DPL Consult Data Protection Agency

The concept of an organisation in the GDPR

The two decisions of the European Court of Justice (ECJ) of 5 December 2023 (Case C-807/21) and 8 February 2025 (Case C-383/23) are among the most important rulings on the law on fines under the General Data Protection Regulation (GDPR). They concern a question that is of enormous practical importance for companies: Who is actually considered an "undertaking" under data protection law - just the individual company or the entire group - and what consequences does this have for data protection fines?

The judgement of 5 December 2023 concerned a very high fine imposed by the Berlin data protection authority on a large real estate company. The point of contention was not so much the underlying data protection offence as the legal basis for the sanction. Under German administrative offences law, the principle has long applied that a legal entity can only be fined if culpable conduct can be proven on the part of a specific manager. The ECJ has clearly rejected this view. It found that the GDPR's system of fines is autonomous under EU law and cannot be made dependent on national attribution rules. Rather, the decisive factor is whether an "undertaking" within the meaning of EU law has committed a data protection offence. This concept of an undertaking is to be understood functionally and originates from EU antitrust law. It covers any economic entity, regardless of how many legally independent companies it consists of. A corporate group as a whole can therefore be the addressee of a fine without the need to prove individual fault on the part of a specific natural person.

This also touched on a second question that is particularly relevant in practice: What does the GDPR's fine limit of up to two or four per cent of annual global turnover refer to? The ECJ has clarified that this percentage can refer to the turnover of the entire company in a functional sense, i.e. the group turnover. The judgement of 2023 has thus opened the door to significantly higher fines and brought data protection sanctions law closer to antitrust law.

The ECJ ruling of 8 February 2025 follows on from this line and clarifies it further. It also concerned the interpretation of the term "undertaking" in connection with the calculation of GDPR fines. The ECJ has confirmed its case law from December 2023 that the economic entity is decisive for determining the statutory upper limit. What is new is that the Court has made it even clearer that this approach follows from the GDPR itself, in particular from Recital 150, which states that the supervisory authorities have no discretion to limit the scope of fines to the individual subsidiary alone when it is a group company. The functional concept of an undertaking is a binding standard, not merely an option.

The two judgements have significant practical consequences. Under the GDPR, it is not possible to isolate data protection risks to individual subsidiaries or to "outsource" them organisationally. Violations at an operational level can have financial consequences that affect the entire group. This increases the pressure to establish group-wide data protection compliance structures, define clear responsibilities and enforce uniform standards.
