European Union: Issued CJEU ruling on the interpretation of the General Data Protection Regulation (GDPR) concerning the imposition of administrative fines (Cases C-683/21 and C-807/21)

On 5 December 2023, the European Court of Justices (CJEU) clarified the interpretation of the General Data Protection Regulation (GDPR) concerning the ability of national supervisory bodies to penalise an infringement of the GDPR based on two cases from Lithuania and Germany. The CJEU ruled that fines can only be imposed for wrongful conduct committed intentionally or negligently. Furthermore, the CJEU stated that a legal person acting as a data controller is liable for infringements by representatives or any person acting on its behalf. Finally, the calculation of fines for GDPR violations should be based on the concept of an “undertaking” in competition law. The supervisory authority should determine the maximum fine by calculating a percentage of the total worldwide annual turnover of the undertaking in the preceding business year.