Choose the experimental features you want to try

This document is an excerpt from the EUR-Lex website

Document 62021CC0807

Opinion of Advocate General Campos Sánchez-Bordona delivered on 27 April 2023.
Deutsche Wohnen SE v Staatsanwaltschaft Berlin.
Request for a preliminary ruling from the Kammergericht Berlin.
Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Article 4(7) – Concept of ‘controller’ – Article 58(2) – Powers of supervisory authorities to apply corrective measures – Article 83 – Imposition of administrative fines on a legal person – Conditions – Discretion of the Member States – Requirement that the infringement be intentional or negligent.
Case C-807/21.

Court reports – general

ECLI identifier: ECLI:EU:C:2023:360

 OPINION OF ADVOCATE GENERAL

CAMPOS SÁNCHEZ-BORDONA

delivered on 27 April 2023 ( 1 )

Case C‑807/21

Deutsche Wohnen SE

v

Staatsanwaltschaft Berlin

(Request for a preliminary ruling
from the Kammergericht Berlin (Higher Regional Court, Berlin, Germany))

(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Infringements – Imputation to an undertaking of an infringement committed by its employees – Possible strict liability – Transposition of concepts developed in the field of competition law)

1.

This reference for a preliminary ruling affords the Court of Justice an opportunity to rule on the conditions under which an administrative fine may be imposed on a legal person for infringement of Regulation (EU) 2016/679. ( 2 )

2.

In particular, it will be necessary to determine:

whether a penalty can be imposed on a legal person without it first being necessary to establish the liability of a natural person;

whether the infringement in respect of which the penalty is imposed must in all cases have been committed intentionally or negligently, or whether the mere objective fact of breach of an obligation is sufficient.

I. Legal context

A.   European Union law. The GDPR

3.

Recital 74 reads:

‘The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.’

4.

Recital 150 states:

‘In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. … The consistency mechanism may also be used to promote a consistent application of administrative fines. …’

5.

Under Article 4 (‘Definitions’):

‘For the purposes of this Regulation:

(7)

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8)

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(18)

“enterprise” means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

…’

6.

Article 58 (‘Powers’) provides in paragraph 2:

‘Each supervisory authority shall have all of the following corrective powers:

(a)

to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b)

to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c)

to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;

(d)

to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(i)

to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

…’

7.

Article 83 (‘General conditions for imposing administrative fines’) provides:

‘1.   Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2.   Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a)

the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b)

the intentional or negligent character of the infringement;

(c)

any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d)

the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e)

any relevant previous infringements by the controller or processor;

(f)

the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g)

the categories of personal data affected by the infringement;

(h)

the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i)

where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;

(j)

adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k)

any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3.   If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4.   Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10000000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

5.   Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20000000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

6.   Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20000000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

8.   The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

…’

B.   National law. Ordnungswidrigkeitengesetz (Law on administrative offences) ( 3 )

8.

Paragraph 9(1) provides that a person acting as (a) a body (or member thereof) authorised to represent a legal person, (b) a partner authorised to represent a partnership having legal capacity, or (c) a legal representative of a third party, is to be subject to any law under which the duties, relationships or circumstances of a personal, individual nature justify a possible penalty where those circumstances arise not in the case of that person but in the case of the person represented.

9.

Under Paragraph 9(2), the same applies in the case of the owner of a business (undertaking) who entrusts another person with all or part of the management of that business or the performance, under his or her own responsibility, of the duties incumbent on the owner.

10.

Paragraph 30(1) allows for an administrative fine to be imposed on a legal person where the natural person who represents or directs it or who is responsible for its management has committed a criminal offence or has failed to fulfil the legal person’s obligations.

11.

Under Paragraph 30(4), the prerequisite for the autonomous imposition of a fine on a legal person is that no proceedings have been initiated against the executive body or representatives of the legal person or, if such proceedings have been initiated, they have been discontinued.

12.

In accordance with Paragraph 130(1), a person who, as owner of a business or undertaking, intentionally or negligently fails to take the necessary supervisory measures to prevent, within the business or undertaking, breach of the obligations to which the owner is subject and infringement of which is punishable by a penalty or a fine, will be deemed to have committed an administrative offence if such breach could have been prevented or made more difficult by means of appropriate supervisory measures, including the appointment, careful selection and monitoring of those responsible for performing controls.

II. Facts, dispute and questions referred for a preliminary ruling

13.

