Banner2.png

CJEU - C-383/23 - ILVA (Fine for an infringement of the GDPR): Difference between revisions

From GDPRhub
(Created page with "{{CJEUdecisionBOX |Case_Number_Name=C‑383/23 ILVA |ECLI=ECLI:EU:C:2025:84 |Opinion_Link= |Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=295319&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=654942 |Date_Decided=13.02.2025 |Year=2025 |GDPR_Article_1=Article 83(4) GDPR |GDPR_Article_Link_1=Article 83 GDPR#4 |GDPR_Article_2=Article 83(5) GDPR |GDPR_Article_Link_2=Article 83 GDPR#5 |GDPR_Article_3=Article 83(6) GDPR |GDPR_Art...")
 
m (Cwa moved page CJEU - C‑383/23 - ILVA to CJEU - C-383/23 - ILVA: Problems with character encoding)
(12 intermediate revisions by one other user not shown)
Line 4: Line 4:
|ECLI=ECLI:EU:C:2025:84
|ECLI=ECLI:EU:C:2025:84


|Opinion_Link=
|Opinion_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=B6B9551E48F83FB1DCA11154781C043C?text=2016%252F679&docid=290027&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=3480945#ctx1
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=295319&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=654942
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=295319&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=654942


Line 38: Line 38:
|Party_Link_2=
|Party_Link_2=


|Reference_Body=High Court of Western Denmark (Denmark)
|Reference_Body=Vestre Landsret (Denmark)
|Reference_Case_Number_Name=
|Reference_Case_Number_Name=


Line 45: Line 45:
}}
}}


The court found that when a controller which is or forms part of an undertaking is fined for GDPR violations, the fine's maximum amount is based on a percentage of the undertaking’s total worldwide annual turnover in the preceding business year.
The CJEU held that DPAs and courts must take into account if a controller is part of an undertaking within the meaning of Articles 101 and 102 TFEU when setting fine amounts. Additionally they must base the fines' maximum amount on the undertaking’s and not the controller's turnover.  


==English Summary==
==English Summary==


=== Facts ===
=== Facts ===
ILVA operates a chain of furniture stores and is part of the Lars Larsen Group. The total group turnover in the 2016/2017 financial year amounted to DKK6.57 Billion (approximately 881,000,000 €) and ILVA’s turnover amounted to almost DKK1.8 billion (approximately EUR 241 million) for the same financial year.
ILVA (the controller) operates a chain of furniture stores and is part of the Lars Larsen Group (the undertaking). The total undertaking's turnover was multiple times higher than that of the controller. The controller is charged before the Danish courts with violating the GDPR in relation to the retention of the data of at least 350,000 former customers.


ILVA is charged before the Danish courts with having failed, to fulfil its GDPR obligations as controller in relation to the retention of the data of at least 350,000 former customers.
On the recommendation of the Danish DPA, the Public Prosecutor’s Office sought the imposition of a fine of DKK1,500,000 (approximately 201,000€) on the controller. The calculation of that amount was based not only on the turnover of the controller, but also on the overall turnover of the undertaking.


On the recommendation of the Danish DPA, the Public Prosecutor’s Office sought the imposition of a fine of DKK 1.5 million (approximately EUR 201 000) on ILVA. The calculation of that amount was based not only on the turnover of ILVA, but also on the overall turnover of the Lars Larsen Group.
The Aarhus District Court (Retten i Aarhus) found that since the charges had been brought only against the controller, it was not necessary to take into account the turnover of the undertaking to determine the amount of the fine. Furthermore, the court noted that the controller was engaged in an independent retail activity and that it had not been set up by the parent company for the sole purpose of processing the undertaking's data.


12      By judgment of 12 February 2021, the retten i Aarhus (Aarhus District Court, Denmark) found that since the charges had been brought only against ILVA, it was not necessary to take into account the turnover of the Lars Larsen Group in order to determine the amount of the fine. Furthermore, the court noted that ILVA was engaged in an independent retail activity and that it had not been set up by the parent company of that group for the sole purpose of processing the group’s data.
The Public Prosecutor’s Office appealed to the High Court of Western Denmark (Vestre Landsret), which decided to stay the proceedings and to request a preliminary ruling asking in essence, whether [[Article 83 GDPR#4|Article 83(4) to (6) GDPR]], read in the light of Recital 150, must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for infringement of the GDPR is imposed on a controller which is or forms part of an undertaking, the amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year.


