The European Court of Justice (ECJ) has issued a ruling that simplifies the criteria for imposing fines for breaches of EU data protection regulations. This development could lead to an increase in both the frequency and the size of penalties for such infringements. The ruling came as a response to requests for guidance from national courts in Lithuania and Germany regarding the conditions under which data controllers can be sanctioned for violating EU data protection laws. In one of the highlighted cases, the Berlin Commissioner for Data Protection and Freedom of Information fined Deutsche Wohnen, a German real estate company, €14.5 million in 2020.
German Attorney-at-Law Stefan Hessel commented on the significance of this decision for the enforcement of the General Data Protection Regulation (GDPR), stating that it lays down fundamental requirements for imposing fines on companies. In another case, Lithuania’s National Public Health Centre under the Ministry of Health contested a €12,000 fine related to a mobile application used for registering and monitoring data of individuals exposed to COVID-19. Jan Spittka, a GDPR expert and partner at Clyde & Co, a global law firm, noted that the ECJ’s decision lowers the requirements for imposing fines, strengthening the enforcement of the GDPR. According to the ECJ’s ruling, fines can be levied for infringements committed either intentionally or negligently. Hessel added that this threshold is surpassed if a company, as a data controller, objectively had the ability to recognize the unlawfulness of its actions.
The ruling also states that controllers can be fined for operations carried out by processors, to the extent that the controllers are responsible for those operations. The company’s lack of knowledge about the infringement does not exempt it from liability, especially for infringements committed by individuals acting on its behalf. Hessel further explained that the imposition of a fine does not require any specific action or awareness by the company’s management. This interpretation by the ECJ is expected to facilitate the process for data protection supervisory authorities in member states to impose fines, potentially leading to more substantial penalties in the future. Additionally, the fines can be calculated based on the turnover of the company or its parent company. The scope of these fines extends beyond EU member states, affecting countries with establishments in the EU that are subject to the GDPR, such as the UK and the US. To minimize future liability risks, companies are advised to provide clearer data protection instructions to employees and ensure close monitoring of compliance, as concluded by Hessel.
Breaking supply chain news is just a click away at The Supply Chain Report. Enhance your knowledge of international trade at ADAMftd.com with free tools.
#EuropeanCourtOfJustice #GDPRCompliance #DataProtection #EUDataRegulations #DeutscheWohnenFine #DataPrivacy #ClydeCo #BerlinDataProtection #GDPRPenalties #EUDataPrivacy
