On June 21, 2023, a request for a preliminary ruling on the scope of the term “undertaking” in Article 83(4) to (6) of the General Data Protection Regulation (GDPR) was lodged with the Court of Justice of the EU (CJEU). This concept is critical for companies facing enforcement action as it is used as a reference point to determine the cap for GDPR fines.

Background

The case involves ILVA A/S, a Danish chain of furniture stores. In 2021, ILVA was fined DKK 100,000 (approx. USD 14,592) by the Aarhus District Court for failing to comply with the GDPR’s data retention obligations for data of 350,000 former customers between May 2018 and January 2019 (i.e., infringing Article 5(1)(e) and (2) and Article 6 of the GDPR). The court found that ILVA A/S acted negligently, but not intentionally, contrary to what was alleged by the Public Prosecutor.

The judgment was then appealed by the Public Prosecutor before a Danish High Court (Vestre Landsret), which is now hearing the case. The Prosecutor is asking for the fine to be increased to an amount calculated based not only on the turnover of the defendant, but also on that of the entire group of which it forms part (the Lars Larsen Group).

ILVA argued that a fine cannot be calculated based on the total turnover of the group. Firstly, throughout the proceedings, charges were only brought against ILVA and not against its parent company. Secondly, ILVA considers that Article 83(5) of the GDPR only lays down the maximum limits for the amount of the fine. The Prosecutor, by contrast, argued that EU law provides that, for the purpose of setting fines for infringements of the competition rules, the concept of “an undertaking” is to be understood as including undertakings in the same group.

Preliminary Questions

The Vestre Landsret has now referred the following questions to the CJEU on the interpretation of Article 83 of the GDPR:

  1. Must the term “undertaking” in Article 83(4) to (6) of the GDPR be understood as an undertaking within the meaning of Articles 101 and 102 TFEU, in conjunction with Recital 150 of that regulation, and the case-law of the CJEU concerning EU competition law, so that the term “undertaking” covers any entity engaged in an economic activity, regardless of that entity’s legal status and the way in which it is financed?
  2. If the answer to Question 1 is in the affirmative, must Article 83(4) to (6) of the GDPR be interpreted as meaning that, when imposing a fine on an undertaking, regard must be had to the total worldwide annual turnover of the economic entity of which the undertaking forms part, or only the total worldwide annual turnover of the undertaking itself?

The CJEU published the request for a preliminary ruling on August 28, 2023 (Case C-383/23).

Significance

This ruling will have a significant impact on any companies subject to the GDPR. While Recital 150 of the GDPR provides that “[…] an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for [fining purposes],” this should not mean that competition law principles should be simply applied as such.

In this case, charges were only brought against ILVA and not against its parent company. From our perspective, the general procedural and rights of defense issues implicated by then attempting to fine other group companies, including the parent entity, are clear-cut. Indeed, there are material differences between the nature of liability under the GDPR and EU competition rules:

  • Competition law focuses on the concepts of the “single economic entity” and “parental liability,” whereby there is a presumption that the parent company guides all commercial policy and that the subsidiary carries out, in all material respects, the instructions given to it by the parent company (“decisive influence”). Infringements can then be imputed to a parent company, such that a fine can be imposed on the parent based on the turnover of the group it controls.
  • Under the GDPR, responsibility for compliance with the obligations imposed, and liability for sanctions, is determined by the concept of the “controller,” which is defined in Article 4(7) GDPR as the natural or legal person which, “alone or jointly with others, determines the purposes and means of the processing of personal data.”

While the GDPR does not contain a definition of “undertaking,” it does define a “group of undertakings” in Article 4(19) GDPR as a controlling undertaking and its controlled undertakings. The reference in Recital 150 to EU competition law cannot displace the system for attribution of liability under the GDPR. The latter is based on the concept of the controller as responsible for complying with the GDPR, and liable for any breach thereof. The only appropriate approach for liability attribution under the GDPR would thus be to levy fines against the infringing controller.

Therefore, this is a welcome opportunity for the CJEU to make clear that it is simply not appropriate to “copy/paste” the competition principles—on the notions of undertaking and parental liability—to a different regulatory regime.

Next Steps

We are monitoring these proceedings and will publish updates as the case develops. Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy issues and investigations in jurisdictions across the globe. For more information, please contact Cedric Burton, Deirdre Carroll, or Laura Brodahl.