On February 13, 2025, the European Court of Justice (ECJ) issued a ruling in case C-383/23 that could have far-reaching consequences for the calculation of fines under the General Data Protection Regulation (GDPR). At the heart of the decision was the question of whether the term "undertaking" in Art. 83 (4) to (6) GDPR should be interpreted in the sense of EU competition law. If so, the total turnover of a group of companies could be taken into account when assessing a fine if a subsidiary violates the GDPR.
Background to the case
The case concerns the Danish furniture store chain ILVA A/S, a subsidiary of the Lars Larsen Group. ILVA has been charged by the Danish public prosecutor's office with a breach of the General Data Protection Regulation (GDPR). The company is alleged to have stored personal data of at least 350,000 former customers for an unreasonably long period of time. This is alleged to have been done without a lawful basis and contrary to the requirements of the GDPR regarding data minimization and storage limitation.
Following an investigation, the Danish Data Protection Agency (Datatilsynet) came to the conclusion that the breach was serious. It recommended a fine of DKK 1.5 million (approx. EUR 201,000). The calculation of this fine was not based only on ILVA's turnover, but included the total turnover of the parent company Lars Larsen Group. The authority argued that the economic unit was decisive for the amount of the fine. A deterrent effect could only be guaranteed if the fine was based on the entire group turnover.
However, the court of first instance, Ret i Aarhus (Aarhus Court, Denmark), significantly reduced the fine to DKK 100,000 (approx. EUR 13,400). It based this decision on the fact that only ILVA as a legal entity was the subject of the proceedings and not the entire group. The court also assumed that ILVA had acted negligently but not intentionally in this case.
The Danish public prosecutor appealed against this judgment to the Vestre Landsret (Regional Court for Western Denmark). It argued that the term "undertaking" in Art. 83 (4) to (6) GDPR should be interpreted in accordance with the concept of undertaking under EU law. Accordingly, the total turnover of the economic entity, i.e. the group, must be taken into account when calculating the fine. This ultimately led to the case being referred to the ECJ in order to obtain a binding clarification of this legal issue.
These legal issues came before the ECJ
The Vestre Landsret referred two key questions to the ECJ for a preliminary ruling:
- Is the term "undertaking" in Art. 83 (4) to (6) GDPR to be understood in accordance with EU competition law, i.e. does it include any economic entity regardless of its legal form?
- If so, must the entire annual turnover of the economic entity be taken into account when calculating the fine or only the turnover of the specific subsidiary?
ECJ: "Undertaking" to be interpreted in accordance with competition law
The ECJ ruled that the term "undertaking" in Art. 83 (4) to (6) GDPR must be interpreted in accordance with competition law. The Court thus follows its previous case law on corporate liability under competition law in accordance with Art. 101 and 102 TFEU.
In its detailed grounds for the ruling, the ECJ emphasized that the GDPR should not be viewed in isolation. It must be understood in the context of EU economic legislation. This means that the term "undertaking" is not limited to individual legal entities, but encompasses the entire economic entity, which may also include parent companies and subsidiaries.
The ECJ also clarified that a fine for a GDPR infringement cannot be calculated solely on the basis of the turnover of the directly responsible subsidiary. Rather, the total turnover of the group is relevant if the company concerned is an integral part of the economic unit and the parent company influences its business decisions.
A central aspect of the ruling was the question of whether and to what extent economic reality takes precedence over the formal legal structure. The Court confirmed that the principle of the "economic unit" is already enshrined in EU competition law and applies equally to the application of the GDPR. This prevents companies from obtaining lower fines through complex internal structuring.
Finally, the ECJ addressed the impact on the deterrent effect of fines under the GDPR. A fine that only takes into account the turnover of a subsidiary could represent a relatively low sanction for large groups and therefore not have the desired deterrent effect. A group-wide approach is therefore necessary to ensure that fines are proportionate and effective.
ECJ is pragmatic in its reasoning
With its ruling, the ECJ is pursuing a pragmatic approach that is intended to ensure effective implementation of the GDPR without neglecting the rights of the companies concerned.