Deutsche Wohnen SE (‘Deutsche Wohnen’) is a listed real estate company with registered office in Berlin (Germany). It holds indirect participating interests in approximately 163000 housing units and 3000 commercial units.

14.

The owners of those units are subsidiaries related to Deutsche Wohnen (‘holding companies’) which carry on the operational side of the business, while Deutsche Wohnen is responsible for the group’s central management. The holding companies lease the housing and commercial units which are managed by other companies in the group, known as service companies.

15.

As part of their business activities, Deutsche Wohnen and the companies in the group process the personal data of the tenants of the housing and commercial units. Those data include proof of identity, tax, social security and health insurance data, and data relating to previous tenancies.

16.

On 23 June 2017, the Berliner Beauftragte für den Datenschutz (Berlin Data Protection Authority; ‘the data protection authority’) informed Deutsche Wohnen during an on-the-spot check that companies within its group were storing the personal data of tenants in an electronic filing system in respect of which it could not be ascertained whether storage was necessary or whether there were safeguards to ensure the erasure of data which were no longer required.

17.

The data protection authority ordered Deutsche Wohnen to erase – henceforth and by the end of 2017 at the latest – certain documents from the electronic filing system.

18.

Deutsche Wohnen refused to do so, stating that erasure was impossible for technical and legal reasons. That refusal was discussed at a meeting between Deutsche Wohnen and the data protection authority, during which the latter stated that there were technical solutions for data erasure. Discussions continued and Deutsche Wohnen announced that it intended to implement a new system to replace the one censured by the data protection authority.

19.

On 5 March 2020, the data protection authority carried out an inspection at the corporate headquarters of the group, during which a total of 16 random samples were taken from the data pool. At the same time, Deutsche Wohnen informed the authority that the filing system at issue had already been decommissioned and that the data would be migrated to the new system immediately.

20.

On 30 October 2020, the data protection authority imposed a penalty on Deutsche Wohnen for:

having deliberately failed, between 25 May 2018 and 5 March 2019, to take the necessary measures to enable the regular deletion of tenant data which no longer had to be stored or which were otherwise wrongly stored;

having continued to store personal data of at least 15 named tenants, despite knowing that the storage of those data was not or was no longer necessary.

21.

Fines were imposed in the amount of EUR 14385000 for the deliberate infringement of Article 25(1) and Article 5(1)(a), (c) and (e) of the GDPR and between EUR 3000 and EUR 17000 for the 15 infringements of Article 6(1) of the GDPR.

22.

Deutsche Wohnen challenged those penalties before the Landgericht Berlin (Regional Court, Berlin, Germany), which upheld Deutsche Wohnen’s action.

23.

The Staatsanwaltschaft Berlin (Berlin Public Prosecutor’s Office, Germany) brought an appeal against the first-instance decision before the Kammergericht Berlin (Higher Regional Court, Berlin, Germany), which has referred the following questions to the Court of Justice for a preliminary ruling:

‘(1)

Is Article 83(4) to (6) of the GDPR to be interpreted as incorporating into national law the functional concept of an undertaking and the principle of an economic entity, as defined in Articles 101 and 102 TFEU, as a result of which, by broadening the principle of a legal entity underpinning Paragraph 30 of the [OWiG], proceedings for an administrative fine may be brought against an undertaking directly and a fine imposed without requiring a finding that a natural and identified person committed an administrative offence, if necessary, in satisfaction of the objective and subjective elements of tortious liability?

(2)

If Question 1 is answered in the affirmative: Is Article 83(4) to (6) of the GDPR to be interpreted as meaning that the undertaking must have intentionally or negligently committed the breach of an obligation vicariously (see Article 23 of Council Regulation (EC) No 1/2003 [ ( 4 )]), or is the objective fact of breach caused by it sufficient, in principle, for a fine to be imposed on that undertaking (“strict liability”)?’

III. Procedure before the Court

24.

The request for a preliminary ruling was received at the Court on 23 December 2021.

25.

Written observations were submitted by Deutsche Wohnen, the German, Estonian and Norwegian Governments and the European Commission.

26.

On 9 November 2022, pursuant to Article 101(1) of the Rules of Procedure of the Court of Justice, the Court asked the referring court to clarify:

the possible effect of Paragraph 130 of the OWiG on the first question referred;

the reasons for its view that an answer to the second question referred is necessary, given that, according to the order for reference, the penalties were imposed for the deliberate infringement of several provisions of the GDPR.

