
Group turnover as a benchmark for GDPR fines


CJEU ruling

The CJEU confirms the first question: the term “undertaking” in Art. 83 GDPR is to be interpreted within the meaning of Arts. 101 and 102 TFEU. The term therefore refers to an economic entity which, even if it is legally composed of several natural or legal persons, has permanent joint human, material and intangible resources to achieve a single economic purpose. For this reason, according to the answer to the second question, the maximum amount of a GDPR fine must be calculated on the basis of the total turnover of the entire economic entity in the preceding financial year.

In addition, the CJEU emphasises that when determining the fine, a distinction must be made between the maximum amount – which is generally based on the total turnover of the group – and the specific calculation of the fine actually to be imposed. The latter is carried out in each individual case by the competent supervisory authority. According to Art. 83(1) GDPR, each supervisory authority must ensure that the fine is effective, proportionate and dissuasive. In addition, Art. 83(2) GDPR requires authorities to take various individual factors into account when determining the fine. These include, among other things, the nature, gravity and duration of the infringement, the number of persons affected and the extent of the damage suffered.

The CJEU acknowledges that the criteria listed there do not expressly refer to the concept of “undertaking” within the meaning of Arts. 101 and 102 TFEU. However, the Court emphasises that a fine is only effective, proportionate and dissuasive if, in addition to the criteria set out in Art. 83(2) GDPR, the actual and material capacity of the undertaking concerned is also taken into account when determining the amount of the fine. The authority must therefore examine whether the addressee belongs to an undertaking within the meaning of Arts. 101 and 102 TFEU in order to determine the specific amount of the fine.
Recommendations for action for corporations and groups of companies

The ruling makes it clear that data protection risks should be considered across the entire group. It is therefore worthwhile to take a preventive and structured approach, not only to avoid GDPR violations, but also to be able to prove that all necessary steps have been taken in the event of legal proceedings.

  • Establish a central governance structure and define clear responsibilities. In our experience, a uniform policy with defined roles, reporting channels and reporting obligations reduces the risk of errors.

  • Document all evidence of technical and organisational measures, internal audits, risk assessments and incident response steps. This evidence can be helpful in proceedings and may influence the amount of the penalty.

  • Review intra-group contracts and liability arrangements. In practice, it is useful to establish clear contractual mechanisms for data transfers within the group.

  • When a sanction is imposed, check the actual economic capacity of the economic entity. A well-documented presentation of the financial circumstances is a decisive factor when it comes to demonstrating the proportionality and reasonableness of the sanction.

Conclusion

The CJEU ruling once again highlights the high financial risk for corporations: a data protection breach by an individual group company usually results in fines measured against the entire group. Although the proportionality test remains a protective mechanism, it only applies if companies can provide comprehensible evidence of their economic situation. The key is to have an established data protection organisation that spans the entire group. Companies that implement data protection in a structured manner with clear responsibilities can demonstrate in the event of proceedings that they have taken the necessary measures, thereby reducing the risk of fines.

  activeMind.legal
