The CJEU applies the concept of economic entity to a breach of the GDPR

 The Court of Justice of the European Union was asked about the concept of an undertaking, in the presence of a parent company and its subsidiary, for the determination of the amount of the administrative fine imposed for a breach of the General Data Protection Regulation. 

In this case, Ilva, a subsidiary of the Lars Larsen Group, is being sued by the Danish authorities for having breached its obligations under the General Data Protection Regulation (GDPR) in its capacity as controller of personal data, in connection with the retention of the data of at least 350,000 former customers.

To sanction the subsidiary, the data protection authority in Denmark initially justified the amount of the sanction by taking into account the overall turnover of the Lars Larsen Group, which had the effect of severely sanctioning the subsidiary. An action was brought before the competent Danish court, which rejected the use of the group's aggregate turnover and reassessed the fine at 13,400 euros.

The Public Prosecutor's Office appealed this judgment, considering that "the term 'company' in Article 83 (4) to (6) of the GDPR must be understood in the sense that, in order to set a fine in the event of a breach of the GDPR by a company, reference must be made to the turnover of the group of which that company is a part. It follows from recital 150 of the GDPR that this term must be understood in accordance with Articles 101 and 102 TFEU" (paragraph 13).

As a reminder, recital 150 of the GDPR provides that "When administrative fines are imposed on a company, this term must, for this purpose, be understood as a company in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union".

It is in this context that the Court of Justice of the European Union is asked whether the concept of an undertaking should be understood as an "economic entity", as is the case in competition law, and if so, whether this understanding should lead the judge to calculate the amount of the fine from the total annual turnover of the group or that of the subsidiary.

As a reminder, the concept of "economic entity" invites us to consider the company as an economic unit, even if, from a legal point of view, this unit consists of several natural or legal persons. This economic unit consists of a unitary organization of personal, tangible and intangible elements pursuing a determined economic goal on a lasting basis (judgment of 5 December 2023, Deutsche Wohnen, C-807/21).

In answering this question, the Court of Justice of the European Union held that Article 83 (4) to (6) of the GDPR, read in the light of recital 150 of that Regulation, must be interpreted as meaning that the term "undertaking" in those provisions corresponds to the concept of "undertaking", within the meaning of Articles 101 and 102 TFEU, so that, where a fine for breach of Regulation 2016/679 is imposed on a controller of personal data, which is or forms part of an undertaking, the maximum amount of the fine is determined on the basis of a percentage of the total worldwide annual turnover of the preceding financial year of the undertaking. In this regard, the CJEU specifies that the concept of "undertaking" must be taken into account when assessing the real or material economic capacity of the recipient of the fine and thus verifying whether the fine is at the same time effective, proportionate and dissuasive (paragraph 36).

Thus, by this judgment, the CJEU seems to favour extending this definition of company, specific to competition law, to sanctions resulting from non-compliance with the GDPR, with the aim of guaranteeing the effective, proportionate and dissuasive nature of the fine.

References: CJEU 13 February 2025 / No. C-383/23 
