JUDGMENT OF THE COURT (Grand Chamber)
5 December 2023 (*)
(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Article 4(7) – Concept of ‘controller’ – Article 58(2) – Powers of supervisory authorities to apply corrective powers – Article 83 – Imposition of administrative fines on a legal person – Conditions – Discretion of the Member States – Requirement that the infringement be intentional or negligent)
In Case C-807/21,
REQUEST for a preliminary ruling under Article 267 TFEU from the Kammergericht Berlin (Higher Regional Court, Berlin, Germany), made by decision of 6 December 2021, received at the Court on 21 December 2021, in the proceedings
Deutsche Wohnen SE
v
Staatsanwaltschaft Berlin,
THE COURT (Grand Chamber),
composed of K. Lenaerts, President, L. Bay Larsen, Vice-President, A. Arabadjiev, C. Lycourgos, E. Regan, T. von Danwitz, Z. Csehi, O. Spineanu-Matei, Presidents of Chambers, M. Ilešič, J.-C. Bonichot, L.S. Rossi, A. Kumin, N. Jääskinen (Rapporteur), N. Wahl and M. Gavalec, Judges,
Advocate General: M. Campos Sánchez-Bordona,
Registrar: D. Dittert, Head of Unit,
having regard to the written procedure and further to the hearing on 17 January 2023,
after considering the observations submitted on behalf of:
– Deutsche Wohnen SE, by O. Geiss, K. Mertens, N. Venn and T. Wybitul, Rechtsanwälte,
– the German Government, by J. Möller and P.-L. Krüger, acting as Agents,
– the Estonian Government, by M. Kriisa, acting as Agent,
– the Netherlands Government, by C.S. Schillemans, acting as Agent,
– the Norwegian Government, by L.-M. Moen Jünge, M. Munthe-Kaas and T. Westhagen Edell, acting as Agents,
– the European Parliament, by G.C. Bartram and P. López-Carceller, acting as Agents,
– the Council of the European Union, by J. Bauerschmidt and K. Pleśniak, acting as Agents,
– the European Commission, by A. Bouchagiar, F. Erlbacher, H. Kranenborg and G. Meessen, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 27 April 2023,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 83(4) to (6) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).
2 The request has been made in proceedings between Deutsche Wohnen SE (‘DW’) and the Staatsanwaltschaft Berlin (Berlin Public Prosecutor’s Office, Germany) concerning an administrative fine imposed on DW pursuant to Article 83 of the GDPR in respect of an infringement of Article 5(1)(a), (c) and (e), Article 6 and Article 25(1) of that regulation.
Legal context
European Union law
3 Recitals 9, 10, 11, 13, 74, 129 and 150 of the GDPR state:
‘(9) … Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. …
(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. … This Regulation also provides a margin of manoeuvre for Member States to specify [their] rules, including for the processing of special categories of personal data … To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.
(11) Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.
…
(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. …
…
(74) The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
…
(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions … In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. This should not preclude additional requirements pursuant to Member State procedural law. …
…
(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. …’
4 Article 4 of that regulation provides as follows:
‘For the purposes of this Regulation:
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
…
(18) “enterprise” means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
…’
5 Article 58 of that regulation, entitled ‘Powers’, provides, in paragraphs 2 and 4:
‘2. Each supervisory authority shall have all of the following corrective powers:
(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
…
(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
…
(f) to impose a temporary or definitive limitation including a ban on processing;
…
(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
…
4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the [Charter of Fundamental Rights of the European Union].’
6 Article 83 of that regulation, entitled ‘General conditions for imposing administrative fines’, provides:
‘1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to [EUR 10 000 000], or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
…
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to [EUR 20 000 000], or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects’ rights pursuant to Articles 12 to 22;
…
(d) any obligations pursuant to Member State law adopted under Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to [EUR 20 000 000], or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
…’
German law
7 The first sentence of Paragraph 41(1) of the Bundesdatenschutzgesetz (Federal Law on data protection) of 30 June 2017 (BGBl. 2017 I, p. 2097), provides that, unless otherwise provided for in that law, the provisions of the Gesetz über Ordnungswidrigkeiten (Law on administrative offences) of 24 May 1968 (BGBl. 1968 I, p. 481) in the version in the Communication of 19 February 1987 (BGBl. 1987 I, p. 602), as amended by the Law of 19 June 2020 (BGBl. 2020 I, p. 1350; ‘the OWiG’), are applicable to the infringements referred to in Article 83(4) to (6) of the GDPR.
