CJEU - C807/21 - Deutsche Wohnen

From GDPRhub
CJEU - C807/21 Deutsche Wohnen
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 83(4) GDPR
Article 83(5) GDPR
Article 83(6) GDPR
Decided: 5 December 2023
Parties:
Case Number/Name: C807/21 Deutsche Wohnen
European Case Law Identifier: ECLI:EU:C:2023:950
Reference from: KG Berlin (Germany)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: Sophia Hassel

The CJEU ruled that administrative fines under Article 83(4) to (6) can be assigned to anyone who fits the definition of a controller. For the purpose of calculting fines, a controller will be considered an undertaking as defined by competition law and fined on its overall turnover. The ability to impose administrative fines is limited to where a party has breached the GDPR with intent or negligence.

English Summary

Facts

DW is a listed real estate company and indirectly holds around 163,000 housing units and 3,000 commercial units. The owners of these units are subsidiaries (holding companies) of DW and lease the units to other companies in the group (service companies). DW is only in charge or the central management. DW and the group of companies which it manages process the personal data of the tenants of said units.

In 2017, the Berlin DPA informed DW during an on-the-spot inspection that companies within its group were storing personal data in a potentially infringent filing system. The DPA could not tell if it the storage was necessary nor if there were safeguards to ensure the erasure of data which was no longer required. DW told the DPA that it would move data to a more compliant database but this never materialised in practice.

In 2019, the DPA fined DW €14,385,000 for intentional infringement of Article 5(1)(a), (c) and (e) and of Article 25(1) GDPR. The DPA found that DW intentionally failed to take the measures needed to allow personal data relating to tenants to be regularly erased or to check whether they had erroneously been stored. It also stated that DW had continued to store the personal data of at least 15 named tenants where such storage was not necessary.

DW appealed this decision to Berlin's Regional Court. The court stated that the imposition of a fine on a legal person is regulated by national law (Paragraph 30 of the OWiG).[1] As a requirement for the imposition of the administrative fine against a legal person, German law requires that the original infringement shall be attributed to a natural person that is responsible for the legal person's compliance with the law.

The Public Prosecutor's Office in Berlin filed an appeal with Berlin's Higher Regional Court. The Court observed that the limited liability regime of legal persons under national law is incompatible with the regime of direct liability of undertakings established by Article 83 of the GDPR. As a result, it referred the decision to the CJEU and asked two questions:

1) Does Article 83(4) to (6) GDPR incorporate into national law the functional concept of an undertaking and the principle of an economic entity (as defined by competition law in Articles 101 and 102 TFEU).[2] If this is the case, does it broaden the definition of a legal entity underpinning [OWiG] paragraph 30? If so, does this mean that administrative fine proceedings can be brought directly against an undertaking and a fine imposed without the need to find that a natural and identified person committed an administrative offence?

2) If the answer to Question 1 is affirmative, is Article 83(4) to (6) of the GDPR to be interpreted as meaning that the undertaking must have committed an obligation breach intentionally/negligently through an employee, or is the objective fact of an occurrence of a breach caused by it sufficient for a fine to be imposed on that undertaking (the principle of strict liability)?[3]

Holding

The CJEU decided that an infringement of Article 83(4) to (6) is not limited to natural persons and requires intent on the side of the controller.

On the first question

Article 83(4) to (6) precludes national legislation and a fine may be imposed on any person (be they natural or legal) who fit the definition of a controller under the GDPR.

First, the concept of a controller is defined broadly and the EU legislator did not distinguish between natural or legal persons. Article 4(7) GDPR defines it as a natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. The CJEU has also ruled in the past that a natural person may be considered a controller when they participate in determining the purposes and means of processing.[4] That means (as the Advocate General noted in points 57 to 59 of his Opinion), legal persons are liable for infringements committed on their behalf by any person (natural or legal). As a result, a controllers' liability is extremely broad.