The Public Prosecutor’s Office brought an appeal against that judgment before the Vestre Landsret (High Court of Western Denmark, Denmark), which  decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling asking in essence, whether Article 83(4) to (6) of the GDPR, read in the light of recital 150 of that regulation, must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for infringement of the GDPR is imposed on a controller of personal data which is or forms part of an undertaking, the amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year, within the meaning of Articles 101 and 102 TFEU.
=== Advocate General Opinion ===
The AG emphasised that the notion of “undertaking” has been recently interpreted by the CJEU in [[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen|C-807/21 Deutsche Wohnen]]. According to the CJEU, the undertaking should be understood in line with EU competition law and Article 101 and Article 102 TFEU. In particular, it is “entity engaged in an economic activity”, no matter its legal form. When it comes to calculations of a fine, it is the undertaking turnover that should be its basis.


=== Holding ===
In the case at hand, the AG drew the attention to the influence of the parent company on the companies within the group. That influence, as defined in the CJEU case law, amounts, for example, to appointing members of boards of directors or calling shareholders meetings. If the parent company “exercise decisive influence” over the controller, then the undertaking under [[Article 83 GDPR#5|Article 83(5) GDPR]] would consist of: 1) the controller, 2) the parent company, 3) other companies under decisive influence of the parent company.
The Court ruled in Deutsche Wohnen (C‑807/21, EU:C:2023:950, paragraphs 53 to 59 that the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, has no bearing on whether and under what conditions an administrative fine may be imposed pursuant to Article 83 of the GDPR on a controller who is a legal person, since that question is exhaustively regulated by Article 58(2) and Article 83(1) to (6) of that regulation .


20      That concept is relevant only for the purpose of determining the amount of the administrative fine imposed under Article 83(4) to (6) of the GDPR on a controller (judgment of 5 December 2023, Deutsche Wohnen, C‑807/21, EU:C:2023:950, paragraph 54).
Consequently, the group turnover would form a baseline for the calculation of maximum fine. Nevertheless, the AG pointed out the rules to calculate the maximum fine applicable do not have to be applied as “the main or only reference for setting the actual fine”. This is because the actual fine should reflect all facts of the case, including all aggravating and extenuating circumstances. The AG underlined that one of relevant circumstance is the role of members of undertaking in violation committed.


21      It is in that specific context of the calculation of administrative fines imposed in respect of the infringements referred to in Article 83(4) to (6) of the GDPR that the reference, in recital 150 of that regulation, to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, is to be understood (judgment of 5 December 2023, Deutsche Wohnen, C‑807/21, EU:C:2023:950, paragraph 55).
Additionally, the AG suggested that guarantees of fair criminal proceedings has to be followed as well. Especially, the principle of proportionality must be observed. In conclusion, the AG suggested to consider the following when using the concept of the ''undertaking'' in order to determine the amount of the actual fine under [[Article 83 GDPR]]:


22      In that regard, it should be stated that, for the purposes of applying the competition rules, referred to in Articles 101 and 102 TFEU, that concept covers any entity engaged in an economic activity, irrespective of the legal status of that entity and the way in which it is financed. The concept of an undertaking therefore designates an economic unit even if in law that economic unit consists of several persons, natural or legal. That economic unit consists of a unitary organisation of personal, tangible and intangible elements, which pursues a specific economic aim on a long-term basis (judgment of 5 December 2023, Deutsche Wohnen, C‑807/21, EU:C:2023:950, paragraph 56 and the case-law cited).
“First, it should be evaluated whether the parent company has exercised its decision-making power with respect to specific activities of the controller or the processor at issue in the GDPR infringement(s). Second, it needs to be considered whether specific data processing infringing the GDPR relates to the company concerned and/or to the whole group. Third, it is necessary to establish whether more than one company forming part of the group was involved in the GDPR infringement(s).


