CJEU - C-807/21 - Deutsche Wohnen

From GDPRhub
Revision as of 17:42, 5 December 2023 by Sh
CJEU - C807/21 Deutsche Wohnen
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 83(4) GDPR
Article 83(5) GDPR
Article 83(6) GDPR
Decided:
Parties:
Case Number/Name: C807/21 Deutsche Wohnen
European Case Law Identifier:
Reference from: Kammergericht Berlin (Higher Regional Court, Berlin, Germany)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: sh


The CJEU decided that where the controller is a legal person, it is not necessary for the infringement to have been committed by its management body; nor is it necessary for that body to have had knowledge of that infringement.

English Summary

Facts

DW is a listed real estate company and indirectly holds around 163,000 housing units and 3,000 commercial units. The owners of these units are subsidiaries (holding companies) of DW and lease the units to other companies in the group (service companies). DW is only in charge of the central management. DW and the group of companies which it manages process the personal data of the tenants of said units.

In 2017, the Berlin DPA informed DW during an on-the-spot inspection that companies within its group were storing personal data in a potentially infringing filing system. The DPA could not tell whether the storage was necessary or whether there were safeguards to ensure the erasure of data which was no longer required. DW told the DPA that it would move data to a more compliant database, but this never materialised in practice.

In 2019 the DPA imposed an administrative fine of €14,385,000 on DW for intentional infringement of Article 5(1)(a), (c) and (e) and of Article 25(1) GDPR. The DPA found that DW intentionally failed to take the measures needed to allow personal data relating to tenants to be regularly erased where such data were no longer necessary or had, for some other reason, erroneously been stored. It also stated that DW had continued to store the personal data of at least 15 named tenants where such storage was not necessary.

DW appealed this decision to Berlin's Regional Court. The court stated that the imposition of a fine on a legal person is exhaustively regulated by national law (Paragraph 30 of the OWiG).[1] Under this provision, a finding of an administrative infringement can only be made against a natural person, not a legal person. Therefore, the actions of other legal persons (the group companies) cannot be attributed to another legal person (DW).

Berlin's Public Prosecutor's office appealed this decision before Berlin's Higher Regional Court. The Court noted that the limited liability regime of legal persons under national law conflicts with the regime of direct liability of undertakings laid down in Article 83 of the GDPR. It therefore referred the decision to the CJEU and asked two questions:

1) Does Article 83(4) to (6) GDPR incorporate into national law the functional concept of an undertaking and the principle of an economic entity (as defined by competition law in Articles 101 and 102 TFEU)?[2] If this is the case, does it broaden the definition of a legal entity underpinning [OWiG] paragraph 30? If so, does this mean that administrative fine proceedings can be brought directly against an undertaking and a fine imposed without the need to find that a natural and identified person committed an administrative offence?

2) If the answer to Question 1 is affirmative, is Article 83(4) to (6) of the GDPR to be interpreted as meaning that the undertaking must have committed an obligation breach intentionally/negligently through an employee, or is the objective fact of an occurrence of a breach caused by it sufficient for a fine to be imposed on that undertaking (the principle of strict liability)?[3]

Holding

The CJEU decided that an infringement of Article 83(4) to (6) X and that the infringement of Article 83(4) to (6) requires intent.

On the first question

On the second question

The CJEU rejected the idea that administrative fines under the GDPR are ones of strict liability. Article 83 therefore requires a controller to have intentionally or negligently committed an infringement.

First, supervisory authorities do not have discretion on this matter. The substantive conditions which a supervisory authority must satisfy when it imposes an administrative fine on a controller are governed solely by EU law, as they are laid down in detail, and without leaving any discretion to the Member States, in Article 83(1) to (6) of the GDPR.

Second, Article 83(2)(b) GDPR, read in conjunction with Article 83(3) GDPR, describes the intentional or negligent character of infringements. It follows from the wording of these Articles that only infringements committed wrongfully by the controller, that is, those committed intentionally or negligently, can result in a fine being imposed on the controller.

Third, this interpretation is more broadly supported by the general purpose of the GDPR. The EU legislature did not find it necessary, when drafting the GDPR, to impose a provision of strict liability on administrative fines. The GDPR aims for a level of protection that is both equivalent and homogeneous, and it must, to that end, be applied consistently throughout the European Union. It would be contrary to that purpose to allow Member States to provide for a strict liability system of fines under Article 83 of the GDPR. Such a freedom of choice would, additionally, be liable to distort competition between economic operators within the European Union, which would run counter to the stated objectives of the EU legislature, in particular, those in recitals 9 and 13 of the GDPR.

Fourth, the fact that an infringement requires intent does not mean (in cases where the controller is a legal entity) that there needs to be action or even knowledge on the part of the management body of that legal person.[4]

  1. The Bundesdatenschutzgesetz (Federal Law on data protection) of 30 June 2017 and amended 19 June 2020.
  2. In the field of competition law, the concept of 'undertaking' covers any entity engaged in an economic activity, regardless of its legal status and the way in which it is financed. Any activity consisting in offering goods or services on a given market is an economic activity. It follows that this is a very broad definition.
  3. Strict liability is the imposition of liability on a party without a finding of fault or criminal intent. The claimant need only prove that the behaviour (in this case a breach) occurred and that the defendant was responsible.
  4. (see, by analogy, judgments of 7 June 1983, Musique Diffusion française and Others v Commission, 100/80 to 103/80, EU:C:1983:158, paragraph 97, and of 16 February 2017, Tudapetrol Mineralölerzeugnisse Nils Hansen v Commission, C‑94/15 P, EU:C:2017:124, paragraph 28 and the case-law cited).