27.

The requested clarifications were received at the Court on 11 January 2023.

28.

In addition to the parties who submitted written observations, the Netherlands Government, the European Parliament and the Council of the European Union attended the hearing held on 17 January 2023.

IV. Analysis

A.   First question referred

1. Preliminary remarks

29.

By its first question, the referring court asks, in essence, whether, in the light of EU law, a penalty may be imposed on a legal person for infringement of the GDPR without it first being necessary to impute that infringement to a natural person.

30.

However, the referring court’s question contains some complex features:

it points to Article 83(4) to (6) of the GDPR as the provision whose interpretation could provide an answer to its question;

it refers to what it describes as ‘the functional concept of an undertaking and the principle of an economic entity, as defined in Articles 101 and 102 TFEU’.

31.

The referring court states that domestic law allows a fine to be imposed on an undertaking only if certain administrative offences committed (solely) by its managers acting in a representative capacity can be imputed to it. ( 5 )

32.

Deutsche Wohnen and the German Government disagree. In their view, Paragraph 30 of the OWiG must be read in conjunction with Paragraphs 9 and 130 thereof, alongside which it forms a coherent system of penalties. Under that system, an administrative penalty may be imposed on an undertaking without it being necessary for proceedings to have been initiated against the natural person who acted on its behalf. ( 6 )

33.

Upon being asked by the Court to comment on the possible effect of Paragraph 130 of the OWiG, the referring court replied that it is not relevant to the first question submitted for a preliminary ruling. It puts forward the following arguments in support of its position.

Even though that provision, together with Paragraphs 9 and 30 of the OWiG, allows fines to be imposed on an undertaking, the protection of legal interests afforded by it is very limited compared with the system of liability under Articles 101 and 102 TFEU.

Paragraph 130 of the OWiG applies to the owner of an undertaking who has failed to comply with an obligation of supervision. Proof of non-compliance with the obligations incumbent on the undertaking’s owner goes beyond a finding that the undertaking committed an infringement affecting legal interests. It requires investigation and clarification of (general and specific) internal structures and procedures that are extremely complex, not only in this case but in all cases involving groups, which is very often an impossible task. In that respect, it is unclear whether groups may in fact be classified as undertakings or owners of undertakings for the purposes of Paragraph 130 of the OWiG.

34.

Those clarifications demonstrate that the referring court’s first question reflects an interpretation of national law which, contrary to the German Government’s view, establishes a system of liability of legal persons the characteristics of which might render it incompatible with EU law.

35.

The Court must have regard to the national legal framework as described by the referring court, ( 7 ) which is the authoritative interpreter of its domestic law. Questions on the interpretation of EU law referred by a national court must be answered in the light of the factual and legislative context which that court is responsible for defining and the accuracy of which is not a matter for the Court to determine. ( 8 )

36.

It is therefore on the basis of those premisses that I will address the first question referred.

2. Legal persons who may be subject to a penalty under the GDPR

37.

There is no impediment, under EU law, to Deutsche Wohnen being considered to be the perpetrator of the infringement and the party liable for the penalty imposed. That possibility is present, in abstracto, in the GDPR and, in concreto, was exercised in this case.

In abstracto, as I will explain below, the possibility of imposing a penalty directly on a legal person for breaches of data protection is not only envisaged in a number of provisions of the GDPR, but is, in fact, one of the key mechanisms for ensuring the GDPR’s effectiveness.

In concreto, according to the order for reference, the fine at issue was imposed on Deutsche Wohnen for a number of infringements of the GDPR attributed to that company as data controller. ( 9 ) Deutsche Wohnen was the addressee of the data protection authority’s order, to which it replied in the terms set out above, and subsequently continued to engage in the conduct complained of by that authority. The identification of the person subject to the penalty was therefore not problematic. ( 10 )

38.

As regards the in abstracto perspective, extensive argument is not needed to confirm the proposition that a penalty may be imposed directly on a legal person as perpetrator of an infringement of the GDPR. That proposition follows without interpretative difficulties from the wording of Articles 4, 58 and 83 of the GDPR.

Article 4 defines the concepts of controller and processor and expressly states that they may be legal persons. ( 11 )

Article 58(2) confers on supervisory authorities a number of ‘corrective powers’ over data controllers and processors (that is to say, over legal persons too). Those corrective powers include the imposition of ‘an administrative fine’ (point (i)).

