ECJ Rules: Companies Can Be Fined Under GDPR Without Proof of Management Culpability
The European Court of Justice (ECJ) delivered a landmark judgment on December 5, 2023, in the case of Deutsche Wohnen SE (Case C-807/21). The court ruled that companies can be fined under Article 83 of the General Data Protection Regulation (GDPR) even if there is no proof that the company's management body acted intentionally or negligently. This decision has significant implications for companies subject to the GDPR and raises important questions about compliance and potential fines.
Lower Bar for Fines
Previously, supervisory authorities needed to demonstrate that a specific individual within the company, often a member of the management body, had acted intentionally or negligently for the company to be fined. This made it difficult for authorities to impose fines, especially in cases where the infringement originated from lower levels within the organization.
Under the new ruling, the bar for imposing fines has been lowered significantly. Supervisory authorities now only need to prove that the infringement occurred, and it is no longer necessary to identify a specific individual responsible. This will make it easier for authorities to enforce the GDPR and hold companies accountable for data protection breaches.
Increased Liability for Companies
The ECJ's judgment also clarifies that companies are now liable for the actions of anyone acting on their behalf, not just employees and management. This means that companies can be fined for data protection breaches committed by third-party vendors, contractors, and other individuals who have access to personal data on the company's behalf.
This expanded liability creates a greater incentive for companies to carefully select and monitor their third-party providers and ensure that they have robust data protection measures.
Focus on Compliance
The ECJ's ruling underscores the importance of implementing effective compliance measures to prevent data protection breaches. Companies can no longer rely on simply having a GDPR compliance program on paper; they must ensure that the program is effectively implemented and enforced throughout the organization. This includes conducting regular data protection audits, providing training to employees and contractors, and having clear procedures in place for dealing with data breaches.
Potential for Higher Fines
As it becomes easier for supervisory authorities to impose fines, we can expect to see an increase in the average fine amount. This is because authorities will likely take a stricter approach to enforcement, and they will have more discretion in determining the appropriate level of fines.
Companies should be prepared for the possibility of facing significantly higher fines for data protection breaches. This should further incentivize them to take data protection compliance seriously.
The ECJ's judgment raises several important questions that will need to be addressed by companies and data protection authorities. These include:
- How can companies effectively implement compliance measures to prevent data protection breaches?
- What role do third-party providers play in data protection compliance?
- How will data protection authorities approach enforcement in light of the ECJ's judgment?
- What are the implications of the judgment for the future of the GDPR?
Companies should closely monitor the development of guidance from data protection authorities and legal experts to ensure that they are complying with the GDPR and mitigating the risks of fines.