8 Paragraph 30 of the OWiG, entitled ‘Fines imposed on legal persons and associations of persons’, provides:
‘(1) Where a person acting
1. as a body authorised to represent a legal person or as a member of such a body,
2. as chairperson of an association which does not have legal capacity or as a member of its executive board,
3. as a partner authorised to represent a partnership having legal capacity,
4. as Generalbevollmächtigte (holder of a commercial power of attorney) or in the performance of a management function as Prokurist (holder of a general commercial power of attorney) or as Handlungsbevollmächtigte (person authorised to conduct certain commercial transactions) of a legal person or of an association of persons referred to in points 2 or 3 above, or
5. as a person otherwise responsible for the management of the business or undertaking of a legal person or of an association of persons referred to in points 2 or 3 above, which includes supervision of the management of the business or any other exercise of supervisory powers in a senior function,
has committed a criminal or administrative offence, as a result of which the obligations incumbent on the legal person or association of persons have been contravened or that legal person or association of persons has been enriched or was intended to be enriched, a fine may be imposed on such legal person or association of persons.
…
(4) If criminal proceedings or administrative proceedings involving the imposition of fines are not initiated in respect of the criminal offence or administrative offence, or if such proceedings are discontinued, or if a penalty is not sought, the fine may be determined independently. Statutory provision may also be made to the effect that a fine may be determined independently in further cases. However, a fine shall not be determined independently in respect of the legal person or association of persons where the criminal or administrative offence cannot for any legal reason be penalised …’
9 Paragraph 130 of the OWiG provides:
‘(1) A person who, as owner of a business or undertaking, intentionally or negligently fails to take the necessary supervisory measures to prevent, within the business or undertaking, breach of the obligations to which the owner is subject and infringement of which is punishable by a criminal penalty or a fine, shall be deemed to have committed an administrative offence if such breach could have been prevented or made more difficult by means of appropriate supervision. The necessary supervisory measures shall also include the appointment, careful selection and monitoring of the persons responsible for supervision.
…
(3) Where the breach of an obligation is punishable by a criminal penalty, the administrative offence may be punished by a fine of up to EUR 1 million. The third sentence of Paragraph 30(2) shall apply. Where the breach of the obligation is punishable by a fine, the maximum amount of the fine imposed for the breach of the obligation to supervise shall be determined by reference to the maximum amount of the fine incurred for that breach. …’
The dispute in the main proceedings and the questions referred for a preliminary ruling
10 DW is a listed real estate company, constituted in the legal form of a European company, with its registered office in Berlin (Germany). It holds, indirectly via participating interests in various companies, approximately 163 000 housing units and 3 000 commercial units.
11 The owners of those units are subsidiaries of DW (‘holding companies’) which carry on the operational side of the business, while DW is responsible for the central management of the group of which it forms part, together with, inter alia, those subsidiaries. The holding companies lease the housing and commercial units which are managed by other companies in the group, known as ‘service companies’.
12 As part of their business activities, DW and the group companies which it manages process personal data of tenants of the commercial and housing units, such as, for example, proof of identity, tax, social security and health insurance data of those tenants, as well as data relating to previous tenancies.
13 On 23 June 2017, the Berliner Beauftragte für den Datenschutz (Berlin Data Protection Authority, Germany; ‘the supervisory authority’) informed DW during an on-the-spot inspection that companies within its group were storing the personal data of tenants in an electronic filing system in respect of which it could not be ascertained whether storage was necessary or whether there were safeguards to ensure the erasure of data which were no longer required.
14 The supervisory authority requested DW to erase those documents from its electronic filing system by the end of 2017 at the latest. In response to that request, DW stated that it was not possible for technical and legal reasons to erase those documents.
15 Following exchanges between DW and the supervisory authority concerning whether it was possible to erase the documents at issue, DW informed that authority that it intended to introduce a new storage system to replace the system which contained those documents.
