focussing on the need for the resulting fine to be effective, proportionate and dissuasive, which is largely an economic rather than a "data processing" question.

Joint control and controller / processor relationships

  • While the GDPR requires joint controllers to arrive at "arrangement[s]" (article 26(1)), and controllers to ensure that their arrangements with processors are governed by "contract[s] or other legal act[s]", this does not mean that the absence of such arrangements, contracts or legal acts indicates the absence of relationships of joint control or of controller / processor arrangements. This point was addressed in NVSC and does not break new ground.

Conclusion

These decisions are helpful in clearly establishing that administrative fines cannot be imposed under the GDPR on a strict liability basis. They also take a small step towards clarifying the basis on which competition law concepts should be applied to determining the level of GDPR fines, although it seems likely that further complexities will arise as and if large fines continue to be imposed by the data protection supervisory authorities.