In listing the criteria for setting the amount of administrative fines, Article 83 of the GDPR refers to circumstances which may easily arise in actions taken by legal persons.

39.

It follows quite naturally from those provisions as a whole that the GDPR envisages the possibility of imposing the administrative fines resulting from infringement of that regulation directly on legal persons. ( 12 ) That naturalness is mirrored by the competent national authorities in the field, which have not shirked from punishing legal persons who have infringed the GDPR with fines, sometimes very heavy ones. ( 13 )

40.

As regards the in concreto perspective, I repeat that the data protection authority contacted Deutsche Wohnen in its capacity as controller, ordering it to erase certain personal data of tenants from its files, an order which the undertaking disregarded for a time until it changed its storage systems.

3. Whether it is first necessary to impute an infringement to a natural person

41.

According to the referring court, domestic law requires the liability of a natural person to be established before a penalty can be imposed directly on an undertaking for breach of the GDPR. This follows from Paragraph 30 of the OWiG: a fine may be imposed on an undertaking only if certain infringements committed by its managers acting in a representative capacity can be imputed to it, for which purpose the representative must have infringed the relevant provision by unlawfully and culpably committing the elements of the offence. ( 14 )

42.

In response to the objection raised by the German Government, which invokes Paragraph 130 of the OWiG to challenge the interpretation of the referring court, that court states its opinion in the terms indicated above which reproduce its reply to the Court. ( 15 ) In short, it submits that the protection of legal interests afforded by that provision is very limited compared with the system of liability under Articles 101 and 102 TFEU.

43.

The rule relating to a prior finding of liability of a natural person, which the referring court relies on, would not apply, however, if Article 83(4) to (6) of the GDPR were to adopt, by incorporating it into national law, the ‘functional concept of an undertaking’ characteristic of Articles 101 and 102 TFEU.

(a) Effect of the concept used in Articles 101 and 102 TFEU

44.

The purpose of Article 83(4) to (6) of the GDPR is to calculate the penalties for the infringements of the GDPR mentioned therein. In particular, those three paragraphs provide for the possibility of a penalty being imposed on an ‘undertaking’.

45.

It is against that background that the reference in recital 150 of the GDPR to the concept of undertaking within the meaning of Articles 101 and 102 TFEU is to be understood. I note that, for the Court, ‘EU competition law refers to the activities of undertakings and … the concept of an undertaking covers any entity engaged in an economic activity, irrespective of its legal status and the way in which it is financed’. ( 16 )

46.

In so far as the upper limit of the fines for infringement of the GDPR is set, for undertakings that are data controllers or processors, at a percentage of the ‘total worldwide annual turnover of the preceding financial year’, the reference criterion for determining that amount cannot be the formal legal personality of a company, but should be the concept of ‘economic unit’, in the sense described above.

47.

This is because, under paragraph 1 of Article 83 of the GDPR, the administrative fines provided for in paragraphs 4 to 6 thereof must be ‘effective, proportionate and dissuasive’. Those three characteristics can only be attributed to a fine determined on the basis of the actual or material economic capacity of the person on whom it is imposed. In order to calculate the penalty, it is therefore necessary to apply a material or economic concept of ‘undertaking’, rather than a strictly formal notion.

48.

The EU legislature has therefore adopted the actual or material definition of ‘undertaking’, characteristic of competition law, ( 17 ) for the purposes of determining the amount of the fines for infringement of the GDPR. But, I repeat, it is for those purposes alone that the GDPR refers to that concept.

49.

In the present case, the concept of undertaking set out in Articles 101 and 102 TFEU could therefore be relevant to the quantification of the fine that may be imposed on Deutsche Wohnen. Whether or not Deutsche Wohnen has the status of penalised entity (or, more precisely, of perpetrator of the infringement) is not strictly dependent on the application of those two articles of the TFEU.

50.

That does not preclude, by analogy, the general principles governing the system of penalties under competition law (on which the Court has ruled on many occasions) from applying, mutatis mutandis, to the liability of legal persons for infringements in the field of personal data protection. ( 18 )

(b) Direct imputation to a legal person

51.

Is national legislation which makes the imposition of administrative penalties on legal persons subject to the condition that proceedings must first have been brought against a natural person compatible with the GDPR?

52.

The GDPR is, in addition to being of general application, binding and directly applicable in each Member State, in accordance with Article 288 TFEU. Those features would be undermined if Member States could depart from the definitive configuration of the requirements imposed in the GDPR by the EU legislature.

