Provisional text

JUDGMENT OF THE COURT (Fifth Chamber)

13 February 2025 (*)

(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Article 83(4) to (6) and (9) – Concept of an ‘undertaking’ – Parent company and subsidiary – Infringement of that regulation by a subsidiary – Calculation of the amount of the fine – Consideration of the total turnover of the group of which that subsidiary forms part)

In Case C-383/23,

REQUEST for a preliminary ruling under Article 267 TFEU from the Vestre Landsret (High Court of Western Denmark, Denmark), made by decision of 3 May 2023, received at the Court on 21 June 2023, in the criminal proceedings against

ILVA A/S,

THE COURT (Fifth Chamber),

composed of I. Jarukaitis, President of the Fourth Chamber, acting as President of the Fifth Chamber, D. Gratsias and Z. Csehi (Rapporteur), Judges,

Advocate General: L. Medina,

Registrar: C. Strömholm, Administrator,

having regard to the written procedure and further to the hearing on 19 June 2024,

after considering the observations submitted on behalf of:

– ILVA A/S, by D.B. Geary, advokat,

– the European Commission, by A. Bouchagiar, H. Kranenborg and C. Vang, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 12 September 2024,

gives the following

Judgment

1 This request for a preliminary ruling concerns the interpretation of Article 83(4) to (6) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).

2 The request has been made in criminal proceedings brought by the Anklagemyndigheden (Public Prosecutor’s Office, Denmark) against ILVA A/S for alleged infringements of that company’s obligations under the GDPR in its capacity as controller of personal data concerning former customers.

Legal context

European Union law

3 Recitals 150 and 151 of the GDPR are worded as follows:

‘(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. …

(151) The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.’

4 Article 5 of the GDPR lays down the principles relating to the processing of personal data.

5 Article 6 of the GDPR determines the conditions under which the processing of personal data is regarded as being lawful.

6 Article 58 of the GDPR, entitled ‘Powers’, provides, in paragraph 2 thereof:

‘Each supervisory authority shall have all of the following corrective powers:

(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

… ’

7 Article 83 of the GDPR, entitled ‘General conditions for imposing administrative fines’, states, in paragraphs 1, 2, 4 to 6 and 9 thereof:

‘1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement taking into account the nature[,] scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intentional or negligent character of the infringement;

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e) any relevant previous infringements by the controller or processor;

(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g) the categories of personal data affected by the infringement;

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same [subject matter], compliance with those measures;

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to [EUR 10 000 000], or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to [EUR 20 000 000], or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to [EUR 20 000 000], or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the [European] Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.’

Danish law

8 Lov nr. 502 om supplerende bestemmelser til forordning om beskyttelse af fysiske personer i forbindelse med behandling af personoplysninger og om fri udveksling af sådanne oplysninger (Law No 502 on supplementary provisions to the [GDPR]) of 23 May 2018 provides, in Paragraph 41 thereof:

‘1. Unless a greater penalty is justified under other legislation, a fine or a term of imprisonment of up to six months shall be imposed on anyone who infringes the provisions on:

(4) the basic principles of processing, including the conditions for consent, in Article 5 to 7 and 9 of the [GDPR],

  1. Article 83(2) of the [GDPR] must be followed when imposing a penalty according to subparagraphs 1 and 2.

  1. Companies and so forth (legal persons) may be held criminally liable in accordance with the rules set out in Chapter 5 of the [straffeloven (Criminal Code)]. … ’

The dispute in the main proceedings and the questions referred for a preliminary ruling

9 ILVA operates a chain of furniture stores and is part of the Lars Larsen Group. The total group turnover in the 2016/2017 financial year amounted to 6.57 billion Danish kroner (DKK) (approximately EUR 881 million) and ILVA’s turnover amounted to almost DKK 1.8 billion (approximately EUR 241 million) for the same financial year.

10 ILVA is charged before the Danish courts with having failed, during the period from May 2018 to January 2019, to fulfil its obligations under the GDPR in its capacity as controller of personal data in relation to the retention of the data of at least 350 000 former customers.

11 On the recommendation of the Datatilsynet (Data Protection Agency, Denmark), the Public Prosecutor’s Office sought the imposition of a fine of DKK 1.5 million (approximately EUR 201 000) on ILVA. The calculation of that amount was based not only on the turnover of ILVA, but also on the overall turnover of the Lars Larsen Group.