23      Accordingly, it is apparent from Article 83(4) to (6) of the GDPR, which concerns the calculation of administrative fines in respect of the infringements listed in those paragraphs, that, where the addressee of the administrative fine is or forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU, the maximum amount of the administrative fine is calculated on the basis of a percentage of the total worldwide annual turnover in the preceding business year of the undertaking concerned (judgment of 5 December 2023, Deutsche Wohnen, C‑807/21, EU:C:2023:950, paragraph 57).
=== Holding ===
 
The Court clarified that the concept of ‘undertaking’ within the GDPR is relevant only for the purpose of determining the amount of the administrative fine imposed on a controller in accordance with [[Article 83 GDPR#4|Article 83(4) to (6) GDPR]]. The court defined an undertaking generally as concept for applying competition rules and specifically as an economic unit regardless if it legally consists of several natural or legal persons.  
24      However, the determination of that maximum amount must be distinguished from the actual calculation of the amount of a fine to be imposed by the competent supervisory authority for the specific infringement or infringements of the GDPR penalised by that fine.
 
25      Thus, under Article 83(1) of the GDPR, each supervisory authority is to ensure that administrative fines imposed pursuant to Article 83 in respect of infringements of the GDPR referred to in paragraphs 4 to 6 thereof are in each individual case effective, proportionate and dissuasive.
 
26      In addition to complying with those three conditions, Article 83(2) of the GDPR requires that the competent supervisory authority, when deciding whether it is necessary to impose an administrative fine and when setting the amount of that fine in each individual case, have due regard to a number of factors.
 
27      Those factors include, in accordance with the latter provision, inter alia, the nature, gravity and duration of the infringement; the number of data subjects affected and the level of damage suffered by them; the intentional or negligent character of the infringement; the actions taken by the controller or processor of personal data to mitigate the damage suffered; the degree of responsibility of that controller or processor; and the categories of personal data affected by the infringement.
 
28      Those factors characterise either the behaviour of that controller or processor, accused of infringements of certain provisions of the GDPR, or the infringements themselves. They therefore serve to ensure that each of those infringements is assessed on the basis of all the relevant individual circumstances and that the objectives pursued by the system of penalties provided for in the GDPR are achieved.
 
29      Although those factors do not make reference to the concept of an undertaking, within the meaning of Articles 101 and 102 TFEU, the Court has already ruled that only a fine which takes into account not just all of the factors thus characterising the established infringements of the GDPR, but also, where appropriate, the actual or material economic capacity of the person on which the fine is imposed is capable of satisfying the three conditions set out in Article 83(1) of the GDPR, namely to be effective, proportionate and dissuasive. In order to assess those conditions, it is necessary to take account of whether that person forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU (see, to that effect, judgment of 5 December 2023, Deutsche Wohnen, C‑807/21, EU:C:2023:950, paragraph 58).
 
30      The interpretation of Article 83 of the GDPR that results from paragraphs 25 to 29 of the present judgment is also applicable where the established infringements of the GDPR are penalised not by an administrative fine but by a fine imposed by the competent national courts as a criminal penalty.
 
As Denmark, does not allow for administrative fines under the GDPR [[Article 83 GDPR#9|Article 83(9) GDPR]] provides that, Article 83 may be applied in such a manner that the fine is initiated by the competent DPA and imposed by competent national courts. Rrecital 151 further specifies that the administrative fines imposed by DPAs are to be effective, proportionate and dissuasive.
 
34      That being said, the fact that the fine is imposed by a criminal court in criminal proceedings means that that court must at all times respect the rules applicable in criminal matters, including, in particular, the procedural rights enjoyed by the accused person and the principle of proportionality of the penalty, as guaranteed by the Charter of Fundamental Rights of the European Union.