53.

It is true that, precisely because of the uniqueness and characteristics of their subject matter, a number of provisions of the GDPR give Member States a degree of leeway to maintain or adopt national rules with a view to further specifying some of them. That is the case, for example:

as regards the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; ( 19 )

as regards the processing of special categories of personal data, since the GDPR does not preclude Member States from laying down the circumstances for specific processing situations, including determining more precisely the conditions for the lawfulness of such processing. ( 20 )

54.

That margin of discretion enjoyed by Member States, which was discussed at the hearing, cannot, in my view, extend to diminishing the possibility for infringements to be imputed to legal persons, as follows, according to the referring court, from Paragraph 30 of the OWiG.

55.

Configured in that way, the rules on the liability of legal persons would make it possible to exclude from the scope of the GDPR’s system of penalties infringements which, under that regulation, must be attributed to a legal person acting as controller or processor. That would be the case where those infringements did not involve natural persons who represent, direct or are responsible for managing the legal person.

56.

To the extent that, I repeat, a legal person may be a data controller and, in that capacity, the perpetrator of infringements of the GDPR imputable to it, the application of Paragraph 30 of the OWiG could lead to an unjustified weakening or shrinking of the scope of punishable conduct, which is not consistent with the general provision made in the GDPR itself.

57.

A legal person who can be classified as a data controller or processor must bear the consequences, in terms of penalties, of infringements of the GDPR committed not only by its representatives, directors or managers, but also by natural persons (employees, in the broad sense) acting in the course of the legal person’s business and under the supervision of its representatives, directors or managers.

58.

The fact of the matter is that those natural persons shape and define the intent of the legal person, giving concrete expression to it by means of individual and specific acts. Individual acts which, as an expression in concreto of that intent, are ultimately attributable to the legal person itself.

59.

In short, these are natural persons who, without themselves being representatives of a legal person, act under the authority of persons who, as representatives of the legal person, have failed to exercise supervision or control over them. Finally, imputability ultimately leads to the legal person itself, since an infringement committed by an employee acting under the authority of its managing bodies is a failure in the control and supervision system, for which those managing bodies are directly responsible.

60.

The foregoing reflects the referring court’s interpretation of its domestic law. However, the German Government argues that the combined application of Paragraphs 9, 30 and 130 of the OWiG establishes a system under which penalties may be imposed for infringements attributed to a legal person, committed by natural persons who do not perform managerial or representative duties in the legal person, without it being necessary to identify those natural persons. ( 21 )

61.

As indicated above, it is for the referring court to interpret the provisions of its domestic law. Whether or not, in accordance with national case-law and the academic legal writing relied on by the German Government, ( 22 ) those provisions enable domestic law to be interpreted in conformity with the requirements of EU law is a matter for the German courts to decide on.

62.

If such an interpretation was contra legem and it was impossible, owing to the specific structure of the national system of penalties, to give full effect to the relevant rules of the GDPR, the referring court would have to disapply the national provision incompatible with EU law in order to ensure the primacy of the GDPR.

B.   Second question referred

63.

The referring court enquires whether, under Article 83(4) to (6) of the GDPR, ‘the undertaking must have intentionally or negligently committed the breach of an obligation vicariously through an employee … or [whether] the objective fact of breach caused by it [is] sufficient, in principle, for a fine to be imposed on that undertaking (“strict liability”)’. ( 23 )

64.

As worded, the question raised is hypothetical, making it inadmissible for two reasons.

65.

First, according to the order for reference, the penalty was imposed on Deutsche Wohnen for intentional (deliberate) conduct and not for the mere ‘objective fact of breach’ of the GDPR. It is clear from the account of the facts reproduced above that Deutsche Wohnen knowingly and deliberately failed to comply with the data protection authority’s order and continued to engage in the data processing complained of. The fact that it cited technical and legal difficulties associated with changing its data processing systems is irrelevant to that classification.

66.

Second, when asked by the Court to clarify its question, the referring court stated that the first-instance court is not bound by the findings made in the penalty decision and that, in the future, that court would be able to adjudicate on the grounds of appeal against the penalty. If it concludes that the infringement took place, it will be necessary to determine what type of fault occurred, which will depend on the answer to the second question referred.

67.

That clarification again reveals the hypothetical nature of the second question: the determination of the classification of the conduct is not essential for the resolution of the dispute before the referring court, but may, where appropriate, be needed if the case is returned to the first-instance court, to enable it to take a decision in the future.