16 On 5 March 2019, the supervisory authority carried out an inspection at the corporate headquarters of the group managed by DW. During that inspection, DW informed that authority that the electronic filing system in question had already been decommissioned and that the data would be migrated to the new storage system imminently.
17 By decision of 30 October 2019, the supervisory authority imposed on DW an administrative fine of EUR 14 385 000 for intentional infringement of Article 5(1)(a), (c) and (e) and of Article 25(1) of the GDPR (‘the decision at issue’). By that decision, that authority also imposed 15 other fines on DW of between EUR 3 000 and EUR 17 000 in respect of the infringement of Article 6(1) of the GDPR.
18 In the decision at issue, the supervisory authority found, more specifically, that DW had intentionally failed, between 25 May 2018 and 5 March 2019, to take the measures necessary to allow personal data relating to tenants regularly to be erased where such data were no longer necessary or had, for some other reason, erroneously been stored. It also stated that DW had continued to store the personal data of at least 15 named tenants where such storage was not necessary.
19 DW brought an action against that decision before the Landgericht Berlin (Regional Court, Berlin, Germany). That court closed the proceedings without taking further action, holding that the decision at issue was vitiated by such serious defects that it could not serve as a basis for the imposition of a fine.
20 That court stated, inter alia, that the imposition of a fine on a legal person is exhaustively regulated by Paragraph 30 of the OWiG which, pursuant to Paragraph 41(1) of the Federal Law on data protection, applies to the infringements referred to in Article 83(4) to (6) of the GDPR. Under Paragraph 30 of the OWiG, a finding of an administrative infringement can be made only against a natural person and not against a legal person. In addition, only the actions of representatives of the legal person or of members of bodies thereof can be attributed to that legal person. While Paragraph 30(4) of the OWiG makes it possible, subject to certain conditions, to initiate independent proceedings for an administrative fine against a legal person, the fact remains that, also in those circumstances, it is necessary that a finding of an administrative infringement can be made against the members of bodies or representatives of the legal person concerned.
21 The Staatsanwaltschaft Berlin (Berlin Public Prosecutor’s Office) brought an appeal against the first-instance decision before the Kammergericht Berlin (Higher Regional Court, Berlin, Germany), which is the referring court.
22 The referring court asks, in the first place, whether, pursuant to Article 83 of the GDPR, it must be possible to impose an administrative fine on a legal person without the infringement of that regulation first being attributed to an identified natural person. In that context, the referring court considers, in particular, the relevance of the concept of an ‘undertaking’ within the meaning of Articles 101 and 102 TFEU.
23 In that regard, the referring court explains that, according to national case-law, the limited liability regime of legal persons under national law conflicts with the regime of direct liability of undertakings laid down in Article 83 of the GDPR. According to that case-law, it is apparent, in particular, from the wording of Article 83 of the GDPR, which, in accordance with the principle of primacy of EU law, prevails over the national regime, that administrative fines may be imposed on undertakings. It is therefore not necessary for the imposition of such fines to be linked to a wrongful act on the part of the bodies or directors of legal persons, contrary to the requirements of the applicable national law.
24 According to the referring court, that case-law, like the majority of national academic legal literature, attaches particular importance to the concept of an ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, and therefore to the idea that liability is attributed to the economic entity within which the undesirable conduct, for example anticompetitive conduct, occurred. Under that ‘functional’ interpretation, all acts of all employees authorised to act on behalf of an undertaking are attributable to the undertaking, including in relation to administrative proceedings.
25 In the second place, were the Court to find that an administrative fine must be able to be imposed directly on a legal person, the referring court raises the question of the criteria which must be applied in order to establish the liability of a legal person, as an undertaking, for an infringement of the GDPR. It wishes to ascertain, in particular, whether an administrative fine may be imposed pursuant to Article 83 of that regulation on a legal person without it being established that the infringement of that regulation attributed to that legal person was committed wrongfully.
