Prerequisite and assessment of fines

On 5. December 2023 the Court holds in the cases C-807/21 and respectively C-683/21 ( a data controller may not have an administrative fine imposed on it for an infringement of the GDPR unless that infringement was committed wrongfully, that is to say, intentionally or negligently. That is the case where the controller could not have been unaware of the infringing nature of its conduct, regardless of whether or not it was aware of the infringement.

Where the controller is a legal person, it is not necessary for the infringement to have been committed by its management body; nor is it necessary for that body to have had knowledge of that infringement. On the contrary, a legal person is liable both for infringements committed by its representatives, directors or managers, and for those committed by any other person acting in the course of the business of that legal person and on its behalf. Moreover, the imposition of an administrative fine on a legal person as a controller cannot be subject to a previous finding that that infringement was committed by an identified natural person.

Furthermore, a controller may also have a fine imposed on it in respect of operations performed by a processor, to the extent that the controller may be held responsible for such operations.
Lastly, as regards the calculation of the fine where the addressee is or forms part of an undertaking, the supervisory authority must take as its basis the concept of an ‘undertaking’ 2 under competition law. Thus, the maximum amount of the fine must be calculated on the basis of a percentage of the total worldwide annual turnover of the undertaking concerned, taken as a whole, in the preceding business year.
(Extract from the ECJ’s press release).