68.

In any event, and if the Court decides to examine the substance, I consider that the answer to that question would not depend on the interpretation of Article 83(4) to (6) of the GDPR, which concerns the quantification of administrative fines.

69.

The referring court distinguishes between (a) an infringement committed by an employee of a legal person, and (b) the presence of intent or negligence on the part of the legal person in that infringement.

70.

In my view, an ‘infringement committed by an employee’ is actually, as stated in relation to the first question, an infringement committed by the legal person under whose authority the employee acted.

71.

Properly worded, the question is therefore whether a penalty may be imposed on a legal person for the objective fact of breach (no-fault breach) of the legal person’s obligations as data controller or processor.

72.

In order to answer that question, it may be helpful to refer to the case-law of the European Court of Human Rights (ECtHR) on the principle of the legality of criminal offences and penalties, guaranteed by Article 7 of the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR).

73.

While the ECHR does not constitute, for as long as the European Union has not acceded to it, a legal instrument which has been formally incorporated into the EU legal order, the fundamental rights recognised by the ECHR form part of EU law as general principles (Article 6(3) TEU).

74.

According to the Court, ‘Article 52(3) of the Charter, which provides that the rights contained in the Charter which correspond to rights guaranteed by the ECHR are to have the same meaning and scope as those laid down by the ECHR, is intended to ensure the necessary consistency between those respective rights without adversely affecting the autonomy of EU law and that of the Court of Justice’. ( 24 )

75.

However, the case-law of the ECtHR on the interpretation of Article 7 ECHR contains some slightly contradictory nuances.

On the one hand, although Article 7 does not expressly mention any mental link between the material element of the offence and the person deemed to have committed it, the rationale of the penalty and the very concept of guilt support an interpretation whereby that article requires, for the imposition of a penalty, an intellectual link (awareness and intent) disclosing an element of liability in the conduct of the perpetrator of the offence. ( 25 )

On the other hand, as the Norwegian Government pointed out at the hearing, the ECtHR is not against penalising objective facts. In its judgment of 7 October 1988, Salabiaku v. France, ( 26 ) it stated that that was the case only ‘in principle [and] under certain conditions’, since although the ECHR does not prohibit presumptions, ‘it does, however, require the Contracting States to remain within certain limits in this respect as regards criminal law’. ( 27 )

76.

The truth of the matter is that the importation of dogmatic categories found in criminal law (nulla poena sine culpa) into administrative law on the imposition of penalties presents considerable interpretative difficulties. The concept of culpa (in the form of negligence) may cover a mere failure to comply with a statutory provision where the person responsible for non-compliance was under a duty to know what actions were required of him or her.

77.

From that point of view, the different forms of culpa, including the least serious, as well as the different methods for attributing culpa (culpa in vigilando or in eligendo, for instance) could be applied to conduct which, from another angle, some courts would describe as involving strict liability. Where one category ends and another begins is thus not as clear in administrative law on the imposition of penalties as the order for reference suggests.

78.

It is true that, so far as EU law is concerned, the Court of Justice has, in some situations, allowed a ‘strict liability’ penalty system. It did so, for instance, in its judgment of 22 March 2017, Euro-Team and Spirál-Gép, in the following terms:

‘[concerning] the compatibility of the institution of strict liability with the principle of proportionality, the Court has already ruled on a number of occasions that such a system penalising breaches of EU law is not in itself incompatible with that law’;

‘the imposition of a system of strict liability is not disproportionate in relation to the objectives pursued if that system is such as to encourage the persons concerned to comply with the provisions of a regulation and where the objective pursued is a matter of public interest which may justify the introduction of such a system’. ( 28 )

79.

However, that precedent was set in areas other than data protection, involving the breach of positive obligations primarily in the nature of formalities: penalties imposed for the use of a section of motorway without having paid the required toll ( 29 ) and for failure to comply with provisions governing the use of record sheets for recording equipment in a heavy goods vehicle. ( 30 )

80.

As regards the obligations laid down by the GDPR – including those governing the processing of data (Article 5) and the lawfulness of such processing (Article 6) – the assessment of whether they have been complied with involves a complex process of evaluation and examination going beyond the mere finding of a formal breach.

81.

In any event, I consider that Article 83 of the GDPR supports the exclusion of a strict liability (no-fault) system in connection with the imposition of penalties, that is to say, it requires the punishable conduct to be intentional or negligent. In my view, that is clear from various paragraphs of Article 83.

