CJEU Holds German Provisions for Imposing Fines on Companies for GDPR Violations Invalid
In a judgment dated 5 December 2023 (Case C-807/21 – Deutsche Wohnen) presented by the Higher Regional Court Berlin (Kammergericht), the Court of Justice for the European Union (CJEU) held that a German law permitting administrative fines against corporate entities where an identified legal representative of that entity was proven to have committed a criminal or administrative offence, which at the same time led to the corporate entity breaching its obligations, is not in line with GDPR.
The respective provision of the German Act on Administrative Fines (OWiG) must consequently not be applied by German Data Protection Supervisory Authorites when imposing an administrative fine for GDPR violation against an entity. However, the court emphasized that such fine may still be imposed if and to the extent the entity is acting intentionally or negligently. As legal entities are not able to act on their own but only by their representatives and personnel, it will be interesting to see how Data Protection Authorities will address this requirement going forward. Full text here.