News about the imposition of fines in data protection

In the matter C 807/21 (Deutsche Wohnen SE), the ECJ ruled on 5 December 2023 that the imposition of a fine under Art. 83 GDPR required fault.

All news

In the matter C 807/21 (Deutsche Wohnen SE), the ECJ ruled on 5 December 2023 that the imposition of a fine under Art. 83 GDPR required fault. Furthermore, the ECJ clarified that, in order to impose a fine on a legal entity (company), it was not necessary for an identified natural person who actually committed the infringement to be determined so that an infringement of data protection rules can be attributed to the company. This decision is therefore essentially about the question of whether fault has to be involved so that a penalty can be imposed for data protection violations (a distinction has to be drawn between this case and our blog entry Fault or no fault in immaterial damage claims under data protection law | KWR, which dealt with the issue of fault in the context of damages).

Initial case

A fine of EUR 14.5 million was imposed on Deutsche Wohnen SE. The reason for this was a breach of erasure obligations. Deutsche Wohnen SE stored tenants' personal data for longer than necessary. Personal data such as proof of identity, data on previous tenancies, as well as tax, social security and health insurance data were stored past the prescribed retention periods (even after the tenants had moved out).

Deutsche Wohnen SE appealed. The Berlin Regional Court (as the court of appeal) discontinued the penalty proceedings because under German law administrative governing offences (sec. 30 OWiG), companies can only be punished if it has been established that the infringement was committed by an identified natural person (a company executive) and can be attributed to the company. However, this had not been the case, which is why the imposition of a fine was not possible.

The discontinuation of proceedings was appealed against before with the Berlin Court of Appeal. This court referred two questions regarding the interpretation of Art 83 GDPR to the ECJ:

  1. Can a fine be imposed on a company without the need to establish that an identified natural person in the company infringed the law?
  2. Does the imposition of a fine require fault or is an objective breach of obligations sufficient?

ECJ: The identification of a natural person is not required

The ECJ stated that companies (in their capacity as data controllers) are liable for infringements committed by representatives, managers, directors or all other persons, provided that the act happened in the course of business activities. There was no need to establish beforehand that an offence was committed by an identified natural person. The German legal provision (sec. 30 OWiG) is in conflict with Art. 83 GDPR.

ECJ: Yes to fault-based liability

As for the question of whether fault on the part of the legal entity is required for the imposition of a fine, the ECJ ruled that negligence or intent is necessary. It would not be possible to derive no-fault liability from Art. 83.

The KWR Data Protection Team will be happy to answer any questions you may have.

Your contact

This website uses cookies

For offering you the best experience possible we use various types of cookies. Please select the types of cookies you would like to allow and then click on "Agree". By clicking on „Agree to all“, you agree to the use of all cookies. You can withdraw your consent at any time by changing your browser settings, with future effect. For more information about the cookies we use click here: cookie policy. Further information about data protection can be found here: data protection.

Imprint

Operational and
functional cookies
Statistic cookies


Further information