35      In that regard, as the Advocate General stated in point 74 of her Opinion, Article 83 of the GDPR requires that the competent supervisory authorities must, without exception, ensure that the principle of proportionality is observed in the calculation of the actual amount of the fine imposed, whereby a fair balance is struck between the demands of the general interest in protecting personal data and the requirements of the protection of the rights of the controller of such data, the processor or the undertaking of which they form part. It follows that an application of the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, in the context of the implementation of Article 83(4) to (6) of the GDPR, does not appear to encounter any obstacles of principle where infringements of the GDPR are penalised not by administrative fines but by fines imposed by criminal courts.
The court confirmed its ruling in [[CJEU - C-807/21 - Deutsche Wohnen|C‑807/21 Deutsche Wohnen]] that [[Article 83 GDPR#4|Article 83(4) to (6) GDPR]] read in the light of Recital 150 must be interpreted to mean, that where the addressee of the administrative fine is or forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU, the maximum amount of the administrative fine is calculated on the basis of a percentage of the total worldwide annual turnover in the preceding business year of the undertaking concerned.


36      In the light of the foregoing considerations, the answer to the questions referred is that Article 83(4) to (6) of the GDPR, read in the light of recital 150 of that regulation, must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for infringement of the GDPR is imposed on a controller of personal data which is or forms part of an undertaking, the maximum amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year. The concept of ‘undertaking’ must also be taken into account in order to assess the actual or material economic capacity of the recipient of the fine and thus to ascertain whether the fine is at the same time effective, proportionate and dissuasive.
However, the court stated that pursuant to [[Article 83 GDPR#1|Article 83(1) GDPR]], DPAs must ensure that administrative fines are in each individual case effective, proportionate and dissuasive. Additionally, [[Article 83 GDPR#2|Article 83(2) GDPR]] requires that the competent DPA, when deciding whether to impose an administrative fine and when setting the amount have due regard to a number of factors serving to ensure that each of those infringements is assessed on the basis of all the relevant individual circumstances and that the objectives pursued by the system of penalties provided for in the GDPR are achieved. Although, those factors do not make reference to the concept of an undertaking, within the meaning of Articles 101 and 102 TFEU, the court reiterated from it's aforementioned [[CJEU - C-807/21 - Deutsche Wohnen|''Deutsche Wohnen'' judgement]], that only a fine which takes into account the actual or material economic capacity of a controller is effective, proportionate and dissuasive. To assess those conditions, the court found, it is necessary to take account of whether that controller forms part of an undertaking.


The court found that Article 83(4) to (6) GDPR, read in the light of Recital 150 , must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for a GDPR infringement  is imposed on a controller of personal data which is or forms part of an undertaking, the maximum amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year. The concept of ‘undertaking’ must also be taken into account in order to assess the actual or material economic capacity of the recipient of the fine and thus to ascertain whether the fine is at the same time effective, proportionate and dissuasive.
Additionally, the court held, that pursuant to [[Article 83 GDPR#9|Article 83(9) GDPR]] this also applies where GDPR infringements are established by competent national courts within criminal proceedings.  


== Comment ==
== Comment ==

Revision as of 09:52, 20 February 2025

CJEU - C‑383/23 ILVA
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 83(4) GDPR
Article 83(5) GDPR
Article 83(6) GDPR
Article 83(9) GDPR
Decided: 13.02.2025
Parties:
Case Number/Name: C‑383/23 ILVA
European Case Law Identifier: ECLI:EU:C:2025:84
Reference from: Vestre Landsret (Denmark)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: tjk


The CJEU held that DPAs and courts must take into account if a controller is part of an undertaking within the meaning of Articles 101 and 102 TFEU when setting fine amounts. Additionally they must base the fines' maximum amount on the undertaking’s and not the controller's turnover.

English Summary

Facts

ILVA (the controller) operates a chain of furniture stores and is part of the Lars Larsen Group (the undertaking). The total undertaking's turnover was multiple times higher than that of the controller. The controller is charged before the Danish courts with violating the GDPR in relation to the retention of the data of at least 350,000 former customers.

On the recommendation of the Danish DPA, the Public Prosecutor’s Office sought the imposition of a fine of DKK1,500,000 (approximately 201,000€) on the controller. The calculation of that amount was based not only on the turnover of the controller, but also on the overall turnover of the undertaking.

