27.02.2025

Corporate group liability for breaches of GDPR rules by its subsidiaries

The decision of the CJEU delivered in Case C-383/23 - Anklagemyndigheden v ILVA A/S, dated February 13, 2025, clarifies the meaning of the notion of "undertaking" for the purposes of applying the sanctions provided for by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR"), drawing in this regard on the interpretation of the notion in competition law.

The main litigation concerned the fine imposed on the Danish company ILVA A/S, part of a corporate group, for failure to comply with its obligations as a data controller under the GDPR. The public prosecutor sought a fine of DKK 1.5 million, approximately €201,000, calculated on the basis of both the turnover of ILVA A/S and the overall turnover of the group. The national court decided to impose a fine of DKK 100,000 (approximately EUR 13,400), taking the view that the fine should be based only on the turnover of ILVA A/S and not on the turnover of the group as a whole, given that only the subsidiary company was the subject of the criminal prosecution, that it carries on an independent activity and that it was not set up by the parent company solely for the purpose of processing data for the group. The hearing of the appeal in this case was suspended by the Court of Appeal, which referred the matter to the CJEU for a preliminary ruling, requesting clarification of the meaning of the concept of 'undertaking' in Article 83(4) to (6) GDPR.

The purpose of the requested clarification was to ascertain whether the meaning of that concept in competition law would also be applicable to the protection of personal data and, if so, whether the imposition of a fine on a personal data controller would require the overall turnover of the whole group of which it forms part to be taken into account.

In its judgment, the CJEU started from the premise that the notion of 'undertaking' is specific to EU competition law, having established in its previous case law that competition rules (laid down in Articles 101 and 102 of the Treaty on the Functioning of the European Union) do not influence the possibility and conditions for imposing a fine on a legal person under the GDPR (which sets out its own rules on the application of sanctions in Art. 58(2) and (3) and Art. 83(1)-(6) of the GDPR). On the other hand, the notion of 'undertaking' as defined in competition law will influence the maximum threshold to which the competent court or authority will refer for the purpose of calculating the fine actually imposed for a breach of the GDPR. Thus, under the GDPR, the maximum amount of a fine to be imposed on a company which is a data controller and which is part of a group of companies will be related to the turnover of the whole group.

In so doing, the CJEU applied by analogy the interpretation of the notion of 'undertaking' in EC competition law. Therefore, strictly for the purposes of the upper limit of a fine imposed under the GDPR, the term "undertaking" will be taken to mean "any entity engaged in an economic activity, regardless of the legal status of the entity and the way in which it is financed", regardless of whether "it is made up of several natural or legal persons".

In addition to this interpretation, the Court made a distinction between the maximum threshold of a fine and the fine actually imposed, the calculation of which must take into account a complex set of aspects, such as the nature of the act of infringement of the GDPR, the form of guilt and gravity of the infringement, the number of data subjects, the damage caused and the measures taken by the data controller to mitigate the damage. It also established the need for the fine imposed on the data controller to be 'effective, proportionate and dissuasive', as required by Article 83(1) of the GDPR. The fulfillment of these conditions with regard to the fine imposed for a breach of the GDPR requires taking into account both the totality of the aspects of the sanctioned act and the real economic capacity of the data controller concerned. Where appropriate, the assessment of this capacity will take into account the fact that the recipient is part of a corporate group.

The Advocate General's Opinion in this case also raised the question of the distinction between the maximum fine and the fine actually imposed. In this regard, as regards the interpretation of the concept of 'undertaking' in competition law, the Opinion mentions the predominantly economic purpose of the competition rules, where the economic value of the undertaking is important for the very purpose of determining the gravity of the infringement penalized. By contrast, in the field of data protection, the main objective of the GDPR is the protection of personal data and the economic value of the undertaking serves a different purpose. Therefore, the Court has previously limited in its case law the interference of competition law rules with data protection strictly as regards the maximum threshold of the fine that can be imposed under the GDPR.

In conclusion, the CJEU has established in its judgment that, in the case of a breach of the GDPR committed by a subsidiary belonging to a group of companies, for the purposes of calculating the maximum amount of the fine, the rules of competition law will apply by analogy, in the sense that this amount will be based on the turnover of the whole group and not on the turnover of the subsidiary. However, this ceiling is not the same as the fine that will actually be imposed, the latter having to comply with the requirement of proportionality in relation to the punishable act and to take into account a whole set of aspects relating to the act.

An article signed by Mircea-Bogdan Popescu, Partner (bpopescu@stoica-asociatii.ro) and Diana Mădălina Albu, Junior Lawyer (dalbu@stoica-asociatii.ro) - STOICA & ASOCIAȚII
