EU Court of Justice: only a wrongful infringement of the General Data Protection Regulation may result in an administrative fine being imposed.

A Lithuanian court and a German court have asked the Court of Justice to interpret the General Data Protection Regulation (GDPR) 1 regarding the possibility for national supervisory authorities to penalise the infringement of that regulation by imposing an administrative fine on the data controller. In the Lithuanian case, the National Public Health Centre under the Ministry of Health is contesting a fine of € 12 000 which has been imposed on it in the context of the creation, with the assistance of a private undertaking, of a mobile application for registering and monitoring the data of persons exposed to Covid-19. In the German case, the real estate company Deutsche Wohnen, which indirectly holds approximately 163 000 housing units and 3 000 commercial units, is contesting, inter alia, a fine of over € 14 million which has been imposed on it as a result of its having stored the personal data of tenants for longer than necessary. The Court holds that a data controller may not have an administrative fine imposed on it for an infringement of the GDPR unless that infringement was committed wrongfully, that is to say, intentionally or negligently. That is the case where the controller could not have been unaware of the infringing nature of its conduct, regardless of whether or not it was aware of the infringement.

Where the controller is a legal person, it is not necessary for the infringement to have been committed by its management body; nor is it necessary for that body to have had knowledge of that infringement. On the contrary, a legal person is liable both for infringements committed by its representatives, directors or managers, and for those committed by any other person acting in the course of the business of that legal person and on its behalf. Moreover, the imposition of an administrative fine on a legal person as a controller cannot be subject to a previous finding that that infringement was committed by an identified natural person.

Furthermore, a controller may also have a fine imposed on it in respect of operations performed by a processor, to the extent that the controller may be held responsible for such operations.

With regard to joint control by two or more entities, the Court clarifies that such control arises solely from the fact that those entities have participated in the determination of the purposes and means of processing. Classification as ‘joint controllers’ does not require that there be a formal arrangement between the entities in question. A common decision, or converging decisions, are sufficient. However, where there are in fact joint controllers, they must determine their respective responsibilities by means of an arrangement between them.

Lastly, as regards the calculation of the fine where the addressee is or forms part of an undertaking, the supervisory authority must take as its basis the concept of an ‘undertaking’ 2 under competition law. Thus, the maximum amount of the fine must be calculated on the basis of a percentage of the total worldwide annual turnover of the undertaking concerned, taken as a whole, in the preceding business year.