DATA PROTECTION
EU Court of Justice: the maximum fine for violations of the GDPR must be calculated on the turnover of the group to which the company involved in the unlawful conduct belongs.
The judgment of the Court of Justice of the European Union (CJEU) in Case C-383/23 addresses the interpretation of Article 83 of the General Data Protection Regulation (GDPR), in particular with regard to the definition of "undertaking" and the criteria for calculating financial penalties in the event of infringements of the regulation.
The Court reiterated that the concept of 'undertaking' in EU law does not refer exclusively to a single legal entity, but also includes a group of companies operating as an economic unit.
Therefore, if a subsidiary company violates the GDPR, the supervisory authority may consider the entire group of companies to which it belongs, including the parent company, as a single economic entity responsible for the infringement.
The reference annual turnover for determining the amount of the penalty may include not only that of the company directly involved in the infringement, but also that of the parent company and other related entities, if they are part of the same economic unit.
This approach is in line with the logic of sanctions under the GDPR, which must be effective, proportionate and dissuasive.
The Court emphasised that the purpose of sanctions in the GDPR is to ensure compliance with data protection rules. The application of higher penalties, based on the group's turnover, aims to prevent large companies from circumventing the rules by relying on smaller subsidiaries to reduce the scope of sanctions.
The decision is in line with the Court's case-law on competition law, where the concept of 'undertaking' has already been interpreted broadly to prevent strategies for circumventing the rules.