Paragraph 1 requires fines in respect of infringements to be ‘proportionate’. The principle that penalties must be proportionate is guaranteed by Article 49 of the Charter and, by extension, by the case-law of the ECtHR referred to above.

Paragraph 2(b) expressly refers to ‘the intentional or negligent character of the infringement’ as a determining factor for the imposition of an administrative fine and the calculation of its amount. ( 31 ) The other factors listed in points (a) to (k) of that paragraph specify the relevant circumstances of each case and a number of them include a subjective component; ( 32 ) the mere objective nature of the infringement does not appear in that list.

Paragraph 3 provides that, if the controller or processor ‘intentionally or negligently’ infringes several provisions of the GDPR at the same time (concurrent infringements), the amount of the fine is not to exceed the amount specified for the gravest infringement. It is therefore assumed that purely objective breaches are irrelevant, for the purposes of imposing a penalty, as long as they are not committed alongside intentional or negligent breaches.

82.

The proposition set out immediately above might be moot if, as claimed by some of the governments which have intervened, the lack of express provisions on that point in the GDPR means that Member States may opt for a system of subjective liability (based on intent or negligence) or for a system which also includes strict liability.

83.

I admit that the position of those governments does have some basis in argument: in so far as Article 83(2) of the GDPR refers to intent or negligence as factors for setting the amount of the fine, and not as indispensable (essential) elements of the infringing conduct itself, it could be said that that provision leaves it open to Member States to structure the essential elements of the infringement as they see fit.

84.

However, I share the Commission’s view that, properly understood, the penalty system established by the GDPR, the direct applicability of which is undeniable, militates in favour of a unitary and consistent approach ( 33 ) for all Member States and not an approach whereby each Member State may decide for itself whether punishable infringements should cover infringements that are not intentional or negligent.

85.

In my view, the appropriateness of the unitary approach (and the unfeasibility of the ‘each to their own’ approach) is borne out by the recitals of the GDPR mentioned by the referring court in its request for a preliminary ruling, which restate the need to punish infringements with equivalent sanctions. ( 34 ) Equivalence would not be achieved if each Member State were able to penalise infringements of a disparate nature, including mere objective infringements devoid of intent or negligence.

V. Conclusion

86.

In the light of the foregoing considerations, I propose that the Court of Justice give the following reply to the Kammergericht Berlin (Higher Regional Court, Berlin, Germany):

Article 58(2)(i) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in conjunction with Article 4(7) and Article 83 of that regulation,

must be interpreted as meaning that the imposition of an administrative fine on a legal person as data controller is not conditional on a prior finding of an infringement committed by one or more individual natural persons in the service of that legal person.

Administrative fines which may be imposed under Regulation 2016/679 require the conduct constituting the penalised infringement to be intentional or negligent.


( 1 ) Original language: Spanish.

( 2 ) Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).

( 3 ) Law of 24 May 1968 (BGBl. I 481; III 454-1), in the version of 19 February 1987 (BGBl. I, p. 602), as amended by the Law of 19 June 2020 (BGBl. I, p. 1328) (‘the OWiG’).

( 4 ) Council Regulation of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty (OJ 2003 L 1, p. 1).

( 5 ) Ground II(1) of the order for reference. See point 41 et seq. of this Opinion.

( 6 ) Paragraph 45 of Deutsche Wohnen’s written observations and paragraphs 24 and 25 of the German Government’s written observations.

( 7 ) In proceedings under Article 267 TFEU, which are based on a clear separation of functions between the national courts and the Court of Justice, the national court alone has jurisdiction to find and assess the facts in the case before it and to interpret and apply national law. Judgment of 26 April 2017, Farkas (C‑564/15, EU:C:2017:302, paragraph 37).

( 8 ) The Court may refuse to rule on a question referred for a preliminary ruling only where it is quite obvious that the interpretation of EU law that is sought is unrelated to the actual facts of the main action or its purpose, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it (for example, judgment of 27 September 2017, Puškár, C‑73/16, EU:C:2017:725, paragraph 50). None of those circumstances arises here.

( 9 ) Despite Deutsche Wohnen’s reluctance to admit that status at the public hearing, the fact is that its profile matches the definition of ‘controller’ set out in Article 4 of the GDPR. That is the case irrespective of whether it is actually liable for the infringements it is alleged to have committed as ‘controller’.

