Background of the CJEU Decision
On December 5, 2023, the Court of Justice of the European Union (CJEU) delivered a landmark judgment in the Deutsche Wohnen case (C‑807/21), which clarifies significant aspects of how fines are imposed under the General Data Protection Regulation (GDPR). This decision, following Advocate General Campos Sánchez-Bordona’s Opinion from April 2023, brings to light two critical points:
- GDPR Fines Independent of Individual Infringement: GDPR fines on a legal entity, acting as a controller, are not contingent on an infringement previously attributed to a natural person.
- Intention or Negligence as Criteria for Fines: A controller, whether a legal person or an undertaking, can be fined under GDPR if the penalized conduct was intentional or negligent.
The CJEU’s Perspective on “Undertaking”
The judgment emphasizes the definition of “undertaking,” meaning any entity engaged in economic activity, regardless of its legal status or how it is funded. This concept aligns with previous case-law (Sumal, C‑882/19) and covers a unitary organization of personal, tangible, and intangible elements pursuing a specific long-term economic aim. Consequently, GDPR fines are calculated based on the worldwide annual turnover of this “undertaking,” not merely that of the legal entity named as controller.
Implications for GDPR Compliance
The CJEU’s decision underscores the importance of intentionality and negligence in determining GDPR fines. This approach deviates from a strict liability standard, under which the mere fact of a breach could lead to penalties. Under this ruling, controllers are liable only where their conduct was intentional or negligent, that is, where they were aware of the infringing nature of that conduct.
The Role of Internal Documentation and Decision-Making
A key takeaway from the Court’s judgment is the significance of thorough internal documentation. Organizations should focus on:
- Data protection impact assessments
- Legitimate interest assessments
- Documentation of data breaches
- Assessments on data storage
- Choosing appropriate legal grounds for data processing
Well-documented decision-making processes can significantly reduce the risk of being sanctioned for unintentional non-compliance, because they provide evidence of the care the controller took when deciding how to process personal data.
How Xiphos Can Assist in GDPR Compliance
At Xiphos, we understand the complexities and nuances of GDPR compliance, especially in light of this recent CJEU ruling. Our specialized GDPR compliance consulting services include a comprehensive compliance roadmap, risk management strategies, support for Data Protection Officer (DPO) needs, and staff training in GDPR best practices. The goal is to ensure comprehensive data protection and regulatory compliance for organizations of all sizes that manage EU citizen data. Additional features include gap analysis, policy development, data processing audits, and incident response planning, all aimed at providing expert guidance on GDPR best practices.
For more detailed information, please visit ConsultX GDPR Compliance Consulting.
Conclusion
The CJEU’s ruling in the Deutsche Wohnen case is a pivotal moment in GDPR enforcement, highlighting the need for intentional and well-documented compliance efforts. For businesses looking to fortify their GDPR compliance and data protection strategies, Xiphos offers expert services to navigate these complex legal landscapes.
Ensure your business’s protection against data protection non-compliance with Xiphos’s expert services. Connect with us for comprehensive GDPR compliance solutions.