In judgment C‑807/21 in the Deutsche Wohnen case, the ECJ has ruled that companies can also be fined under the GDPR if no specific natural person has been identified as the author of the infringement, and that it does not matter whether the infringement was committed by an organ or representative of the company. A pointed criticism of this ruling, still based on the ECJ’s press release, was written by Christian Franz.
However, it remains a prerequisite that the violation was committed culpably:
73 A system of sanctions that makes it possible to impose a fine in accordance with Art. 83 GDPR if the specific circumstances of the individual case justify this creates an incentive for controllers and processors to comply with the GDPR. Due to their deterrent effect, fines contribute to greater protection of natural persons with regard to the processing of personal data. They are therefore a key element in ensuring that the rights of these individuals are safeguarded and are in line with the GDPR’s objective of ensuring a high level of protection for such individuals with regard to the processing of personal data.
74 However, the Union legislator has not considered it necessary to provide for fines to be imposed regardless of fault in order to ensure such a high level of protection. In view of the fact that the GDPR aims to achieve an equivalent and uniform level of protection and must therefore be applied uniformly throughout the Union, it would run counter to this objective to allow the Member States to provide for such a rule for the imposition of a fine under Art. 83 GDPR. Such freedom of choice would also be likely to distort competition between economic operators in the Union, which would run counter to the objectives set out by the Union legislator in recitals 9 and 13 of the GDPR, among others.
75 Accordingly, it should be noted that Art. 83 GDPR does not permit a fine to be imposed for an infringement referred to in Art. 83 (4) to (6) without it being proven that this infringement was committed intentionally or negligently by the controller. Consequently, a prerequisite for the imposition of such a fine is that the infringement was culpably committed.
However, the requirements for proof of fault are not high:
76 In this respect, with regard to the question of whether an infringement was committed intentionally or negligently and can therefore be punished with a fine pursuant to Art. 83 GDPR, it must be clarified that a controller can be sanctioned for conduct that falls within the scope of the GDPR if it could not have been unaware of the unlawfulness of its conduct, regardless of whether it was aware that it violated the provisions of the GDPR […].
As regards the attribution of fault, Deutsche Wohnen had argued (as had the referring court) that, under German administrative offense law, a fine could only be imposed if the violation was attributable to a member of the company’s governing body or a representative.
The ECJ rejects this in an extremely concise statement:
42 Thus, it follows from the wording and purpose of Art. 4 No. 7 GDPR that the Union legislator did not distinguish between natural and legal persons when determining liability under the GDPR, since the only condition for this liability is that these persons alone or jointly with others decide on the purposes and means of the processing of personal data.
43 Subject to the provisions of Art. 83 (7) GDPR regarding public authorities and bodies, any person who meets this requirement – regardless of whether they are a natural or legal person, a public authority, agency or other body – is therefore liable for, among other things, any infringement referred to in Art. 83 (4) to (6) GDPR committed by them or on their behalf.
44 With regard to legal persons, this means […] that they are not only liable for breaches committed by their representatives, managers or directors, but also for infringements committed by any other person acting in the course of business activities and on behalf of these legal entities. […]
The Advocate General had emphasized this in his Opinion, combined with the assertion that
58 In reality, those natural persons form and define the will of the legal person by expressing it through individual and concrete acts. These individual acts, as a concrete expression of that will, are ultimately attributable to the legal entity itself.
59 The same applies, finally, to natural persons who are not themselves representatives of a legal person but who act under the supervision of those who are representatives of the legal person and who have exercised insufficient supervision or control over the first-mentioned persons. Ultimately, imputability leads to the legal person itself, to the extent that the breach by the employee acting under the supervision of their management bodies is due to a deficiency in the control and monitoring system for which the management bodies are directly responsible.
Nor is it required that the natural person in question be identified:
46 It therefore follows from the combination of Art. 4 No. 7, Art. 83 and Art. 58(2)(i) GDPR that a fine for an infringement pursuant to Art. 83(4) to (6) GDPR can also be imposed on legal persons, provided that they have the status of a controller. In contrast, there is no provision in the GDPR that makes the imposition of a fine on a legal person as the controller dependent on it being established beforehand that this infringement was committed by an identified natural person.
In doing so, the ECJ essentially establishes a causal liability of companies for the conduct of all employees, and probably not only of employees but of all persons acting “on their behalf” in general, as long as fault can simply be assumed. The ECJ has not demanded that a lack of due diligence in the organization of the company and in internal control be proven; rather, it tacitly assumes that an infringement in the company could not have come about in any other way than through a lack of organization, which is thus a fiction.
According to this logic, the controller would then also have to be liable for every processor: the processor and its employees also act on behalf of the controller as long as the processor does not, by exceeding its duties, become a controller in its own right, and here too it can be argued that a breach is the result of a lack of a control and monitoring system. One may ask whether this is contradicted by the processor’s own liability for fines, but probably not: the processor is only liable for violations of provisions that apply to it, while the controller is liable for all others as well. If the controller were not liable for the conduct of the processor and all of its employees, the ECJ could easily see a gap in legal protection here as well.
A way out of this overly strict liability for fines could at least be seen in the fact that the ECJ requires that the natural persons at fault, even if they cannot be identified, must act on behalf of the company. This should no longer be the case if they deliberately violate data protection law: in that case, the employee in question is acting on their own initiative and no longer on behalf of the company, which is why that employee is actually the controller. However, the ECJ appears to be under the misconception that a breach within the company per se proves a deficiency in the organization, which is of course wrong.
The Member States, naturally, may not deviate from the above rules either:
48 However, the fact that the GDPR allows the Member States to provide for requirements regarding the procedure to be applied by the supervisory authorities when imposing a fine does not mean that they are also authorized to provide for substantive requirements in addition to those set out in Art. 83(1) to (6) GDPR. Furthermore, the fact that the Union legislator has specifically and expressly provided for this possibility, but not for the possibility of laying down such additional substantive conditions, confirms that it has not left the Member States any discretion in this respect. Union law therefore applies exclusively to these substantive conditions.
Finally, the ECJ confirms that, for the purposes of determining the amount of the sanction, the company’s turnover is to be determined on the basis of the concept of an undertaking under antitrust law:
59 Therefore, if a supervisory authority, by virtue of its powers pursuant to Art. 58 (2) GDPR, decides to impose a fine pursuant to Art. 83 GDPR on a controller that is an undertaking within the meaning of Art. 101 and 102 TFEU or belongs to such an undertaking, it is obliged, in the light of recital 150 of the GDPR, to base the calculation of the fines for the infringements referred to in Art. 83 (4) to (6) GDPR on the term “undertaking” within the meaning of Art. 101 and 102 TFEU.