ECJ in the case of Deutsche Wohnen: Causal liability of companies for conduct within the organization

In Judgment C‑807/21 in the case of Deutsche Wohnen, the ECJ decided that companies can also be fined under the GDPR if no specific natural person was identified as the author of the infringement, and that it also does not matter whether the infringement was committed by an organ or representative. A pointed criticism of this ruling – still based on the ECJ’s media release – was published by Christian Franz.

However, this presupposes that the violation was committed culpably:

73 A system of sanctions that makes it possible to impose a fine in accordance with Art. 83 GDPR if the specific circumstances of the individual case justify this creates an incentive for controllers and processors to comply with the GDPR. Due to their deterrent effect, fines contribute to greater protection of natural persons with regard to the processing of personal data. They are therefore a key element in ensuring that the rights of these individuals are safeguarded and are in line with the GDPR’s objective of ensuring a high level of protection for such individuals with regard to the processing of personal data.

74 However, the Union legislator has not considered it necessary to provide for fines to be imposed regardless of fault in order to ensure such a high level of protection. In view of the fact that the GDPR aims to achieve an equivalent and uniform level of protection and must therefore be applied uniformly throughout the Union, it would run counter to this objective to allow the Member States to provide for such a rule for the imposition of a fine under Art. 83 GDPR. Such freedom of choice would also be likely to distort competition between economic operators in the Union, which would run counter to the objectives set out by the Union legislator in recitals 9 and 13 of the GDPR, among others.

75 Accordingly, it should be noted that Art. 83 GDPR does not permit a fine for an infringement referred to in Art. 83 (4) to (6) without it being proven that this infringement was committed intentionally or negligently by the person responsible. Consequently, a prerequisite for the imposition of such a fine is that the infringement was culpably committed.

However, no high requirements are placed on the proof of fault:

76 In this respect, with regard to the question of whether an infringement was committed intentionally or negligently and can therefore be punished with a fine pursuant to Art. 83 GDPR, it must be clarified that a controller can be sanctioned for conduct that falls within the scope of the GDPR if he could not have been unaware of the unlawfulness of his conduct, regardless of whether he was aware that it violates the provisions of the GDPR […].

As regards the attribution of fault, Deutsche Wohnen had argued (as did the referring court) that, under German administrative offense law, a fine could only be imposed if the violation was attributable to a member of the company’s governing body or representative.

The ECJ rejects this in an extremely concise statement:

42 Thus, it follows from the wording and purpose of Art. 4 No. 7 GDPR that the Union legislator did not distinguish between natural and legal persons when determining liability under the GDPR, since the only condition for this liability is that these persons alone or jointly with others decide on the purposes and means of the processing of personal data.

43 Subject to the provisions of Art. 83 (7) GDPR regarding public authorities and bodies, any person who meets this requirement – regardless of whether they are a natural or legal person, a public authority, agency or other body – is therefore liable for, among other things, any infringement referred to in Art. 83 (4) to (6) GDPR committed by them or on their behalf.

44 With regard to legal persons, this means […] that they are not only liable for breaches committed by their representatives, managers or directors, but also for infringements committed by any other person acting in the course of business activities and on behalf of these legal entities. […]

The Advocate General had emphasized this in his motions, combined with the assertion that

58 In reality, those natural persons form and define the will of the legal person by expressing it through individual and concrete acts. These individual acts as a concrete expression of that will are ultimately attributable to the legal entity itself.

59 Finally, natural persons who are not themselves representatives of a legal person but who act under the supervision of those who are representatives of the legal person and who have exercised insufficient supervision or control over the first-mentioned persons. Ultimately, imputability leads to the legal person itself, to the extent that the breach by the employee acting under the supervision of their management bodies is due to a deficiency in the control and monitoring system for which the management bodies are directly responsible.

It is also not required that the corresponding natural person be identified:

46 It therefore follows from the combination of Art. 4 No. 7, Art. 83 and Art. 58(2)(i) GDPR that a fine for an infringement pursuant to Art. 83(4) to (6) GDPR can also be imposed on legal persons, provided that they have the status of a controller. In contrast, there is no provision in the GDPR that makes the imposition of a fine on a legal person as the controller dependent on it being established beforehand that this infringement was committed by an identified natural person.

In doing so, the ECJ is basically establishing a causal liability of companies for the conduct of all employees, and probably not only for them, but for all persons acting “on their behalf” in general, provided only that fault can be assumed. The ECJ has not demanded that a lack of due diligence in the organization of the company and internal control be proven; rather, it is tacitly assumed that an infringement in the company could not come about in any other way than through a lack of organization, which is thus fictitious.

According to this logic, the controller would then also have to answer for every processor: the processor and its employees also act on behalf of the controller as long as the processor does not become its own controller in excess of its duties, and here too it can be argued that a breach is the result of a lack of a control and monitoring system. One may ask whether this is contradicted by the processor’s own liability for fines, but probably not: the processor is only liable for violations of provisions that affect him, but the controller is also liable for all others. If the controller were not liable for the conduct of the processor and all of its employees, the ECJ could easily see a legal protection gap here as well.

One way out of this overly strict liability for fines could at least be seen in the fact that the ECJ requires that the natural persons at fault – even if they cannot be identified – must act on behalf of the company. This should no longer be the case if they deliberately violate data protection. In this case, the employee in question is acting on their own initiative and no longer on behalf of the company, which is why this employee is actually the controller. However, the ECJ suggests that it is under the misconception that a breach within the company per se proves a deficiency in the organization, which is of course wrong.

Naturally, the Member States also cannot deviate from the above rules:

48 However, the fact that the GDPR allows the Member States to provide for requirements regarding the procedure to be applied by the supervisory authorities when imposing a fine does not mean that they are also authorized to provide for substantive requirements in addition to those set out in Art. 83(1) to (6) GDPR. Furthermore, the fact that the Union legislator has specifically and expressly provided for this possibility, but not for the possibility of laying down such additional substantive conditions, confirms that it has not left the Member States any discretion in this respect. Union law therefore applies exclusively to these substantive conditions.

Finally, the ECJ confirms that, for the purposes of determining the amount of the sanction, the company’s turnover must be determined on the basis of the concept of an undertaking under antitrust law:

59 Therefore, if a supervisory authority, by virtue of its powers pursuant to Art. 58 (2) GDPR, decides to impose a fine pursuant to Art. 83 GDPR on a controller that is an undertaking within the meaning of Art. 101 and 102 TFEU or belongs to such an undertaking, it is obliged, in the light of the 150th recital of the GDPR, when calculating the fines for the infringements referred to in Art. 83 (4) to (6) GDPR, to base itself on the term “undertaking” within the meaning of Art. 101 and 102 TFEU.