CJEU - C‑383/23 - Anklagemyndigheden v ILVA A/S

From GDPRhub
Revision as of 07:58, 23 September 2024 by Wp (talk | contribs) (Created page with "{{CJEUdecisionBOX |Case_Number_Name=C‑383/23 Anklagemyndigheden v ILVA A/S |ECLI=ECLI:EU:C:2024:752 |Opinion_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=B6B9551E48F83FB1DCA11154781C043C?text=2016%252F679&docid=290027&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=3480945#ctx1 |Judgement_Link= |Date_Decided= |Year= |GDPR_Article_1=Article 83(4) GDPR |GDPR_Article_Link_1=Article 83 GDPR#4 |GDPR_Article_2=Article 83(6) GDPR |GDPR_A...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C‑383/23 Anklagemyndigheden v ILVA A/S
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 83(4) GDPR
Article 83(6) GDPR
Decided:
Parties: ILVA A/S
Case Number/Name: C‑383/23 Anklagemyndigheden v ILVA A/S
European Case Law Identifier: ECLI:EU:C:2024:752
Reference from: Vestre Landsret (Denmark)
Language: 24 EU Languages
Original Source: AG Opinion
Initial Contributor: wp


The Advocate General explained that undertaking under Article 83 GDPR encompasses “entity engaged in an economic activity”, no matter its legal form. Although the group turnover would form a baseline for the calculation of maximum fine, the actual fine should reflect all facts of the case, including all aggravating and extenuating circumstances.

English Summary

Facts

ILVA is a company operating a chain of furniture shops in Denmark (a controller). The controller violated Article 5(1)(e) GDPR, Article 5(2) GDPR and Article 6 GDPR regarding the retention of former customers’ personal data. For violations at stake, the Danish DPA (Datatilsynet) advised the public prosecutor imposing a fine of €201,000. The controller was a part of the Lars Larsen Group. Hence, the calculation of the fine was based on the group’s turnover.

The Aarhus District Court (Retten i Aarhus) found the controller guilty. However, the fine was lowered to €13,400, since it was the controller, not the group, who violated the GDPR.

The public prosecutor appealed against the aforementioned judgement before High Court of Western Denmark (Vestre Landsret). High Court of Western Denmark stayed the proceedings and referred the following questions to the CJEU for a preliminary ruling:

1) Must the term “undertaking” in Article 83(4) to (6) GDPR be understood as an undertaking within the meaning of Articles 101 and 102 TFEU, in conjunction with recital 150 of that regulation, and the case-law of the [Court of Justice] [on] EU competition law, so that the term “undertaking” covers any entity engaged in an economic activity, regardless of that entity’s legal status and the way in which it is financed? 2) If the answer to Question 1 is in the affirmative, must Article 83(4) to (6) GDPR be interpreted as meaning that, when imposing a fine on an undertaking, regard must be had to the total worldwide annual turnover of the economic entity of which the undertaking forms part, or only the total worldwide annual turnover of the undertaking itself?’

Advocate General Opinion

On 12 September Advocate General Medina issued his opinion.

At the beginning, the AG explained that within Danish legal system the DPA has no powers to impose fines. The DPA has to report the case with the police, who investigates the case and when necessary initiates the proceedings before a court.

Further, the AG decided to examine both questions together.

The AG emphasised that the notion of “undertaking” has been recently interpreted by the CJEU in case C-807/21 Deutsche Wohnen. According to the CJEU, the undertaking should be understood in line with EU competition law. In particular, it is “entity engaged in an economic activity”, no matter its legal form. When it comes to calculations of a fine, it is the undertaking turnover that should be its basis.

In the case at hand, the AG draw the attention to influence of parent company on the companies within the group. That influence, as defined in the CJEU case law, amounts, for example, to appointing members of boards of directors or calling shareholders meetings. If the parent company “exercise decisive influence” over the controller, then the undertaking under Article 83(5) GDPR would consist of: 1) the controller, 2) the parent company, 3) other companies under decisive influence of the parent company.

Consequently, the group turnover would form a baseline for the calculation of maximum fine.

Nevertheless, the AG pointed out the rules to calculate the maximum fine applicable don’t have to be applied as “the main or only reference for setting the actual fine”. This is because the actual fine should reflect all facts of the case, including all aggravating and extenuating circumstances. The AG underlined that one of relevant circumstance is the role of members of undertaking in violation committed. Additionally, the AG suggested that guarantees of fair criminal proceedings has to be followed as well. Especially, the principle of proportionality must be observed.

In conclusion, the AG proposed Article 83 GDPR, in relation to the actual fine and the notion of undertaking, to be interpreted as follows: “First, it should be evaluated whether the parent company has exercised its decision-making power with respect to specific activities of the controller or the processor at issue in the GDPR infringement(s). Second, it needs to be considered whether specific data processing infringing the GDPR relates to the company concerned and/or to the whole group. Third, it is necessary to establish whether more than one company forming part of the group was involved in the GDPR infringement(s).”

Holding

The judgement has not been issued yet.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!