On Tuesday, the European Court of Justice issued a significant ruling that simplifies the process for imposing fines for GDPR violations. The decision is expected to streamline actions by data protection authorities, potentially leading to increased average fines.

The EU court’s decision stems from queries by national courts in Lithuania and Germany seeking guidance on penalizing data controllers. One case involves Deutsche Wohnen, a German real estate firm, facing off against Staatsanwaltschaft Berlin. In 2020, the Berlin Commissioner for Data Protection and Freedom of Information levied a €14.5 million penalty. In Lithuania, the National Public Health Centre is challenging a €12,000 fine for a COVID-19 data-tracking app.

According to German attorney Stefan Hessel, the ECJ’s ruling in the ‘Deutsche Wohnen’ case sets essential criteria for levying fines on companies for GDPR violations. “ECJ’s decision in the ‘Deutsche Wohnen’ case bolsters GDPR enforcement by relaxing criteria for fines on legal entities,” noted Jan Spittka, partner at Clyde & Co.
Under today’s ruling, a data controller may be fined for a breach when the infringement is committed intentionally or negligently. The threshold is met if the company, as a controller, could objectively recognize the unlawfulness of its actions, explained Hessel. Additionally, a controller may face fines for operations conducted by a processor if the controller can be deemed accountable. Lack of awareness of the infringement is not a justification, as the company is accountable for actions taken on its behalf. Imposition of fines does not depend on the company’s management body taking specific actions or having knowledge, clarified Hessel.

The ruling simplifies the imposition of fines by data protection authorities, potentially leading to increased penalties. Fines may now be calculated based on the company’s turnover. Fines affect both EU and non-EU establishments under the GDPR. To reduce liability risks, companies should provide clear data protection instructions and closely monitor compliance, advised Hessel.