12 By judgment of 12 February 2021, the retten i Aarhus (Aarhus District Court, Denmark) found ILVA guilty of the acts alleged against it and ordered it to pay a fine of DKK 100 000 (approximately EUR 13 400). That court held that ILVA had acted negligently, contrary to what was alleged by the Public Prosecutor’s Office. It also considered that, since charges had been brought only against ILVA, it was not necessary to take into account the turnover of the Lars Larsen Group in order to determine the amount of the fine. Furthermore, the court noted that ILVA was engaged in an independent retail activity and that it had not been set up by the parent company of that group for the sole purpose of processing the group’s data.

13 The Public Prosecutor’s Office brought an appeal against that judgment before the Vestre Landsret (High Court of Western Denmark, Denmark), which is the referring court. The Public Prosecutor’s Office maintains that the term ‘undertaking’ in Article 83(4) to (6) of the GDPR must be understood as meaning that, in order to set a fine in the event of an infringement of the GDPR by a company, it is necessary to refer to the turnover of the group of which that company forms part. According to the Public Prosecutor’s Office, it follows from recital 150 of the GDPR that that term must be understood in accordance with Articles 101 and 102 TFEU.

14 ILVA, on the other hand, contends that, in order to set a fine for an infringement of the GDPR by a company, it is not necessary to take into account the overall turnover of the group of which it forms part. In the present case, charges were brought only against ILVA, and not also against its parent company.

15 The referring court considers that the answer to that question is not clear from the GDPR.

16 In those circumstances, the Vestre Landsret (High Court of Western Denmark) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1) Must the term “undertaking” in Article 83(4) to (6) of the [GDPR] be understood as an undertaking within the meaning of Articles 101 and 102 TFEU, in conjunction with recital 150 of the [GDPR], and the case-law of the Court concerning EU competition law, so that the term “undertaking” covers any entity engaged in an economic activity, regardless of that entity’s legal status and the way in which it is financed?

(2) If the answer to … Question 1 is in the affirmative, must Article 83(4) to (6) of the [GDPR] be interpreted as meaning that, when imposing a fine on an undertaking, regard must be had to the total worldwide annual turnover of the economic entity of which the undertaking forms part, or only the total worldwide annual turnover of the undertaking itself? ’

Consideration of the questions referred

17 By its questions, which it is appropriate to examine together, the referring court asks, in essence, whether Article 83(4) to (6) of the GDPR, read in the light of recital 150 of that regulation, must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for infringement of the GDPR is imposed on a controller of personal data which is or forms part of an undertaking, the amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year, within the meaning of Articles 101 and 102 TFEU.

18 At the outset, it should be noted that the Court of Justice has already had occasion to answer certain questions relating to the interpretation of Article 83 of the GDPR in the judgment of 5 December 2023, Deutsche Wohnen (C-807/21, EU:C:2023:950, paragraphs 53 to 59), delivered after the close of the written procedure in the present case.

19 The Court ruled that the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, has no bearing on whether and under what conditions an administrative fine may be imposed pursuant to Article 83 of the GDPR on a controller who is a legal person, since that question is exhaustively regulated by Article 58(2) and Article 83(1) to (6) of that regulation (judgment of 5 December 2023, Deutsche Wohnen, C-807/21, EU:C:2023:950, paragraph 53).

20 That concept is relevant only for the purpose of determining the amount of the administrative fine imposed under Article 83(4) to (6) of the GDPR on a controller (judgment of 5 December 2023, Deutsche Wohnen, C-807/21, EU:C:2023:950, paragraph 54).

21 It is in that specific context of the calculation of administrative fines imposed in respect of the infringements referred to in Article 83(4) to (6) of the GDPR that the reference, in recital 150 of that regulation, to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, is to be understood (judgment of 5 December 2023, Deutsche Wohnen, C-807/21, EU:C:2023:950, paragraph 55).

22 In that regard, it should be stated that, for the purposes of applying the competition rules, referred to in Articles 101 and 102 TFEU, that concept covers any entity engaged in an economic activity, irrespective of the legal status of that entity and the way in which it is financed. The concept of an undertaking therefore designates an economic unit even if in law that economic unit consists of several persons, natural or legal. That economic unit consists of a unitary organisation of personal, tangible and intangible elements, which pursues a specific economic aim on a long-term basis (judgment of 5 December 2023, Deutsche Wohnen, C-807/21, EU:C:2023:950, paragraph 56 and the case-law cited).

23 Accordingly, it is apparent from Article 83(4) to (6) of the GDPR, which concerns the calculation of administrative fines in respect of the infringements listed in those paragraphs, that, where the addressee of the administrative fine is or forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU, the maximum amount of the administrative fine is calculated on the basis of a percentage of the total worldwide annual turnover in the preceding business year of the undertaking concerned (judgment of 5 December 2023, Deutsche Wohnen, C-807/21, EU:C:2023:950, paragraph 57).

