Legal experts have warned that a “landmark” ruling by the European Court of Justice (ECJ) could have major financial ramifications for organizations that breach the GDPR.
The judgement handed down yesterday involved German property company Deutsche Wohnen.
The firm was originally hit with a €14.5m ($15.7m) fine by the Berlin Data Protection Commissioner back in 2019 for retaining tenant data for longer than was necessary. However, the fine was overturned two years later by a local court, which ruled that the firm could not be held responsible unless blame could be attached to a specific individual or executive.
The ECJ found in favor of Deutsche Wohnen on the central point, holding that an organization can only have an administrative GDPR fine imposed on it if the infringement was committed intentionally or negligently. Yet by clarifying the law, the ruling could make it easier for authorities to levy fines in the future, argued Jan Spittka, partner at Clyde & Co.
He argued that the ruling effectively means a lack of knowledge by management is not a defense, and that organizations are liable both for infringements committed by their representatives, directors or managers and for those committed by any other person acting on their behalf.
Regarding whether an organization acts with negligence or intent, the court applied the standards established under EU competition and antitrust law – that it is sufficient that the organization “could not have been unaware of the unlawfulness of its conduct, regardless of whether it was aware that it was in breach of the provisions of the GDPR,” Spittka said.
This effectively lowers the bar for supervisory authorities to impose fines, as does the fact that organizations are now liable for infringements committed by anyone acting on their behalf.
“Today’s ECJ landmark decision on GDPR administrative fines in the case ‘Deutsche Wohnen’ strengthens enforcement of the EU GDPR as it lowers requirements for imposing fines on legal entities,” Spittka argued.
“The overall context of the decision will make it way easier for the data protection supervisory authorities of the EU member states to sanction legal entities and is also likely to result in significantly higher fines on average.”
Fines may be higher because the ECJ ruled that an infringing organization's fine can be calculated not only on its own turnover but also on the turnover of its parent company.
The ruling applies not only to organizations operating within the EU but also to those based outside it, such as in the US and UK, provided they have a subsidiary within the region, process personal data of individuals in the EU, or offer goods and services within the EU.