The ECJ's reasoning is based on the following arguments:
- Harmonization purpose of the GDPR: The GDPR pursues the goal of uniform application of data protection law throughout the European Union. To ensure this, fines must not only be effective and proportionate, but also have a deterrent effect. The ECJ emphasized that large corporations must be prevented from circumventing the fine provisions through clever corporate structuring and thereby receiving lower fines.
- Parallels under competition law: The ECJ based its decision on the concept of an undertaking under EU law in accordance with Art. 101 and 102 TFEU. According to this understanding, an economic entity is regarded as a whole, regardless of how many legal persons it consists of. This means that the economic reality is placed above the formal legal structure. This is intended to prevent companies from evading liability by dividing responsibility internally.
- Deterrent effect of sanctions: The Court emphasized that a fine based solely on the turnover of the directly affected subsidiary often represents a negligible economic burden for large multinational companies. In order to ensure a sufficient deterrent effect, the turnover of the entire economic unit must therefore be taken into account. This would also prevent groups from undermining the GDPR sanction mechanisms by creating numerous small subsidiaries.
- Principle of proportionality: At the same time, the ECJ clarified that the principle of proportionality must always be observed when calculating the fine. This means that the highest fine is not automatically applied, but that all individual circumstances of the case must be taken into account, such as the type, severity and duration of the infringement as well as the company's willingness to cooperate with the supervisory authorities.
Effects on corporate practice
The ECJ's decision has far-reaching implications for the calculation and imposition of fines under the GDPR. It entails significant changes, particularly for internationally operating companies and groups. The main consequences can be divided into several key aspects:
- Extended liability for corporate groups: The confirmation of the economic unit principle means that parent companies are potentially more liable for data protection breaches committed by their subsidiaries. Breaches are considered not only at company level but also at group level, which significantly increases the risk exposure for groups of companies.
- Increased fines: As the total turnover of the economic entity can be used as the basis for calculating fines, penalties could be significantly higher in practice than before. This can have considerable financial consequences, particularly for large multinational companies with high total turnover.
- New compliance strategies: Companies must pay greater attention to ensuring that all subsidiaries comply with strict data protection guidelines. This means that data protection management must be systematically extended to entire corporate groups. Internal audit mechanisms and control structures will become increasingly important in order to prevent group-wide breaches.
- Increased pressure on corporate structures: Corporate groups need to define their internal responsibilities more clearly and ensure that GDPR compliance is not limited to a single legal entity. The case law could lead companies to rethink their group structure in order to better manage risks.
- Harmonization of sanctions within the EU: By referring to competition law, the ECJ is creating greater harmonization of sanctions for GDPR violations throughout the European Union. This ensures a more uniform application of the provisions and prevents individual member states from imposing more lenient sanctions through different interpretations.
- Stronger deterrent for companies: The decision ensures that data protection violations can no longer be settled with comparatively low penalties. Companies must now ensure that data protection compliance remains a central element of corporate governance in order to avoid high financial penalties.
Conclusion
The ECJ ruling in case C-383/23 represents a significant milestone in the enforcement of the GDPR and considerably strengthens the effectiveness of data protection regulations in the European Union. The decision shows that the principles of competition law can also be applied to data protection sanctions in order to ensure effective and fair punishment of infringements.
The inclusion of group turnover as a basis for calculating fines ensures that even large corporate groups are held appropriately accountable for data protection violations. This prevents groups from being able to avoid or minimize penalties through clever internal structuring. The decision therefore helps to establish a uniform and fair application of the GDPR throughout the EU.
In addition, the ruling sends a clear signal to companies that data protection violations can have serious financial consequences. The deterrent effect of this ruling will motivate companies to integrate data protection compliance even more strongly into their business strategies and ensure that all subsidiaries comply with the requirements of the GDPR.
Overall, the ruling helps to strengthen the enforcement of the GDPR by setting clear standards for the assessment of fines and encouraging companies to view data protection as a key legal and ethical obligation. This decision will undoubtedly have a long-term impact on the design of data protection policies and corporate structures.