26 In those circumstances, the Kammergericht Berlin (Higher Regional Court, Berlin) decided to stay proceedings and to refer the following questions to the Court of Justice for preliminary ruling:
‘(1) Is Article 83(4) to (6) of the GDPR to be interpreted as incorporating into national law the functional concept of an undertaking and the principle of an economic entity, as defined in Articles 101 and 102 TFEU, as a result of which, by broadening the principle of a legal entity underpinning Paragraph 30 of the [OWiG], proceedings for an administrative fine may be brought against an undertaking directly and a fine imposed without requiring a finding that a natural and identified person committed an administrative offence, if necessary, in satisfaction of the objective and subjective elements of tortious liability?
(2) If Question 1 is answered in the affirmative: is Article 83(4) to (6) of the GDPR to be interpreted as meaning that the undertaking must have intentionally or negligently committed the breach of an obligation vicariously through an employee (see Article 23 of Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty (OJ 2003 L 1, p. 1)) or, is the objective fact of breach caused by it sufficient, in principle, for a fine to be imposed on that undertaking (“strict liability”)?’
The request to have the written procedure reopened
27 Following the hearing held on 17 January 2023, DW, by a document lodged at the Court Registry on 23 March 2023, applied for an order that the oral part of the procedure be reopened, pursuant to Article 83 of the Rules of Procedure of the Court of Justice.
28 In support of its request, DW maintains, in essence, that the replies given by the referring court to the request for clarification addressed to it under Article 101 of the Rules of Procedure provide the Court with incorrect information concerning the applicable provisions of national law. A comprehensive debate concerning that issue was not possible at the hearing on 17 January 2023 because the parties had become aware of those replies only three working days before that hearing. Such a time period did not allow for thorough preparation for the hearing.
29 It is true that, in accordance with Article 83 of the Rules of Procedure, the Court may at any time, after hearing the Advocate General, order the reopening of the oral part of the procedure, in particular if it considers that it lacks sufficient information, or where a party has, after the close of that part of the procedure, submitted a new fact which is of such a nature as to be a decisive factor for the decision of the Court, or where the case must be decided on the basis of an argument which has not been debated between the interested persons.
30 However, in the present case, the Court has all the information necessary to give a ruling and the present case does not have to be decided on the basis of arguments which have not been debated by the interested persons. In addition, the request that the oral part of the procedure be reopened does not disclose any new fact which is of such a nature as to be capable of being a decisive factor for the decision which the Court is called upon to make in that case.
31 In those circumstances, the Court considers, after hearing the Advocate General, that there is no need to order that the oral part of the procedure be reopened.
Consideration of the questions referred
The first question
32 By its first question, the referring court asks, in essence, whether Article 58(2) and Article 83(1) to (6) of the GDPR must be interpreted as precluding national legislation under which an administrative fine may be imposed on a legal person in its capacity as controller in respect of an infringement referred to in Article 83(4) to (6) only in so far as that infringement has previously been attributed to an identified natural person.
33 As a preliminary point, it should be noted that, in its written observations, the German Government expressed doubts as to that interpretation of national law by the referring court, on the ground that Paragraph 130 of the OWiG also allows a fine to be imposed on a legal person outside the cases covered by Paragraph 30 of the OWiG. Furthermore, those two provisions make it possible to impose an ‘anonymous’ fine in the context of proceedings brought against the undertaking, without it being necessary to identify the natural person who committed the infringement in question.
34 In response to a request for clarification sent to the referring court, referred to in paragraph 28 of the present judgment, that court stated that Paragraph 130 of the OWiG has no bearing on the first question referred.
35 According to the referring court, that provision concerns the owner of a business or of an undertaking, who must have wrongfully failed to fulfil an obligation to supervise. Evidence of such a failure to fulfil obligations attributable to the owner of the undertaking is, however, extremely complex and often impossible to adduce, and the question whether a group of undertakings may be classified as an ‘undertaking’ or ‘owner of undertakings’ in accordance with that provision is the subject of divergent opinions at national level. In any event, the first question referred for a preliminary ruling is also relevant in that context.
36 It should be recalled that, as far as the interpretation of provisions of national law is concerned, the Court is in principle required to rely on the description given in the order for reference. According to settled case-law, the Court does not have jurisdiction to interpret the internal law of a Member State (judgment of 26 January 2021, Hessischer Rundfunk, C-422/19 and C-423/19, EU:C:2021:63, paragraph 31 and the case-law cited).