The Aarhus District Court (Retten i Aarhus) found that since the charges had been brought only against the controller, it was not necessary to take into account the turnover of the undertaking to determine the amount of the fine. Furthermore, the court noted that the controller was engaged in an independent retail activity and that it had not been set up by the parent company for the sole purpose of processing the undertaking's data.

The Public Prosecutor’s Office appealed to the High Court of Western Denmark (Vestre Landsret), which decided to stay the proceedings and to request a preliminary ruling asking in essence, whether Article 83(4) to (6) GDPR, read in the light of Recital 150, must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for infringement of the GDPR is imposed on a controller which is or forms part of an undertaking, the amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year.

Advocate General Opinion

The AG emphasised that the notion of “undertaking” has been recently interpreted by the CJEU in C-807/21 Deutsche Wohnen. According to the CJEU, the undertaking should be understood in line with EU competition law and Article 101 and Article 102 TFEU. In particular, it is “entity engaged in an economic activity”, no matter its legal form. When it comes to calculations of a fine, it is the undertaking turnover that should be its basis.

In the case at hand, the AG drew the attention to the influence of the parent company on the companies within the group. That influence, as defined in the CJEU case law, amounts, for example, to appointing members of boards of directors or calling shareholders meetings. If the parent company “exercise decisive influence” over the controller, then the undertaking under Article 83(5) GDPR would consist of: 1) the controller, 2) the parent company, 3) other companies under decisive influence of the parent company.

Consequently, the group turnover would form a baseline for the calculation of maximum fine. Nevertheless, the AG pointed out the rules to calculate the maximum fine applicable do not have to be applied as “the main or only reference for setting the actual fine”. This is because the actual fine should reflect all facts of the case, including all aggravating and extenuating circumstances. The AG underlined that one of relevant circumstance is the role of members of undertaking in violation committed.

Additionally, the AG suggested that guarantees of fair criminal proceedings has to be followed as well. Especially, the principle of proportionality must be observed. In conclusion, the AG suggested to consider the following when using the concept of the undertaking in order to determine the amount of the actual fine under Article 83 GDPR:

“First, it should be evaluated whether the parent company has exercised its decision-making power with respect to specific activities of the controller or the processor at issue in the GDPR infringement(s). Second, it needs to be considered whether specific data processing infringing the GDPR relates to the company concerned and/or to the whole group. Third, it is necessary to establish whether more than one company forming part of the group was involved in the GDPR infringement(s).”

Holding

The Court clarified that the concept of ‘undertaking’ within the GDPR is relevant only for the purpose of determining the amount of the administrative fine imposed on a controller in accordance with Article 83(4) to (6) GDPR. The court defined an undertaking generally as concept for applying competition rules and specifically as an economic unit regardless if it legally consists of several natural or legal persons.

The court confirmed its ruling in C‑807/21 Deutsche Wohnen that Article 83(4) to (6) GDPR read in the light of Recital 150 must be interpreted to mean, that where the addressee of the administrative fine is or forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU, the maximum amount of the administrative fine is calculated on the basis of a percentage of the total worldwide annual turnover in the preceding business year of the undertaking concerned.

However, the court stated that pursuant to Article 83(1) GDPR, DPAs must ensure that administrative fines are in each individual case effective, proportionate and dissuasive. Additionally, Article 83(2) GDPR requires that the competent DPA, when deciding whether to impose an administrative fine and when setting the amount have due regard to a number of factors serving to ensure that each of those infringements is assessed on the basis of all the relevant individual circumstances and that the objectives pursued by the system of penalties provided for in the GDPR are achieved. Although, those factors do not make reference to the concept of an undertaking, within the meaning of Articles 101 and 102 TFEU, the court reiterated from it's aforementioned Deutsche Wohnen judgement, that only a fine which takes into account the actual or material economic capacity of a controller is effective, proportionate and dissuasive. To assess those conditions, the court found, it is necessary to take account of whether that controller forms part of an undertaking.

Additionally, the court held, that pursuant to Article 83(9) GDPR this also applies where GDPR infringements are established by competent national courts within criminal proceedings.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!