24 However, the determination of that maximum amount must be distinguished from the actual calculation of the amount of a fine to be imposed by the competent supervisory authority for the specific infringement or infringements of the GDPR penalised by that fine.

25 Thus, under Article 83(1) of the GDPR, each supervisory authority is to ensure that administrative fines imposed pursuant to Article 83 in respect of infringements of the GDPR referred to in paragraphs 4 to 6 thereof are in each individual case effective, proportionate and dissuasive.

26 In addition to complying with those three conditions, Article 83(2) of the GDPR requires that the competent supervisory authority, when deciding whether it is necessary to impose an administrative fine and when setting the amount of that fine in each individual case, have due regard to a number of factors.

27 Those factors include, in accordance with the latter provision, inter alia, the nature, gravity and duration of the infringement; the number of data subjects affected and the level of damage suffered by them; the intentional or negligent character of the infringement; the actions taken by the controller or processor of personal data to mitigate the damage suffered; the degree of responsibility of that controller or processor; and the categories of personal data affected by the infringement.

28 Those factors characterise either the behaviour of that controller or processor, accused of infringements of certain provisions of the GDPR, or the infringements themselves. They therefore serve to ensure that each of those infringements is assessed on the basis of all the relevant individual circumstances and that the objectives pursued by the system of penalties provided for in the GDPR are achieved.

29 Although those factors do not make reference to the concept of an undertaking, within the meaning of Articles 101 and 102 TFEU, the Court has already ruled that only a fine which takes into account not just all of the factors thus characterising the established infringements of the GDPR, but also, where appropriate, the actual or material economic capacity of the person on which the fine is imposed is capable of satisfying the three conditions set out in Article 83(1) of the GDPR, namely to be effective, proportionate and dissuasive. In order to assess those conditions, it is necessary to take account of whether that person forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU (see, to that effect, judgment of 5 December 2023, Deutsche Wohnen, C-807/21, EU:C:2023:950, paragraph 58).

30 The interpretation of Article 83 of the GDPR that results from paragraphs 25 to 29 of the present judgment is also applicable where the established infringements of the GDPR are penalised not by an administrative fine but by a fine imposed by the competent national courts as a criminal penalty.

31 As stated in recital 151 of the GDPR, certain national legal systems, including that of the Kingdom of Denmark, do not allow for administrative fines as set out in the GDPR.

32 In order to resolve that situation, Article 83(9) of the GDPR provides that, where the legal system of a Member State does not provide for administrative fines, Article 83 may be applied in such a manner that, as in the present case, the fine is initiated by the competent supervisory authority and imposed by competent national courts.

33 It is further specified in Article 83(9), as in recital 151 of that regulation, that the legal remedies in question are to be effective and have an equivalent effect to the administrative fines imposed by supervisory authorities and that, in any event, the fines imposed are to be effective, proportionate and dissuasive.

34 That being said, the fact that the fine is imposed by a criminal court in criminal proceedings means that that court must at all times respect the rules applicable in criminal matters, including, in particular, the procedural rights enjoyed by the accused person and the principle of proportionality of the penalty, as guaranteed by the Charter of Fundamental Rights of the European Union.

35 In that regard, as the Advocate General stated in point 74 of her Opinion, Article 83 of the GDPR requires that the competent supervisory authorities must, without exception, ensure that the principle of proportionality is observed in the calculation of the actual amount of the fine imposed, whereby a fair balance is struck between the demands of the general interest in protecting personal data and the requirements of the protection of the rights of the controller of such data, the processor or the undertaking of which they form part. It follows that an application of the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, in the context of the implementation of Article 83(4) to (6) of the GDPR, does not appear to encounter any obstacles of principle where infringements of the GDPR are penalised not by administrative fines but by fines imposed by criminal courts.

36 In the light of the foregoing considerations, the answer to the questions referred is that Article 83(4) to (6) of the GDPR, read in the light of recital 150 of that regulation, must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for infringement of the GDPR is imposed on a controller of personal data which is or forms part of an undertaking, the maximum amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year. The concept of ‘undertaking’ must also be taken into account in order to assess the actual or material economic capacity of the recipient of the fine and thus to ascertain whether the fine is at the same time effective, proportionate and dissuasive.

Costs

37 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Fifth Chamber) hereby rules:

Article 83(4) to (6) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in the light of recital 150 of that regulation,

must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for infringement of Regulation 2016/679 is imposed on a controller of personal data which is or forms part of an undertaking, the maximum amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year. The concept of ‘undertaking’ must also be taken into account in order to assess the actual or material economic capacity of the recipient of the fine and thus to ascertain whether the fine is at the same time effective, proportionate and dissuasive.

[Signatures]


* Language of the case: Danish.