CJEU - C807/21 - Deutsche Wohnen: Difference between revisions

Revision as of 17:10, 5 December 2023

CJEU - C807/21 Deutsche Wohnen

Court:	CJEU
Jurisdiction:	European Union
Relevant Law:	Article 83(4) GDPR Article 83(5) GDPR Article 83(6) GDPR
Decided:
Parties:
Case Number/Name:	C807/21 Deutsche Wohnen
European Case Law Identifier:
Reference from:	Kammergericht Berlin (Higher Regional Court, Berlin, Germany)
Language:	24 EU Languages
Original Source:	AG Opinion Judgement
Initial Contributor:	sh

The CJEU decided that where the controller is a legal person, it is not necessary for the infringement to have been committed by its management body; nor is it necessary for that body to have had knowledge of that infringement.

English Summary

Facts

DW is a listed real estate company and indirectly holds arouund 163,000 housing units and 3,000 commercial units. The owners of these units are subsidiaries (holding companies) of DW and lease the units to other companies in the group (service companies). DW is only in charge or the central management. DW and the group of companies which it manages process the personal data of the tenants of said units.

In 2017, the Berlin DPA informed DW during an on-the-spot inspection that companies within its group were storing personal data in a potentially infringent filing system. The DPA could not tell if it the storage was necessary nor if there were safeguards to ensure the erasure of data which was no longer required. DW told the DPA that it would move data to a more compliant database but this never materialised in practice.

In 2019 the DPA fined DW an administrative fine of €14,385,000 for intentional infringement of Article 5(1)(a), (c) and (e) and of Article 25(1) GDPR. The DPA found that DW intentionally failed to take the measures needed to allow personal data relating to tenants to be regularly erased where such data were no longer necessary or had, for some other reason, erroneously been stored. It also stated that DW had continued to store the personal data of at least 15 named tenants where such storage was not necessary.

DW appealed this decision to Berlin's Regional Court. The court stated that the the imposition of a fine on a legal person is exhaustively regulated by national law (Paragraph 30 of the OWiG).^[1] A finding of an administrative infringement can only be made against a natural person, not a legal person, under this provision. Therefore, the actions of other legal persons (the company groups) cannot be to another legal person (DW).

Berlin's Public Prosecutor's office appealed this decision before the Berlin's Higher Regional Court. The Court noted that the limited liability regime of legal persons under national law conflicts with the regime of direct liability of undertakings laid down in Article 83 of the GDPR. It therefore reffered the decision to the CJEU and asked two questions:

1) Does Article 83(4) to (6) GDPR incorporate into national law the functional concept of an undertaking and the principle of an economic entity (as defined by competition law in Articles 101 and 102 TFEU).^[2] If this is the case, does it broaden the definition of a legal entity underpinning [OWiG] paragraph 30? If so, does this mean that administrative fine proceedings can be brought directly against an undertaking and a fine imposed without the need to find that a natural and identified person committed an administrative offence?

2) If the answer to Question 1 is affirmative, is Article 83(4) to (6) of the GDPR to be interpreted as meaning that the undertaking must have committed an obligation breach intentionally/negligently through an employee, or is the objective fact of an occurrence of a breach caused by it sufficient for a fine to be imposed on that undertaking (the principle of strict liability)?^[3]

Holding

The CJEU decided that an infringement of

On the first question,

On the second question,

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

↑ The Bundesdatenschutzgesetz (Federal Law on data protection) of 30 June 2017 and amended 19 June 2020.
↑ In the field of competition law, the concept of 'undertaking' covers any entity engaged in an economic activity, regardless of its legal status and the way in which it is financed. Any activity consisting in offering goods or services on a given market is an economic activity. It follows that this is a very broad definition.
↑ Strict liability is the imposition of liability on a party without a finding of fault or criminal intent.The claimant need only prove that the behaviour (in this case a breach) occurred and that the defendant was responsible.

[1] The Bundesdatenschutzgesetz (Federal Law on data protection) of 30 June 2017 and amended 19 June 2020.

[2] In the field of competition law, the concept of 'undertaking' covers any entity engaged in an economic activity, regardless of its legal status and the way in which it is financed. Any activity consisting in offering goods or services on a given market is an economic activity. It follows that this is a very broad definition.

[3] Strict liability is the imposition of liability on a party without a finding of fault or criminal intent.The claimant need only prove that the behaviour (in this case a breach) occurred and that the defendant was responsible.

