Judgment of the Court of Justice of the European Union: interpretation of the term “undertaking” and consequences for the calculation of fines for GDPR infringements

Nika Nazarian, Legal Officer

In its judgment of 13 February 2025 (C-383/23), the Court of Justice of the European Union provided guidance on how to calculate administrative fines for infringements of the General Data Protection Regulation (GDPR) and specified factors for calculating such fines. In particular, the Court clarified how the concept of “undertaking” as referred to in Article 83 of the GDPR must be interpreted, and whether it is necessary to refer to the turnover of the entire group of which the infringing undertaking is part when calculating the maximum fine. This judgment is a new link in the chain of judgments of the Court of Justice that further clarify the enforcement tools provided by the GDPR.

This judgment concerns criminal proceedings brought by the Public Prosecutor's Office against ILVA A/S, an undertaking that had failed to comply with the GDPR obligations regarding the personal data of former customers. This undertaking is part of a larger group, the Lars Larsen Group.

Note that the procedure to which the preliminary ruling relates is criminal rather than administrative in nature. The Danish legal system does not allow administrative fines for violations of the GDPR. According to recital 151 of the GDPR, such a system is permitted, provided that the criminal sanctions imposed have the same deterrent effect as the administrative fines more commonly imposed by supervisory authorities.

It was unclear to the referring court (High Court of Western Denmark, Denmark) how the maximum fines for GDPR violations should be calculated. The legal basis for determining the maximum fines for privacy violations, Article 83 GDPR, uses the term “undertaking”. The referring court considers the interpretation of this term to be decisive for the calculation of the fines. The questions referred (paraphrased): Should the term “undertaking” within the meaning of Article 83(4) to (6) of the GDPR be interpreted in the sense of European competition law, and should the calculation of the maximum fine be based on the worldwide annual turnover of the entire group of undertakings (Lars Larsen Group), and not only on that of the undertaking that infringed the GDPR (ILVA A/S)?

The Court answers both questions in the affirmative, referring to recital 150 of the GDPR and an earlier judgment in Deutsche Wohnen (C-807/21). The Court, moreover, clarifies that the competition law interpretation of “undertaking” in the GDPR does not have a direct effect on whether and under what conditions the fine can be imposed, but it does influence the calculation of the amount of the fine.

Under competition law, an “undertaking” refers to an economic entity, regardless of whether it consists of several natural or legal persons from a legal point of view. The maximum fine is therefore based on the turnover of the entire group. Violations of the GDPR can consequently result in fines of up to 2% or 4% of turnover.

The above is relevant when determining the maximum fine amount. However, under the GDPR, the amount actually imposed must be effective, proportionate and dissuasive – and may therefore be significantly lower than the maxima specified in the regulation. When calculating the actual fine amount, one needs to take into account the actual or material economic capacity of the undertaking concerned and other relevant factors. Such other factors may include the nature, seriousness and duration of the infringement, the number of data subjects affected, and the intentional or negligent nature of the GDPR infringement.

The fact that an imposed fine relates to the global annual turnover of entire complex business structures, and not just to the undertaking within those structures that has failed to comply with the GDPR obligations, requires particular attention to be paid to monitoring compliance with the GDPR within large-scale and complex groups.

The relevance of this judgment extends beyond the enforcement of the GDPR. Similar penalty systems are also included in other EU legislation and regulations, such as the Artificial Intelligence Act (AI Act), the Digital Services Act (DSA) and the Digital Markets Act (DMA). The AI Act introduces a tiered penalty system whereby the calculation of the fines depends on the nature and severity of the infringement. Infringements can be punished with fines of up to 1%, 3% or 7% of the global annual turnover of the undertaking concerned. Fines for DMA violations are also explicitly tied to an undertaking’s global annual turnover, reaching up to 10% and increasing to 20% for repeated offenses. The DSA provides a legal ground for imposing fines of up to 6% of global annual turnover for non-compliance, with additional periodic fines for continuing infringements of up to 5% of average daily turnover. This judgment may therefore have significant implications for how fines are calculated under other EU legislation and regulations, particularly with regard to whether they are based on the turnover of the entire corporate group or solely that of the infringing undertaking.

Furthermore, the European supervisory authority EDPB has already stated that the term “undertaking” in the administrative fine provision must be interpreted in accordance with competition law. According to the EDPB, Article 83(4) to (6) of the GDPR must be read in the light of recital 150 of the regulation and in accordance with Articles 101 and 102 of the TFEU. This means that the policy rules of the European supervisory authority appear to be in line with the ruling of the Court of Justice. However, the Dutch supervisory authority AP does not address this issue in its guidelines. The present ruling will therefore certainly have an impact on national law.

Written by: Nika Nazarian.
