Out-Law News 2 min. read
30 Aug 2023, 10:00 am
The EU’s highest court has been asked to clarify whether fines imposed on subsidiaries under the General Data Protection Regulation (GDPR) should be calculated with reference to the total revenue of the corporate group that they are a part of.
‘Undertakings’ can be fined up to €20 million, or up to 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the EU GDPR. A court in Denmark has asked the Court of Justice of the EU (CJEU) to determine what the meaning of ‘undertaking’ in the legislation is.
The case (8-page / 323KB PDF) has arisen following a dispute between the public prosecutor in Denmark and retailer ILVA A/S, which is part of the Lars Larsen Group.
Data protection law expert Jonathan Kirsop of Pinsent Masons said: “The decision could have a major impact for global businesses if a wide interpretation is given and the turnover of a global group is considered. There is room for doubt in the language. A wider interpretation could dramatically increase the fines that may be imposed.”
In February 2021, ILVA A/S was fined DKK 100,000 (€13,400) for negligently breaching data retention and accountability rules contained in the GDPR in respect of personal data belonging to no less than 350 000 former customers. The Aarhus District Court imposed the fine with reference to ILVA A/S’ turnover only – not that of the entire Lars Larsen Group. It considered that to fine ILVA A/S with reference to Lars Larsen Group’s turnover would run contrary to the principle of prosecution laid out in Denmark’s Administration of Justice Act.
According to a working document published by the CJEU, the Aarhus court said: “It would be contrary to the principle … to attach significance to circumstances related to another person, against whom no charges had been brought, when passing a stricter sentence. This applies in particular in a situation such as the present, where the defendant runs an independent retail business and where it is therefore not the case that the parent company has set up a subsidiary with the sole purpose of transferring the group’s data processing to it.”
The public prosecutor in Denmark has appealed that ruling to the High Court of Western Denmark. It has asserted that ILVA A/S’ GDPR infringements were intentional and believes the basis on which the Aarhus court imposed its fine is wrong. It wants the High Court of Western Denmark to impose a DKK 1.5 million (€200,000) fine on ILVA A/S based on the total turnover of the entire Lars Larsen Group, and it claims support for its arguments in the meaning of ‘undertaking’ under EU competition rules.
The High Court of Western Denmark has said that neither the Danish, English, German or French language versions of the GDPR are definitive on the meaning of ‘undertaking’ under the GDPR.
A recital in the GDPR states that “where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with [EU competition law set out in] Articles 101 and 102 TFEU for those purposes”, but it is non-binding. The European Data Protection Board (EDPB) has said (48-page / 783KB PDF) that it believes both the GDPR and EU case law supports the position that “the combined turnover of such undertaking as a whole can be used to determine the dynamic upper limit of the fine” to be imposed under the GDPR.
Seeking clarity on the matter, however, the High Court of Western Denmark has asked the CJEU whether the term ‘undertaking’ “covers any entity engaged in an economic activity, regardless of that entity’s legal status and the way in which it is financed”, as is how it is interpreted under EU competition law.
If the CJEU considers the answer to that question to be yes, the Danish court has further asked it to clarify whether regard must be had to the total worldwide annual turnover of the economic entity of which the undertaking forms part, or only the total worldwide annual turnover of the undertaking itself, when fines are to be imposed on an undertaking under the GDPR.
No date has yet been set for hearings before the CJEU. A judgment of the EU court is not expected for several months.