37 Consequently, the answer to the first question referred for a preliminary ruling takes as a premiss that, under the applicable national law, an administrative fine may be imposed on a legal person in its capacity as controller in respect of an infringement referred to in Article 83(4) to (6) of the GDPR only subject to the conditions laid down in Paragraph 30 of the OWiG, as set out by the referring court.
38 In order to answer the first question referred for a preliminary ruling, it must be stated, first of all, that the principles, prohibitions and obligations laid down by the GDPR are directed, in particular, at ‘controllers’ whose responsibility extends, as stated in recital 74 of the GDPR, to any processing of personal data which they carry out themselves or which is carried out on their behalf, and who are required, on that basis, not only to implement appropriate and effective measures, but also to be able to demonstrate the compliance of processing activities with the GDPR, including the effectiveness of the measures adopted to ensure such compliance. It is that responsibility which forms, in the event of one of the infringements referred to in Article 83(4) to (6) of that regulation, the basis for the imposition of an administrative fine on the controller pursuant to Article 83 of that regulation.
39 Article 4(7) of the GDPR defines the concept of ‘controller’ broadly, as referring to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
40 The objective of that broad definition in Article 4(7) of the GDPR – which expressly includes legal persons – is, in a manner consistent with the objective of the GDPR, to ensure effective protection of the fundamental rights and freedoms of natural persons and, in particular, to ensure a high level of protection of the right of every person to the protection of personal data concerning him or her (see, to that effect, judgments of 29 July 2019, Fashion ID, C-40/17, EU:C:2019:629, paragraph 66, and of 28 April 2022, Meta Platforms Ireland, C-319/20, EU:C:2022:322, paragraph 73 and the case-law cited).
41 Furthermore, the Court has previously held that a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller (see, to that effect, judgment of 10 July 2018, Jehovan todistajat, C-25/17, EU:C:2018:551, paragraph 68).
42 It therefore follows from the wording and purpose of Article 4(7) of the GDPR that the EU legislature did not distinguish, for the purposes of determining liability under that regulation, between natural persons and legal persons, that liability being subject to the sole condition that those persons, alone or jointly with others, determine the purposes and means of processing of personal data.
43 Consequently, subject to what is provided for in Article 83(7) of the GDPR concerning public authorities and bodies, any person meeting that condition – regardless of whether a natural person, a legal person, a public authority, a service or another body – is responsible, inter alia, for any infringement referred to in Article 83(4) to (6) which is committed by that person or on behalf of that person.
44 As regards legal persons, that implies, first, as the Advocate General observed, in essence, in points 57 to 59 of his Opinion, that legal persons are liable not only for infringements committed by their representatives, directors or managers, but also by any other person acting in the course of the business of those legal persons and on their behalf. Second, the administrative fines provided for in Article 83 of the GDPR in respect of such infringements must be capable of being imposed directly on legal persons where they may be classified as the controllers in question.
45 Next, it must be stated that Article 58(2) of the GDPR sets out in detail the supervisory authorities’ corrective powers, without referring to the law of the Member States or leaving any discretion to those States. First, those powers, which include, under Article 58(2)(i) of the GDPR, the power to impose an administrative fine, relate to the controller and, second, such a controller may, as is apparent from paragraph 39 of the present judgment, be a natural person or a legal person. The substantive conditions which a supervisory authority must satisfy when imposing such a fine are, for their part, laid down in Article 83(1) to (6), in precise terms and without leaving any discretion to the Member States.
46 It thus follows from a combined reading of Article 4(7), Article 83 and Article 58(2)(i) of the GDPR that an administrative fine in respect of an infringement referred to in Article 83(4) to (6) may also be imposed on legal persons where they are controllers. By contrast, no provision of the GDPR permits the inference that the imposition of an administrative fine on a legal person as a controller is subject to a previous finding that that infringement was committed by an identified natural person.
47 It is true that it is apparent from Article 58(4) and Article 83(8) of the GDPR, read in the light of recital 129 of that regulation, that the exercise by the supervisory authority of its powers under those articles is to be subject to appropriate procedural safeguards in accordance with EU and Member State law, including effective judicial remedy and due process.
