
The CJEU has decided that the maximum thresholds for GDPR fines should be calculated using the global turnover of the broader corporate group, not solely the infringing entity.
By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth
The penalties provisions of the EU General Data Protection Regulation (GDPR) include a framework for the calculation of the fines that may be imposed on infringing organisations by national supervisory authorities and national courts. This framework sets out various factors that authorities must account for when calculating fines for GDPR violations, and sets maximum fine thresholds. According to the provisions, these maximum fine thresholds are determined by reference to the total worldwide annual turnover of an “undertaking”. For instance, fines may go up to the greater of €10 million or 2% of the undertaking’s total worldwide annual turnover, or €20 million or 4% of the undertaking’s total worldwide annual turnover, depending on the specific violations. The meaning of an undertaking — referring either solely to the legal entity/entities against which the fine is imposed or to a broader corporate group concept — is therefore a material element in the determination of the maximum fine.
CJEU Decision
In case C-383/23 ILVA A/S, the Court of Justice of the European Union (CJEU) confirmed that an undertaking for the purposes of calculating GDPR fines should be interpreted in line with EU competition law. Therefore, an undertaking can encompass the entire economic unit and not only the legal entity/entities in respect of which the fine is imposed. The CJEU has primarily based this decision on recital 150(3) of the GDPR, which states that the term “undertaking” should be interpreted in line with Articles 101 and 102 of the Treaty on the Functioning of the European Union for fine determination purposes. According to the CJEU, this interpretation applies regardless of the level of involvement or responsibility of the other entities within the group in relation to the GDPR violation. In this regard, the CJEU deviates from the opinion of the Advocate General, who opined that group liability could only be considered if the parent company was involved in the relevant GDPR violation. The judgment affirms the approach indicated by the CJEU in obiter comments in case C-807/21 Deutsche Wohnen.
Calculation of Fines
The CJEU makes a distinction between the calculation of the maximum fine threshold and the determination of the final amount of the fine. The undertaking concept is relevant to that maximum fine threshold, with the court confirming that the calculation should be based on the worldwide annual turnover of the entire economic unit. Calculation of the maximum fine threshold is, however, only one of a number of steps/considerations in determining the final fine. Supervisory authorities are also required to take into account the various factors set out in the GDPR in relation to the specific GDPR infringement, including the nature, gravity, and duration of the violation; the level of damage suffered by the impacted individuals; and whether the infringement was committed deliberately or negligently. They must also ensure that the final fine amount is effective, proportionate, and dissuasive; the CJEU emphasizes the need for supervisory authorities to consider the economic standing of the undertaking (the entire economic unit) when assessing this aspect of the final fine amount.
Impact on Organisations
The CJEU’s conclusions may raise concerns for organisations subject to the GDPR that are part of corporate groups with large global revenues, and may ultimately result in larger fines being issued against individual members of high-revenue corporate groups in respect of GDPR violations.
Competent authorities and national courts enforcing other EU digital regulations, such as the Artificial Intelligence Act, Digital Services Act, and Data Act — which refer to the concept of an undertaking in various contexts — could also potentially seek to follow the CJEU’s approach and rely on the EU competition law concept of an undertaking (the entire economic unit) for fining purposes. However, unlike the GDPR, those other EU digital regulations do not contain references to EU competition law in relation to the meaning of an undertaking or determining fines.