CJEU - C-383/23 - ILVA (Fine for an infringement of the GDPR)
CJEU - C‑383/23 ILVA | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 83(4) GDPR Article 83(5) GDPR Article 83(6) GDPR Article 83(9) GDPR |
Decided: | 13.02.2025 |
Parties: | |
Case Number/Name: | C‑383/23 ILVA |
European Case Law Identifier: | ECLI:EU:C:2025:84 |
Reference from: | High Court of Western Denmark (Denmark) |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | tjk |
The court found that when a controller which is or forms part of an undertaking is fined for GDPR violations, the fine's maximum amount is based on a percentage of the undertaking’s total worldwide annual turnover in the preceding business year.
English Summary
Facts
ILVA operates a chain of furniture stores and is part of the Lars Larsen Group. The total group turnover in the 2016/2017 financial year amounted to DKK 6.57 billion (approximately €881,000,000) and ILVA’s turnover amounted to almost DKK 1.8 billion (approximately EUR 241 million) for the same financial year.
ILVA is charged before the Danish courts with having failed to fulfil its GDPR obligations as controller in relation to the retention of the data of at least 350,000 former customers.
On the recommendation of the Danish DPA, the Public Prosecutor’s Office sought the imposition of a fine of DKK 1.5 million (approximately EUR 201 000) on ILVA. The calculation of that amount was based not only on the turnover of ILVA, but also on the overall turnover of the Lars Larsen Group.
By judgment of 12 February 2021, the Aarhus District Court found that since the charges had been brought only against ILVA, it was not necessary to take into account the turnover of the Lars Larsen Group in order to determine the amount of the fine. Furthermore, the court noted that ILVA was engaged in an independent retail activity and that it had not been set up by the parent company of that group for the sole purpose of processing the group’s data.
The Public Prosecutor’s Office appealed to the High Court of Western Denmark, which decided to stay the proceedings and requested a preliminary ruling asking, in essence, whether Article 83(4) to (6) of the GDPR, read in the light of recital 150 of that regulation, must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for infringement of the GDPR is imposed on a controller of personal data which is or forms part of an undertaking, the amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year, within the meaning of Articles 101 and 102 TFEU.
Holding
The Court ruled in Deutsche Wohnen (C‑807/21, EU:C:2023:950, paragraphs 53 to 59) that the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, is relevant only for the purpose of determining the amount of the administrative fine imposed under Article 83(4) to (6) of the GDPR on a controller.
22 In that regard, it should be stated that, for the purposes of applying the competition rules, the concept of an undertaking designates an economic unit even if in law that economic unit consists of several persons, natural or legal. That economic unit consists of a unitary organisation of personal, tangible and intangible elements, which pursues a specific economic aim on a long-term basis (judgment of 5 December 2023, Deutsche Wohnen, C‑807/21, EU:C:2023:950, paragraph 56 and the case-law cited).
23 Accordingly, it is apparent from Article 83(4) to (6) of the GDPR that, where the addressee of the administrative fine is or forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU, the maximum amount of the administrative fine is calculated on the basis of a percentage of the total worldwide annual turnover in the preceding business year of the undertaking concerned (judgment of 5 December 2023, Deutsche Wohnen, C‑807/21, EU:C:2023:950, paragraph 57).
However, under Article 83(1) GDPR, each DPA is to ensure that administrative fines imposed pursuant to Article 83 in respect of infringements of the GDPR referred to in paragraphs 4 to 6 thereof are in each individual case effective, proportionate and dissuasive. Additionally, Article 83(2) GDPR requires that the competent DPA, when deciding whether it is necessary to impose an administrative fine and when setting the amount of that fine in each individual case, have due regard to a number of factors serving to ensure that each of those infringements is assessed on the basis of all the relevant individual circumstances and that the objectives pursued by the system of penalties provided for in the GDPR are achieved.
Although those factors do not make reference to the concept of an undertaking, within the meaning of Articles 101 and 102 TFEU, the Court has already ruled that only a fine which takes into account, where appropriate, the actual or material economic capacity of the person on which the fine is imposed is effective, proportionate and dissuasive. In order to assess those conditions, it is necessary to take account of whether that person forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU.
The court found that this interpretation of Article 83 GDPR is also applicable where the fine for the established infringements of the GDPR is imposed by the competent national courts as a criminal penalty, as Article 83(9) GDPR provides that, when a jurisdiction does not allow for administrative fines under the GDPR, Article 83 may be applied in such a manner that the fine is initiated by the competent DPA and imposed by competent national courts. Recital 151 further specifies that the administrative fines imposed by DPAs are to be effective, proportionate and dissuasive.
Thus, the court found that Article 83(4) to (6) GDPR, read in the light of Recital 150, must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for a GDPR infringement is imposed on a controller of personal data which is or forms part of an undertaking, the maximum amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year. The concept of ‘undertaking’ must also be taken into account in order to assess the actual or material economic capacity of the recipient of the fine and thus to ascertain whether the fine is at the same time effective, proportionate and dissuasive.