48 However, the fact that that regulation accordingly provides Member States with the possibility to lay down requirements concerning the procedure to be followed by the supervisory authorities in order to impose an administrative fine in no way means that they are also authorised to lay down, in addition to such procedural requirements, substantive conditions over and above those set by Article 83(1) to (6). In addition, the fact that the EU legislature took care to make express provision for that possibility but not the possibility to lay down such additional substantive conditions confirms that it did not provide the Member States with a margin of discretion in that regard. Those substantive conditions therefore fall solely within the scope of EU law.
49 The literal interpretation of Article 58(2) and Article 83(1) to (6) of the GDPR set out above is borne out by the purpose of that regulation.
50 It is apparent, in particular, from recital 10 of the GDPR that the objectives of the provisions of that regulation are, inter alia, to ensure a consistent and high level of protection of natural persons with regard to the processing of personal data within the European Union and, to that end, to ensure consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of those persons with regard to the processing of personal data throughout the European Union. Recitals 11 and 129 of the GDPR emphasise, moreover, the need to ensure, in order to ensure consistent application of that regulation, that supervisory authorities have equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and that they can impose equivalent sanctions where that regulation is infringed.
51 To allow Member States to make it a requirement, unilaterally and as a necessary condition for the imposition of an administrative fine pursuant to Article 83 of the GDPR on a controller who is a legal person, that the infringement in question is first attributed or attributable to an identified natural person, would be contrary to that purpose of the GDPR. In addition, such an additional requirement would, ultimately, risk weakening the effectiveness and deterrent effect of administrative fines imposed on legal persons as controllers, contrary to Article 83(1) of the GDPR.
52 In that regard, it should be recalled that the second paragraph of Article 288 TFEU provides that an EU regulation is to be binding in its entirety and directly applicable in all Member States, which precludes, unless otherwise provided, Member States from taking steps which are intended to alter the scope of such a regulation. In addition, the Member States are under a duty, by virtue of the obligations arising from the FEU Treaty, not to obstruct the direct applicability inherent in regulations. In particular, they must not adopt a measure by which the nature of EU law and the consequences which arise from it are concealed from the persons concerned (judgment of 15 November 2012, Al-Aqsa v Council and Netherlands v Al-Aqsa, C-539/10 P and C-550/10 P, EU:C:2012:711, paragraphs 86 and 87 and the case-law cited).
53 Lastly, in view of the referring court’s questions, it should be stated that the concept of an ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, has no bearing on whether and under what conditions an administrative fine may be imposed pursuant to Article 83 of the GDPR on a controller who is a legal person, since that question is exhaustively regulated by Article 58(2) and Article 83(1) to (6) of that regulation.
54 That concept is relevant only for the purpose of determining the amount of the administrative fine imposed under Article 83(4) to (6) of the GDPR on a controller.
55 As the Advocate General observed in point 45 of his Opinion, the reference in recital 150 of the GDPR to the concept of an ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, is to be understood in that specific context of the calculation of administrative fines imposed in respect of the infringements referred to in Article 83(4) to (6) of the GDPR.
56 In that regard, it should be stated that, for the purposes of applying the competition rules, referred to in Articles 101 and 102 TFEU, that concept covers any entity engaged in an economic activity, irrespective of the legal status of that entity and the way in which it is financed. The concept of an undertaking therefore defines an economic unit even if in law that economic unit consists of several persons, natural or legal. That economic unit consists of a unitary organisation of personal, tangible and intangible elements which pursues a specific economic aim on a long-term basis (judgment of 6 October 2021, Sumal, C-882/19, EU:C:2021:800, paragraph 41 and the case-law cited).
57 Accordingly, it is apparent from Article 83(4) to (6) of the GDPR, which concerns the calculation of administrative fines in respect of the infringements listed in those paragraphs, that, where the addressee of the administrative fine is or forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU, the maximum amount of the administrative fine is calculated on the basis of a percentage of the total worldwide annual turnover in the preceding business year of the undertaking concerned.
