CJEU - C-807/21 - Deutsche Wohnen

From GDPRhub
Revision as of 16:49, 5 December 2023 by Sh (talk | contribs) (Created page with "{{CJEUdecisionBOX |Case_Number_Name=C807/21 Deutsche Wohnen |ECLI= |Opinion_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=272981&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=4523475 |Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=280325&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=4523475 |Date_Decided= |Year= |GDPR_Article_1=Article 83(4) GDPR |GDPR_Article_Link_1=Article 83 GDPR#4 |GDP...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C807/21 Deutsche Wohnen
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 83(4) GDPR
Article 83(5) GDPR
Article 83(6) GDPR
Decided:
Parties:
Case Number/Name: C807/21 Deutsche Wohnen
European Case Law Identifier:
Reference from: Kammergericht Berlin (Higher Regional Court, Berlin, Germany)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: sh


The CJEU decided that where the controller is a legal person, it is not necessary for the infringement to have been committed by its management body; nor is it necessary for that body to have had knowledge of that infringement.

English Summary

Facts

DW is a listed real estate company and indirectly holds arouund 163,000 housing units and 3,000 commercial units. The owners of these units are subsidiaries (holding companies) of DW and lease the units to other companies in the group (service companies). DW is only in charge or the central management. DW and the group of companies which it manages process the personal data of the tenants of said units.

In June 2017, the Berlin DPA informed DW during an on-the-spot inspection that companies within its group were storing personal data in a potentially infringent filing system. The DPA could not tell if it the storage was necessary nor if there were safeguards to ensure the erasure of data which was no longer required. DW told the DPA that it would move data to a more compliant database but this never materialised in practice. In 2019 the DPA fined DW an administrative fine of €14,385,000 for intentional infringement of Article 5(1)(a), (c) and (e) and of Article 25(1) of the GDPR. The DPA found that DW intentionally failed to take the measures needed to allow personal data relating to tenants to be regularly erased where such data were no longer necessary or had, for some other reason, erroneously been stored. It also stated that DW had continued to store the personal data of at least 15 named tenants where such storage was not necessary.

Through that decision, that authority also imposed 15 other fines on DW of between €3,000 and €17,000 in respect of the infringement of Article 6(1) of the GDPR.

DW appealed this decision to Berlin's Regional Court. The court stated that the the imposition of a fine on a legal person is exhaustively regulated by national law (Paragraph 30 of the OWiG). Under that, a finding of an administrative infringement can be made only against a natural person and not against a legal person. Therefore, only the actions of representatives of the legal person can be attributed to that legal person.

Berlin's Public Prosecutor's office appealed this decision before the Berlin's Higher Regional Court who then reffered this decision to the CJEU.

The Court noted that the limited liability regime of legal persons under national law conflicts with the regime of direct liability of undertakings laid down in Article 83 of the GDPR. It therefore, asked:

1) Does Article 83(4) to (6) of the GDPR incorporate into national law the functional concept of an undertaking and the principle of an economic entity (as defined by competition law in Articles 101 and 102 TFEU). If this is the case, does it broaden the definition of a legal entity underpinning [OWiG] paragraph 30? If so, does this mean that administrative fine proceedings can be brought directly against an undertaking and a fine imposed without the need for a finding that a natural and identified person committed an administrative offence?

2) If the answer to Question 1 is affirmative, is Article 83(4) to (6) of the GDPR to be interpreted as meaning that the undertaking must have committed an obligation breach intentionally/negligently through an employee, or is the objective fact of an occurrence of a breach caused by it sufficient for a fine to be imposed on that undertaking (the principle of strict liability)?

Holding

X

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!