CJEU confirms that GDPR fines are conditional on the penalized conduct being intentional or negligent


On 5 December 2023, the Court of Justice of the European Union (CJEU) issued its judgment in the Deutsche Wohnen case C‑807/21.

The Court adopts the point of view of the Advocate General Campos Sánchez-Bordona  (who issued his Opinion in April this year), indicating that:

  • the application of a GDPR fine upon a legal person acting as controller is not conditional on an infringement previously attributed to a natural person, and
  • a controller (legal person or undertaking) may be fined under GDPR to the extent the penalized conduct was committed with intention or negligence.

While the answer to the first above point is more relevant for the German law (a German court requested this preliminary ruling), we would like to stress the fact that the Court, in reaching its answer, refers to the notion of “enterprise”.

Thus, similar to what it said in its previous case-law (Case Sumal C-882/19), the Court took the view that the concept of “undertaking” covers “any entity engaged in an economic activity, irrespective of the legal status of that entity and the way in which it is financed”. Therefore, follows the CJUE, the concept of an undertaking “defines an economic unit even if in law that economic unit consists of several persons, natural or legal”. The Court also said that the aforementioned economic unit “consists of a unitary organisation of personal, tangible and intangible elements which pursues a specific economic aim on a long-term basis”.

Therefore, according to the Court, when applying the fines based on GDPR, the maximum amount thereof is calculated on the basis of a percentage of the total worldwide annual turnover in the preceding business year of the “undertaking” as defined above.

As regards the second question, the Court confirms that a controller (legal person or undertaking) may be sanctioned with fines under GDPR as far as the conduct which is penalized was committed with intention or negligence. In other words, the objective fact of breach caused by the controller is not sufficient for a fine to be imposed on such controller (i.e., no strict liability).

The CJEU also clarifies that the controller has committed the infringement intentionally or negligently when such controller “could not be unaware of the infringing nature of its conduct, whether or not it is aware that it is infringing the provisions of the GDPR”.

As a conclusion, the Court judgement shows how important is the internal documentation of the reasoning behind the data processing-related decisions taken within the organization. We may think here about applying data protection impact assessments, legitimate interest assessments, documentation of data breaches, documented assessments on the data storage and choosing the adequate legal ground for processing. The more documented the decision is, the better the data protection reasoning will be, and the less chance for the organization to be sanctioned for the fact that it “could not be unaware of the infringing nature of its conduct”.