58 In short, as the Advocate General observed in point 47 of his Opinion, only an administrative fine determined on the basis of the actual or material economic capacity of the person on which it is imposed, and therefore imposed by the supervisory authority, relying, as regards the amount of that fine, on the concept of an economic unit within the meaning of the case-law cited in paragraph 56 of the present judgment, is capable of satisfying the three conditions set out in Article 83(1) of the GDPR, namely to be effective, proportionate and dissuasive.
59 Therefore, where a supervisory authority decides, by virtue of its powers under Article 58(2) of the GDPR, to impose on a controller, which is or forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU, an administrative fine pursuant to Article 83 of that regulation, that authority is required to take as its basis, under Article 83 GDPR, read in the light of recital 150 of that regulation, when calculating administrative fines in respect of the infringements referred to in Article 83(4) to (6) of the GDPR, the concept of an ‘undertaking’, within the meaning of Articles 101 and 102 TFEU.
60 In the light of the foregoing, the answer to the first question must be that Article 58(2)(i) and Article 83(1) to (6) of the GDPR must be interpreted as precluding national legislation under which an administrative fine may be imposed on a legal person in its capacity as controller in respect of an infringement referred to in Article 83(4) to (6) only in so far as that infringement has previously been attributed to an identified natural person.
The second question
61 By its second question, which is asked in the event that the first question is answered in the affirmative, the referring court asks, in essence, whether Article 83 of the GDPR must be interpreted as meaning that an administrative fine may be imposed pursuant to that provision only where it is established that the controller, which is both a legal person and an undertaking, intentionally or negligently committed an infringement referred to in Article 83(4) to (6) of the GDPR.
62 In that regard, it should be recalled that it is apparent from Article 83(1) of the GDPR that administrative fines must be effective, proportionate and dissuasive. However, Article 83 of the GDPR does not expressly state that the infringements referred to in Article 83(4) to (6) thereof may be penalised by such a fine only if they were committed intentionally or, at the very least, negligently.
63 The German, Estonian and Norwegian Governments and the Council of the European Union infer therefrom, inter alia, that the EU legislature intended to leave a certain discretion to the Member States in the implementation of Article 83 of the GDPR, allowing them to provide for administrative fines to be imposed pursuant to that provision, as appropriate, without it being established that the infringement of the GDPR penalised by that fine was committed intentionally or negligently.
64 An interpretation of that nature in respect of Article 83 of the GDPR cannot be accepted.
65 In that regard, as has been observed in paragraphs 45 and 48 of the present judgment, the substantive conditions which a supervisory authority must satisfy when it imposes an administrative fine on a controller are governed solely by EU law, since those conditions are laid down, in detail and without leaving any discretion to the Member States, in Article 83(1) to (6) of the GDPR (see also judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C-683/21, EU:C:2023:XXX, paragraphs 64 to 70).
66 As regards those conditions, it should be noted that Article 83(2) of the GDPR lists the factors to which the supervisory authority is to have regard when imposing an administrative fine on the controller. Those factors include, in Article 83(2)(b) thereof, ‘the intentional or negligent character of the infringement’. By contrast, none of the factors listed in Article 83(2) of the GDPR mentions any possibility that the controller will incur liability in the absence of wrongful conduct on its part.
67 In addition, Article 83(2) of the GDPR must be read in conjunction with Article 83(3) thereof, the purpose of which is to lay down the consequences of cumulative infringements of that regulation, according to which ‘if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement’.
68 Accordingly, it follows from the wording of Article 83(2) of the GDPR that only infringements of the provisions of that regulation committed wrongfully by the controller, that is to say those committed intentionally or negligently, can result in a fine being imposed on the controller pursuant to that article.
69 The general scheme and purpose of the GDPR support that reading.
70 First, the EU legislature has laid down a system of penalties enabling the supervisory authorities to impose the penalties which are the most appropriate according to the circumstances of each case.
71 Indeed, Article 58(2)(i) of the GDPR provides that those authorities may impose administrative fines, pursuant to Article 83 of that regulation, ‘in addition to, or instead’ of the other corrective powers listed in Article 58(2), such as warnings, reprimands or orders. Similarly, recital 148 of the GDPR states, inter alia, that the supervisory authorities, where dealing with a minor infringement or if the administrative fine likely to be imposed would constitute a disproportionate burden to a natural person, are permitted to refrain from imposing an administrative fine and, instead, to issue a reprimand.
