CJEU clarifies responsibility and the question of fault for the imposition of fines

Under what specific conditions can GDPR fines be imposed on controllers? Is it necessary for individual members of management to have known about the offence or even to have acted themselves? Two long-awaited rulings by the CJEU provide a little more clarity, even though the judgments are unlikely to be to the liking of many data controllers (judgments of 5 December 2023, ref.: C683/21 and C807/21).

Questions referred to the CJEU

In the cases of the Lithuanian National Centre for Public Health (Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos) against the Lithuanian Data Protection Authority Valstybinė duomenų apsaugos inspekcija and Deutsche Wohnen SE against the Public Prosecutor’s Office Berlin, the CJEU was asked by the respective national courts to clarify some fundamental questions:

  • Who is the “responsible party” in the relevant sense, especially when working with other organisations?
  • Does a fine require that the underlying offence can be attributed to a specific person and must this person belong to the management level?
  • Is culpability necessary?


Judgment of the CJEU

Person responsible

The court understandably relies on the definition in Art. 4 No. 7 GDPR. Accordingly, the controller is the person who, alone or jointly with others, decides on the purposes and means of the processing of personal data. It is therefore not a question of who actually carries out the processing. The controller is the person who influences the processing in their own interest and at least participates in the decision on its purposes and means. Whoever arranges for data to be processed, and decides how it is processed, is responsible.

Responsibility therefore also exists if another body is prompted to process the data. It is sufficient that the data is processed on the decision and at the instigation of the controller, in their name or interest. Whether the controller ever comes into contact with the data itself is irrelevant.

It is not relevant whether any policy has been agreed between several parties. This applies even in cases where a contractual policy would be mandatory – for example in the case of joint responsibility or data processors.

Question of guilt

The court makes it clear that a fine can only be imposed if the person responsible is at fault. However, it also clarifies that no special or particularly high requirements are placed on this culpability. Intent is not necessary, negligence is sufficient.

It is also sufficient that the breach can be reasonably attributed to the controller as an organisation. It is not relevant whether persons from the management level acted or even had knowledge of the process. It is also not necessary for it to be known who specifically committed the offence. The decisive factor is that the offence could have been prevented with the appropriate care.

In plain language: the GDPR recognises a general organisational fault, a concept that is largely unknown, particularly in German legal practice.

Attribution of fault is also possible. Anyone who uses data processors can be fined if the data processor commits a breach that can be attributed to the controller and could have been prevented with due diligence.

Data protection assessment

With these judgments, the CJEU makes it clear that the threat of fines should be taken as seriously as was feared when the GDPR was introduced. Anyone who cannot prove that they have their data protection processes under control, or who does not attend to them at all, can be held liable. This applies both in-house and in relation to service providers.

All organisations should therefore urgently check now at the latest whether

  1. all data protection-relevant processes are established with a sufficient degree of maturity and
  2. all collaborations with other parties are defined to the necessary extent and are appropriately monitored.

Only if the processes relevant in the event of a violation were correctly defined and actually implemented, and checks and necessary corrections were carried out, is there no fault. If, despite all correct efforts, something goes wrong in exceptional cases, there is at least no risk of a fine.

It is therefore high time to set up a complete data protection management system (DSMS) and not just rely on fig leaf solutions.
