Article 58(2)(i) and Article 83(1) to (6) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as precluding national legislation under which an administrative fine may be imposed on a legal person in its capacity as controller in respect of an infringement referred to in Article 83(4) to (6) only in so far as that infringement has previously been attributed to an identified natural person.
Article 83 of Regulation 2016/679must be interpreted as meaning that an administrative fine may be imposed pursuant to that provision only where it is established that the controller, which is both a legal person and an undertaking, intentionally or negligently committed an infringement referred to in Article 83(4) to (6) thereof.
Article 83 of Regulation 2016/679must be interpreted as meaning that (i) an administrative fine may be imposed pursuant to that provision only where it is established that the controller has intentionally or negligently committed an infringement referred to in paragraphs 4 to 6 of that article, and (ii) such a fine may be imposed on a controller in respect of personal data processing operations performed by a processor on behalf of that controller, unless, in the context of those operations, that processor has carried out processing for its own purposes or has processed such data in a manner incompatible with the framework of, or detailed arrangements for, the processing as determined by the controller, or in such a manner that it cannot reasonably be considered that that controller consented to such processing.