Administrative Fines: Corporate Liability under the GDPR

Following the decision of the European Court of Justice (ECJ) in Case C-807/21 (Deutsche Wohnen) on 5 December 2023, the Berlin Court of Appeal (KG) continued the proceedings and referred the case back to the Regional Court by order of 22 January 2024.
The reasons for the decision are noteworthy: the KG very clearly implements the ECJ’s ruling and confirms that a fine can be imposed on a company if it qualifies as a controller for data processing. With reference to the ECJ, it emphasizes several times that a breach by an identified natural person is not required. The liability of associations already laid down in the ECJ ruling is fully taken up by the KG. However, the KG’s comments on fault are sparse. The ECJ had expressly upheld this requirement, even though the requirements for this already appeared to have been significantly reduced by the ECJ. The KG continues this by emphasizing that all persons who act within the framework of the entrepreneurial activity fall within the abstract scope of responsibility of the legal entity and that even an organization that complies with the standard – at least as a rule – does not lead to exculpation. This would be in line with the principle of effectiveness of European law (para. 14). The KG then later substantiates the reference to “the rule” somewhat when it speaks of “reduced possibilities of exculpation”, para. 15. It therefore remains to be seen how the case law on fault will develop within the framework of the “depersonalized” corporate liability that is now to be assumed. However, the risk of fines for companies is likely to increase further in the future.