[1]

[2]

[3]

@@ Line 51: / Line 51: @@
 DW is a listed real estate company and indirectly holds arouund 163,000 housing units and 3,000 commercial units. The owners of these units are subsidiaries (holding companies) of DW and lease the units to other companies in the group (service companies). DW is only in charge or the central management. DW and the group of companies which it manages process the personal data of the tenants of said units.
-In June 2017, the Berlin DPA informed DW during an on-the-spot inspection that companies within its group were storing personal data in a potentially infringent filing system. The DPA could not tell if it the storage was necessary nor if there were safeguards to ensure the erasure of data which was no longer required. DW told the DPA that it would move data to a more compliant database but this never materialised in practice. In 2019 the DPA fined DW an administrative fine of €14,385,000 for intentional infringement of Article 5(1)(a), (c) and (e) and of Article 25(1) of the GDPR. The DPA found that DW intentionally failed to take the measures needed to allow personal data relating to tenants to be regularly erased where such data were no longer necessary or had, for some other reason, erroneously been stored. It also stated that DW had continued to store the personal data of at least 15 named tenants where such storage was not necessary.
+In 2017, the Berlin DPA informed DW during an on-the-spot inspection that companies within its group were storing personal data in a potentially infringent filing system. The DPA could not tell if it the storage was necessary nor if there were safeguards to ensure the erasure of data which was no longer required. DW told the DPA that it would move data to a more compliant database but this never materialised in practice.
-Through that decision, that authority also imposed 15 other fines on DW of between €3,000 and €17,000 in respect of the infringement of Article 6(1) of the GDPR.
+In 2019 the DPA fined DW an administrative fine of €14,385,000 for intentional infringement of [[Article 5 GDPR|Article 5(1)(a), (c) and (e)]] and of [[Article 25 GDPR|Article 25(1) GDPR.]] The DPA found that DW intentionally failed to take the measures needed to allow personal data relating to tenants to be regularly erased where such data were no longer necessary or had, for some other reason, erroneously been stored. It also stated that DW had continued to store the personal data of at least 15 named tenants where such storage was not necessary.
-DW appealed this decision to Berlin's Regional Court. The court stated that the the imposition of a fine on a legal person is exhaustively regulated by national law (Paragraph 30 of the OWiG). Under that, a finding of an administrative infringement can be made only against a natural person and not against a legal person. Therefore, only the actions of representatives of the legal person can be attributed to that legal person.
+DW appealed this decision to Berlin's Regional Court. The court stated that the the imposition of a fine on a legal person is exhaustively regulated by national law (Paragraph 30 of the OWiG).<ref>The Bundesdatenschutzgesetz (Federal Law on data protection) of 30 June 2017 and amended 19 June 2020.  </ref> A finding of an administrative infringement can only be made against a natural person, not a legal person, under this provision. Therefore, the actions of other legal persons (the company groups) cannot be to another legal person (DW).
-Berlin's Public Prosecutor's office appealed this decision before the Berlin's Higher Regional Court who then reffered this decision to the CJEU.
+Berlin's Public Prosecutor's office appealed this decision before the Berlin's Higher Regional Court. The Court noted that the limited liability regime of legal persons under national law conflicts with the regime of direct liability of undertakings laid down in Article 83 of the GDPR. It therefore reffered the decision to the CJEU and asked two questions:
-The Court noted that the limited liability regime of legal persons under national law conflicts with the regime of direct liability of undertakings laid down in Article 83 of the GDPR. It therefore, asked:
+)   Does Article 83(4) to (6) GDPR incorporate into national law the functional concept of an undertaking and the principle of an economic entity (as defined by competition law in Articles 101 and 102 TFEU).<ref>In the field of competition law, the concept of 'undertaking' '''covers any entity engaged in an economic activity, regardless of its legal status and the way in which it is financed'''. Any activity consisting in offering goods or services on a given market is an economic activity. It follows that this is a very broad definition. </ref> If this is the case, does it broaden the definition of a legal entity underpinning [OWiG] paragraph 30? If so, does this mean that administrative fine proceedings can be brought directly against an undertaking and a fine imposed without the need to find that a natural and identified person committed an administrative offence?
-)   Does Article 83(4) to (6) of the GDPR incorporate into national law the functional concept of an undertaking and the principle of an economic entity (as defined by competition law in Articles 101 and 102 TFEU). If this is the case, does it broaden the definition of a legal entity underpinning [OWiG] paragraph 30? If so, does this mean that administrative fine proceedings can be brought directly against an undertaking and a fine imposed without the need for a finding that a natural and identified person committed an administrative offence?
+)  If the answer to Question 1 is affirmative, is Article 83(4) to (6) of the GDPR to be interpreted as meaning that the undertaking must have committed an obligation breach intentionally/negligently through an employee, or is the objective fact of an occurrence of a breach caused by it sufficient for a fine to be imposed on that undertaking (the principle of strict liability)?<ref>Strict liability is the imposition of liability on a party without a finding of fault or criminal intent.The claimant need only prove that the behaviour (in this case a breach) occurred and that the defendant was responsible.</ref>
-)  If the answer to Question 1 is affirmative, is Article 83(4) to (6) of the GDPR to be interpreted as meaning that the undertaking must have committed an obligation breach intentionally/negligently through an employee, or is the objective fact of an occurrence of a breach caused by it sufficient for a fine to be imposed on that undertaking (the principle of strict liability)?
+=== Holding ===
+The CJEU decided that an infringement of
-=== Holding ===
+On the first question,
-X
+On the second question,
 == Comment ==