Second, a combined reading of Article 4(7), Article 83 and Article 58(2)(i) of the GDPR show that an administrative fine may also be imposed on legal persons where they are controllers. Given that the GDPR is explicit on this point, national law cannot override the GDPR and does not provide Member States with any discretion to introduce additional requirements.

Third, the concept of an undertaking (within the meaning of Articles 101 and 102 TFEU), therefore has no bearing on the conditions for an administrative fine under Article 83 GDPR. That question is exhaustively regulated by Article 58(2) and Article 83(1) to (6) GDPR. Thus the concept of an undertaking is relevant only for the purpose of determining the amount of the administrative fine imposed under Article 83(4) to (6) of the GDPR on a controller.

Last, the concept of an undertaking (within the meaning of Articles 101 and 102 TFEU) defines an economic unit which can be composed of several persons, natural or legal. When the addressee of the administrative fine is or forms part of an undertaking, the maximum amount of the administrative fine must be calculated on the basis of a percentage of the total worldwide annual turnover in the preceding business year of the undertaking concerned. Therefore, the fine is not limited to the turnover of one of DW's subsidiaries, but is rather calculated based on the turnover of DW as a whole (holding and service companies included).

On the second question

The CJEU rejected the idea that administrative fines under the GDPR are ones of strict liability. Article 83 therefore requires a controller to have intentionally or negligently committed an infringement.

First, supervisory authorities do not have discretion on this matter. The substantive conditions which a supervisory authority must satisfy when it imposes an administrative fine on a controller are governed solely by EU law, as they are laid down in detail and without leaving any discretion to the Member States, in Articles 83(1) to (6) of the GDPR.

Second, Article 83(2)(b) GDPR, read in conjunction with Article 83(3) GDPR, both describe the intentional and negligent character of infringements. It follows from the wording of these Articles that only infringements committed wrongfully by the controller, that is, those committed intentionally or negligently, can result in a fine.

Third, this interpretation is more broadly supported by the general purpose of the GDPR. The EU legislature did not find it necessary, when drafting the GDPR, to impose a provision of strict liability on administrative fines. The GDPR aims for a level of protection that is both equivalent and homogeneous, and it must, to that end, be applied consistently throughout the European Union. It would be contrary to that purpose to allow Member States to provide for a strict liability system of fines under Article 83 of the GDPR. Such a freedom of choice would, additionally, be liable to distort competition between economic operators within the European Union, which would run counter to the stated objectives of the EU legislature, in particular, those in recitals 9 and 13 of the GDPR.

Last, where the controller is a legal person, it is not necessary for the infringement to have been committed by its management body, nor is it necessary for that body to have had knowledge of that infringement. Rather a legal person is liable for infringements commited by its representatives which can be any person acting in the course of business on the controllers behalf. [5]

Comment

Negligence or Intent as a requirement for an administrative fine under the GDPR is also highlighted in CJEU - C-683/21 - Nacionalinis visuomenės sveikatos centras.

Further Resources

Share blogs or news articles here!

  1. The Act on Regulatory Offences: https://www.gesetze-im-internet.de/englisch_owig/index.html
  2. In the field of competition law, the concept of 'undertaking' covers any entity engaged in an economic activity, regardless of its legal status and the way in which it is financed. Any activity consisting in offering goods or services on a given market is an economic activity.
  3. Strict liability is the imposition of liability on a party without a finding of fault or criminal intent.The claimant need only prove that the behaviour (in this case a breach) occurred and that the defendant was responsible.
  4. (see, to that effect, judgment of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, paragraph 68).
  5. (see, by analogy, judgments of 7 June 1983, Musique Diffusion française and Others v Commission, 100/80 to 103/80, EU:C:1983:158, paragraph 97, and of 16 February 2017, Tudapetrol Mineralölerzeugnisse Nils Hansen v Commission, C‑94/15 P, EU:C:2017:124, paragraph 28 and the case-law cited).