When imposing a GDPR fine, is the turnover of the individual company or the group of companies used as a reference framework? The European Court of Justice (CJEU) has made an important decision on this issue. We explain the consequences for corporations and groups of companies (judgment of 13 February 2025, ref.: C-383/23).
Facts of the underlying case
The background to the CJEU ruling was a Danish criminal case against ILVA A/S (part of the Lars Larsen Group). On the recommendation of the Danish Data Protection Authority, the Danish Public Prosecutor’s Office sought a fine of DKK 1.5 million (equivalent to approximately €201,000) against the company as the controller within the meaning of the General Data Protection Regulation (GDPR) for alleged violations of the GDPR. The Public Prosecutor’s Office based its calculation on the Lars Larsen Group’s group-wide turnover.
The competent court then reduced the penalty to DKK 100,000 (equivalent to approximately €13,400) on the grounds that only ILVA A/S was charged, that the company was engaged in independent retail activities and had therefore not been established solely for the purpose of processing personal data across the group.
The Public Prosecutor’s Office subsequently lodged an appeal with the regional court. It argued that the fine for a GDPR violation should be based on the turnover of the entire group. ILVA A/S rejected this view, as the charges were brought only against this company as such and not against the parent company. The Court of Appeal suspended the proceedings and referred the following questions to the CJEU for a preliminary ruling.
Firstly, the court wanted to know whether the term “undertaking” in Art. 83(4) to (6) GDPR is to be equated with the term “undertaking” used in Arts. 101 and 102 TFEU, so that it covers any entity engaged in an economic activity, regardless of its legal status.
Secondly, if the above question were to be answered in the affirmative, it had to be clarified which turnover should be used as the basis for calculating the GDPR fine: the total annual turnover of the undertaking or only the annual turnover of the specific company concerned?
CJEU ruling
The CJEU answers the first question in the affirmative. The term “undertaking” in Art. 83 GDPR is to be interpreted within the meaning of Arts. 101 and 102 TFEU. This means that the term “undertaking” refers to an economic entity which, even if it is legally composed of several natural or legal persons, has permanent joint human, material and intangible resources to achieve a single economic purpose.
For this reason, according to the answer to the second question, the maximum amount of a GDPR fine must be calculated on the basis of the total turnover of the entire economic entity in the preceding financial year.
In addition, the CJEU emphasises that when determining the fine, a distinction must be made between the maximum amount – which is generally based on the total turnover of the group – and the specific calculation of the fine actually to be imposed. The latter is carried out in each individual case by the competent supervisory authority.
According to Art. 83(1) GDPR, each supervisory authority must ensure that the fine is effective, proportionate, and dissuasive. In addition, Art. 83(2) GDPR requires authorities to take various individual factors into account when determining the fine. These include, among other things, the nature, gravity and duration of the infringement, the number of persons affected and the extent of the damage suffered.
The CJEU acknowledges that the criteria mentioned there do not expressly refer to the concept of “undertaking” within the meaning of Arts. 101 and 102 TFEU. However, the Court emphasises that a fine is only effective, proportionate, and dissuasive if, in addition to the criteria set out in Art. 83(2) GDPR, the actual and material capacity of the undertaking concerned is also taken into account when determining the amount of the fine. This means that the authority must examine whether the addressee belongs to an undertaking within the meaning of Arts. 101 and 102 TFEU in order to determine the specific amount of the fine.
Recommendations for action for corporations and groups of companies
The ruling makes it clear that data protection risks should be considered across the entire group. It is therefore worthwhile to take a preventive and structured approach, not only to avoid GDPR violations, but also to be able to prove that all necessary steps have been taken in the event of legal proceedings.
Establish a central governance structure and define clear responsibilities. In our experience, a uniform policy with defined roles, reporting channels and reporting obligations reduces the risk of errors.
Document all evidence of technical and organisational measures, internal audits, risk assessments and incident response steps. This evidence can be helpful in the process and may influence the amount of the penalty.
Review internal group contracts and liability regulations. In practice, it is useful to establish clear contractual mechanisms for data transfers within the group.
When imposing a sanction, check the actual performance of the economic entity. A well-documented presentation of the financial circumstances is a decisive factor when it comes to demonstrating the proportionality and reasonableness of the sanction.
Conclusion
The CJEU ruling once again highlights the high financial risk for corporations: A data protection breach by individual group companies usually results in fines for the entire group. Although the proportionality test remains a protective mechanism, it only applies if companies can provide comprehensible evidence of their economic situation.
The key is to have an established data protection organisation that spans the entire group. Companies that implement data protection in a structured manner with clear responsibilities can demonstrate that they have taken the necessary measures in the event of proceedings, thereby reducing the risk of fines.
