Under what specific conditions can GDPR fines be imposed on controllers? Is it necessary for individual members of management to have known about the offence or even to have acted themselves? Two long-awaited rulings by the CJEU provide a little more clarity, even though the judgments are unlikely to be to the liking of many data controllers (judgments of 5 December 2023, ref.: C-683/21 and C-807/21).
Questions referred to the CJEU
In the cases of the Lithuanian National Centre for Public Health (Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos) against the Lithuanian Data Protection Authority (Valstybinė duomenų apsaugos inspekcija) and Deutsche Wohnen SE against the Public Prosecutor’s Office Berlin, the CJEU was asked by the respective national courts to clarify some fundamental questions:
- Who is the “controller” (the responsible party) in the relevant sense, especially when working with other organisations?
- Does a fine require that the underlying offence can be attributed to a specific person, and must this person belong to the management level?
- Is culpability necessary?
Judgment of the CJEU
The court, understandably, proceeds from the definition in Art. 4(7) GDPR. Accordingly, the controller is the person who, alone or jointly with others, decides on the purposes and means of the processing of personal data. It is therefore not a question of who actually carries out the processing. The controller is the person who influences the processing in their own interest and at least participates in the decision on its purposes and means. Whoever decides that data is processed, and how, is the controller.
Controllership therefore also exists where another body is prompted to process data. It is sufficient that the data is processed on the decision and at the instigation of the controller, in its name or in its interest. It is irrelevant whether the controller itself ever comes into contact with the data.
It is also not relevant whether any arrangement has been agreed between the parties involved. This applies even where a contractual arrangement would be mandatory, for example in the case of joint controllers or data processors.
Question of guilt
The court makes it clear that a fine can only be imposed if the controller is at fault. However, it also clarifies that no special or particularly high requirements are placed on this culpability: intent is not necessary, negligence is sufficient.
It is also sufficient that the breach can reasonably be attributed to the controller as an organisation. It is not relevant whether persons at management level acted or even had knowledge of the process, nor is it necessary to know who specifically committed the offence. The decisive factor is that the offence could have been prevented with appropriate care.
In plain language: the GDPR recognises a general organisational fault, a concept that is largely unknown in German legal practice in particular.
Fault can also be attributed across organisations: anyone who uses data processors can be fined if the processor commits a breach that can be attributed to the controller and could have been prevented with due diligence.
Data protection assessment
With these judgments, the CJEU makes it clear that the threat of fines should be taken as seriously as was feared when the GDPR was introduced. Anyone who cannot demonstrate that they have their data protection processes under control, or who does not attend to them at all, can be held liable. This applies both in-house and in relation to service providers.
All organisations should therefore urgently check, now at the latest, whether
- all data protection-relevant processes are established with a sufficient degree of maturity, and
- all cooperation with other organisations is defined to the necessary extent and appropriately monitored.
Only if the processes relevant to the violation were correctly defined and actually implemented, and checks and necessary corrections were carried out, is there no fault. If, despite all proper efforts, something still goes wrong in an exceptional case, there is at least no risk of a fine.
It is therefore high time to set up a complete data protection management system (DSMS) rather than relying on fig-leaf solutions.