72 Second, as has been stated in paragraph 50 of the present judgment, the objectives of the provisions of the GDPR are, inter alia, to ensure a consistent and high level of protection of natural persons with regard to the processing of personal data within the European Union and, to that end, to ensure consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of those persons with regard to the processing of personal data throughout the European Union. In addition, in order to ensure consistent application of the GDPR, supervisory authorities must have equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data, so that they can impose equivalent sanctions where that regulation is infringed.
73 The existence of a system of penalties making it possible to impose, where justified by the specific circumstances of each individual case, an administrative fine pursuant to Article 83 of the GDPR creates an incentive for controllers and processors to comply with that regulation. Through their deterrent effect, administrative fines contribute to strengthening the protection of natural persons with regard to the processing of personal data and therefore constitute a key element in ensuring respect for the rights of those persons, in accordance with the purpose of that regulation of ensuring a high level of protection of such persons with regard to the processing of personal data.
74 However, the EU legislature did not find it necessary, in order to ensure such a high level of protection, to provide for administrative fines to be imposed in the absence of wrongdoing. In view of the fact that the GDPR aims for a level of protection which is both equivalent and homogeneous, and that it must, to that end, be applied consistently throughout the European Union, it would be contrary to that purpose to allow Member States to provide for such a system for the imposition of a fine under Article 83 of the GDPR. Such a freedom of choice would, additionally, be liable to distort competition between economic operators within the European Union, which would run counter to the stated objectives of the EU legislature, in particular, those in recitals 9 and 13 of that regulation.
75 Accordingly, it must be observed that Article 83 of the GDPR does not allow an administrative fine to be imposed in respect of an infringement referred to in paragraphs 4 to 6 thereof, without it being established that that infringement was committed intentionally or negligently by the controller and that, consequently, a culpable infringement constitutes a condition for such a fine to be imposed.
76 In that regard, it must be clarified, as regards the question whether an infringement has been committed intentionally or negligently and is, therefore, liable to be penalised by an administrative fine pursuant to Article 83 of the GDPR, that a controller can be penalised for conduct falling within the scope of the GDPR where that controller could not be unaware of the infringing nature of its conduct, whether or not it is aware that it is infringing the provisions of the GDPR (see, by analogy, judgments of 18 June 2013, Schenker & Co. and Others, C-681/11, EU:C:2013:404, paragraph 37 and the case-law cited; of 25 March 2021, Lundbeck v Commission, C-591/16 P, EU:C:2021:243, paragraph 156; and of 25 March 2021, Arrow Group and Arrow Generics v Commission, C-601/16 P, EU:C:2021:244, paragraph 97).
77 Where the controller is a legal person, it should also be clarified that for Article 83 GDPR to apply, it is not necessary for there to have been action by or even knowledge on the part of the management body of that legal person (see, by analogy, judgments of 7 June 1983, Musique Diffusion française and Others v Commission, 100/80 to 103/80, EU:C:1983:158, paragraph 97, and of 16 February 2017, Tudapetrol Mineralölerzeugnisse Nils Hansen v Commission, C-94/15 P, EU:C:2017:124, paragraph 28 and the case-law cited).
78 Having regard to the foregoing, the answer to the second question is that Article 83 of the GDPR must be interpreted as meaning that an administrative fine may be imposed pursuant to that provision only where it is established that the controller, which is both a legal person and an undertaking, intentionally or negligently committed an infringement referred to in Article 83(4) to (6) thereof.
Costs
79 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Grand Chamber) hereby rules:
1. Article 58(2)(i) and Article 83(1) to (6) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
must be interpreted as precluding national legislation under which an administrative fine may be imposed on a legal person in its capacity as controller in respect of an infringement referred to in Article 83(4) to (6) only in so far as that infringement has previously been attributed to an identified natural person.
2. Article 83 of Regulation 2016/679
must be interpreted as meaning that an administrative fine may be imposed pursuant to that provision only where it is established that the controller, which is both a legal person and an undertaking, intentionally or negligently committed an infringement referred to in Article 83(4) to (6) thereof.
[Signatures]
* Language of the case: German.