( 10 ) A different matter is the fact that, in order to determine the amount of the relevant penalty, account must be taken, where appropriate, of whether Deutsche Wohnen and its subsidiaries are part of a larger economic unit. Despite appearances, the usual difficulties associated with apportioning liability between parent companies and subsidiaries or groups of companies do not, strictly speaking, arise in this reference for a preliminary ruling.

( 11 ) Article 4 of the GDPR, in point (7), defines ‘controller’, for our purposes here, as ‘the … legal person … which, alone or jointly with others, determines the purposes and means of the processing of personal data’ and, in point (8), describes ‘processor’ as ‘a … legal person … which processes personal data on behalf of the controller’.

( 12 ) Those legal persons are, of course, entitled to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them (Article 78(1) of the GDPR) and, therefore, also against any administrative fine which may be imposed on them.

( 13 ) By way of example, on 31 December 2022 the Irish data protection authority imposed fines of EUR 210 million on Facebook and EUR 180 million on Instagram.

( 14 ) Ground II(1) of the order for reference.

( 15 ) See point 32 of this Opinion.

( 16 ) Judgment of 27 April 2017, Akzo Nobel and Others v Commission (C‑516/15 P, EU:C:2017:314, paragraph 47).

( 17 ) For example, judgment of 10 April 2014, Areva and Others v Commission (C‑247/11 P and C‑253/11 P, EU:C:2014:257, paragraph 123).

( 18 ) As indicated above, the difficulties associated with the relationship between parent companies and subsidiaries for penalty purposes fall outside the scope of this preliminary ruling. The reference for a preliminary ruling also does not raise questions concerning the burden of proving the acts complained of.

( 19 ) Recital 10 of the GDPR.

( 20 ) Loc. ult. cit.

( 21 ) Paragraph 25 of the German Government’s written observations. In response to that argument, the referring court submits, in the terms reproduced above, that even in conjunction with Paragraphs 9 and 30 of the OWiG, the protection of legal interests afforded by domestic law is very limited compared with the system of liability under Articles 101 and 102 TFEU.

( 22 ) Paragraph 25 of the German Government’s written observations, footnotes 16 to 18.

( 23 ) The term ‘strict liability’ generally corresponds, in the English-language translations of the Court’s judgments, to responsabilidad objetiva (Spanish), responsabilité objective (French), responsabilità oggettiva (Italian), responsabilidade objetiva (Portuguese), objektiven Verantwortlichkeit (German) and objectieve aansprakelijkheid (Dutch).

( 24 ) For example, judgment of 2 February 2021, Consob (C‑481/19, EU:C:2021:84, paragraph 36).

( 25 ) ECtHR, 20 January 2009, Sud Fondi and Others v. Italy, CE:ECHR:2009:0120JUD007590901, § 116.

( 26 ) CE:ECHR:1988:1007JUD001051983.

( 27 ) ECtHR, 7 October 1988, Salabiaku v. France, CE:ECHR:1988:1007JUD001051983, §§ 27 and 28.

( 28 ) Judgment of 22 March 2017, Euro-Team and Spirál-Gép (C‑497/15 and C‑498/15, EU:C:2017:229, paragraphs 53 and 54), citing judgment of 9 February 2012, Urbán (C‑210/10, EU:C:2012:64, paragraphs 47 and 48), respectively.

( 29 ) Judgment of 22 March 2017, Euro-Team and Spirál-Gép (C‑497/15 and C‑498/15, EU:C:2017:229).

( 30 ) Judgment of 9 February 2012, Urbán (C‑210/10, EU:C:2012:64).

( 31 ) See, however, points 82 and 83 of this Opinion.

( 32 ) Thus, for example, point (a) refers to the purpose of the processing, point (c) to action taken to mitigate damage, point (d) to the degree of responsibility in the light of the measures taken, and point (f) to the degree of cooperation with the supervisory authority.

( 33 ) Recital 150 of the GDPR refers to the consistent application of administrative fines by Member States. By contrast, Member States may determine ‘whether and to which extent public authorities should be subject to administrative fines’. The foregoing is without prejudice to the specific provisions for Denmark and Estonia mentioned in recital 151 and to the scenarios described in recital 152.

( 34 ) Recital 10 of the GDPR calls for a ‘consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data …’ (emphasis added). Recital 11 states that infringements should be punished by equivalent sanctions, wording repeated in recital 13.

Top