Search
Contact
Symbolbild zu BGH Aufklärungspflichten: Gewerbeimmobilie
28.04.2023 | KPMG Law Insights

ECJ: Advocate General rejects strict liability for data protection breaches

On the controversial issue of strict liability of companies for breaches of the General Data Protection Regulation (GDPR), the Advocate General at the ECJ delivered his opinion on April 27, 2023 (C-807/21). In it, he rejects strict liability.

Previously, fines were imposed regardless of fault

As a rule, fines can only be imposed on companies if executives commit negligent or intentional acts that can be attributed to the company. This is based on “Rechtsträgerprinzip” according to. § 30 OWiG.

On February 18, 2021, the Berlin Regional Court took the view that in fine proceedings pursuant to Article 83 of the GDPR, a legal entity cannot itself be considered a “data subject,” but only a secondary party. This follows from the fact that administrative offenses can only be committed by natural persons. A legal entity, on the other hand, can only be held responsible for the actions of its members or representatives. Because § 30 para. 1 OWiG always links the imposition of fines to culpable misconduct on the part of natural persons, for which the legal person is only liable on the legal consequences side.

The Regional Court of Bonn and the German data protection authorities, on the other hand, assume the application of the “function bearer principle” known from European antitrust law in connection with strict liability in the context of Art. 83 GDPR. Accordingly, the company would be the directly materially liable addressee for sanctions. Violations by employees (not only management personnel) would then already be sufficient for the imposition of a fine. It should not depend on fault.

On January 17, 2023, the Grand Chamber of the ECJ addressed two questions referred for a preliminary ruling during the oral proceedings. A fine of approximately EUR 14.5 million was imposed on a German housing company. The questions of the applicability of the function bearer principle and the requirement of proof of culpable conduct were submitted to the ECJ for consideration.

Advocate General: Violations of all employees attributable, fault is a prerequisite

In his opinion of April 27, 2023, Advocate General Campos Sánchez-Bordona argues against strict liability of companies.

However, it also takes the view that a legal person must bear the consequences of GDPR infringements not only “if committed by their representatives, managers or directors, but also if the violations were committed by natural persons (employees in the broad sense) acting within the scope of the company’s business activities and under the supervision of the first-mentioned persons.”

As a result, violations of supervisory duties must at least be proven so that the culpable actions of employees outside the management level can be attributed to the legal entity. The Berlin Regional Court will have to clarify whether German administrative offence law adequately implements the GDPR in this respect.

In addition, the Advocate General also takes a position on the assessment of the amount of the fine. Accordingly, “thereference for the determination of this amount must not be the formal legal personality of a company, but the ‘economic entity ‘ “. It can be deduced from this that the assessment of fines should be based on the group’s turnover – and not just the turnover of the company. This could lead to a substantial increase in fines.

Significance of the dispute in terms of practical law

The state of the dispute has serious implications for the conduct of fine proceedings.

Data protection authorities are demanding that they be allowed to impose fines on companies for data protection violations, irrespective of the principle of fault. The principle of fault would lead to a considerable restriction of fine proceedings against companies. The recitals to the GDPR show that this was not the intention of the European legislator.

This view would make it easier for the data protection authorities to impose GDPR fines and would thus mean a significant increase in the liability risk for companies, as they can become the addressee of a fine regardless of any specific fault.

Admittedly, the Advocate General has rejected a corresponding strict liability and the chambers of the ECJ regularly follow the Opinion of the Advocate General in their decision-making. Nevertheless, a different outcome of the proceedings remains possible.

Explore #more

06.06.2025 | KPMG Law Insights

Business Travel and Assignment in the USA: What you need to know about US immigration

The recent changes in US immigration rules are causing uncertainty worldwide. In particular, since the new US government took office, processes regarding entry into the…

02.06.2025 | Deal Notifications

KPMG Law and KPMG advise Diehl Defence on the acquisition of e.sigma

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Diehl Defence GmbH & Co. KG (Diehl Defence) on the complete acquisition of…

27.05.2025 | KPMG Law Insights

Cell Phone Inspections at US Border and Beyond: What to Expect

Key facts: U.S. immigration officials monitor public social media data and travelers should be prepared to share details about their personal social media accounts. All…

14.05.2025 | KPMG Law Insights

BGH on customer installations: Decision orders application in line with the directive

In a ruling dated May 13, 2025, the BGH classified the supply infrastructure in the specific case of a residential complex in Zwickau as a…

13.05.2025 | In the media

KPMG Law expert in Spiegel article on energy policy

Dirk-Henning Meier, Senior Manager in the energy law department at KPMG Law, is quoted in a recent article on energy policy in Der Spiegel.…

13.05.2025 | Career, In the media

azur Karriere Magazin – All AI or what?

Artificial intelligence has long since arrived in law firms and legal departments. But dealing with it is a skill that needs to be learned. Many…

13.05.2025 | KPMG Law Insights

Initial experience with the Single-Use Plastics Fund Act: what manufacturers should bear in mind

Beverage cups, foil and plastic cigarette filters litter streets, parks and sidewalks. The cleaning costs are borne by the local authorities. The Disposable Plastics Fund…

07.05.2025 | KPMG Law Insights

Termination of fixed-term rental agreements in the case of pre-leasing

In the case of a pre-leasing, the tenancy only begins at a later date, usually the handover date. In such cases, the contracting parties usually…

06.05.2025 | In the media

Wirtschaftswoche honors KPMG Law

KPMG Law was named “TOP Law Firm 2025” in the field of M&A by WirtschaftsWoche. Ian Maywald, Partner at KPMG Law in Munich, was…

Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll