Symbolbild zu BGH Aufklärungspflichten: Gewerbeimmobilie
28.04.2023 | KPMG Law Insights

ECJ: Advocate General rejects strict liability for data protection breaches

On the controversial issue of strict liability of companies for breaches of the General Data Protection Regulation (GDPR), the Advocate General at the ECJ delivered his opinion on April 27, 2023 (C-807/21). In it, he rejects strict liability.

Previously, fines were imposed regardless of fault

As a rule, fines can only be imposed on companies if executives commit negligent or intentional acts that can be attributed to the company. This is based on “Rechtsträgerprinzip” according to. § 30 OWiG.

On February 18, 2021, the Berlin Regional Court took the view that in fine proceedings pursuant to Article 83 of the GDPR, a legal entity cannot itself be considered a “data subject,” but only a secondary party. This follows from the fact that administrative offenses can only be committed by natural persons. A legal entity, on the other hand, can only be held responsible for the actions of its members or representatives. Because § 30 para. 1 OWiG always links the imposition of fines to culpable misconduct on the part of natural persons, for which the legal person is only liable on the legal consequences side.

The Regional Court of Bonn and the German data protection authorities, on the other hand, assume the application of the “function bearer principle” known from European antitrust law in connection with strict liability in the context of Art. 83 GDPR. Accordingly, the company would be the directly materially liable addressee for sanctions. Violations by employees (not only management personnel) would then already be sufficient for the imposition of a fine. It should not depend on fault.

On January 17, 2023, the Grand Chamber of the ECJ addressed two questions referred for a preliminary ruling during the oral proceedings. A fine of approximately EUR 14.5 million was imposed on a German housing company. The questions of the applicability of the function bearer principle and the requirement of proof of culpable conduct were submitted to the ECJ for consideration.

Advocate General: Violations of all employees attributable, fault is a prerequisite

In his opinion of April 27, 2023, Advocate General Campos Sánchez-Bordona argues against strict liability of companies.

However, it also takes the view that a legal person must bear the consequences of GDPR infringements not only “if committed by their representatives, managers or directors, but also if the violations were committed by natural persons (employees in the broad sense) acting within the scope of the company’s business activities and under the supervision of the first-mentioned persons.”

As a result, violations of supervisory duties must at least be proven so that the culpable actions of employees outside the management level can be attributed to the legal entity. The Berlin Regional Court will have to clarify whether German administrative offence law adequately implements the GDPR in this respect.

In addition, the Advocate General also takes a position on the assessment of the amount of the fine. Accordingly, “thereference for the determination of this amount must not be the formal legal personality of a company, but the ‘economic entity ‘ “. It can be deduced from this that the assessment of fines should be based on the group’s turnover – and not just the turnover of the company. This could lead to a substantial increase in fines.

Significance of the dispute in terms of practical law

The state of the dispute has serious implications for the conduct of fine proceedings.

Data protection authorities are demanding that they be allowed to impose fines on companies for data protection violations, irrespective of the principle of fault. The principle of fault would lead to a considerable restriction of fine proceedings against companies. The recitals to the GDPR show that this was not the intention of the European legislator.

This view would make it easier for the data protection authorities to impose GDPR fines and would thus mean a significant increase in the liability risk for companies, as they can become the addressee of a fine regardless of any specific fault.

Admittedly, the Advocate General has rejected a corresponding strict liability and the chambers of the ECJ regularly follow the Opinion of the Advocate General in their decision-making. Nevertheless, a different outcome of the proceedings remains possible.

Explore #more

12.07.2024 | Business Performance & Resilience, In the media

Guest article in the IPE Dach: Necessary contract adjustments for DORA implementation

Deadline January 17, 2025: Financial companies and other service providers should start implementing the rules of the “Digital Operational Resilience Act” today, because the preparations,…

08.07.2024 | In the media

Article in In-house Counsel with KPMG Law Statement: Have software modules delivered, assemble, fine-tune, done

The article from 05.07.2024 contains an article with a statement by KPMG Law expert Kai Kubsch. IT applications for the legal department programmed by…

05.07.2024 | In the media

Guest article in Deutscher AnwaltsSpiegel: Transformation in legal departments

The KPMG Legal Department Report, now in its tenth edition (see here), has established itself as the standard work for general counsel since 2005…

03.07.2024 | KPMG Law Insights

BImSchG amendment to speed up approval procedures

On 17.05.2024, the traffic light parliamentary groups agreed on the amendment to the Federal Immission Control Act (BImSchG). The law is intended to create faster…

01.07.2024 | In the media

Guest article in Business Punk: Startup insolvency – bargain for investors or incalculable risk?

The issue of June 25, 2024 contains a guest article by KPMG Law experts Stefan Kimmel and Gunars Urdze. The Covid-19 pandemic and the…

01.07.2024 | In the media

Guest article in IT-Zoom: The path to safe and ethical AI

The June 25, 2024 issue of IT-Zoom contains a guest article by KPMG Law expert Francois Maartens Heynike and KPMG Law expert Kerstin Ohrem.…

28.06.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: ESG and employment law

Sustainable corporate governance is increasingly becoming a legal obligation. The HR department is also affected. Because “sustainable” also includes social aspects. Accordingly, companies have numerous…

25.06.2024 | In the media

Guest article in the ESGZ: Is antitrust law becoming “greener”? – An update

The June issue of ESGZ contains a guest article by KPMG Law expert Jacqueline Unkelbach. Sustainability goals and criteria – in a broader sense…

19.06.2024 | In the media

Guest article in the Börsenzeitung: Tackling succession planning for family businesses early on

Experience shows that less is better than nothing – even individual measures can have a major impact. KPMG Law expert Mark Uwe Pawlytta knows which…

13.06.2024 | In the media

Commentary on the Whistleblower Protection Act (HinSchG) published with contributions from KPMG Law

After years of wrangling, the Bundestag and Bundesrat transposed the EU Whistleblowing Directive into national law in 2023: The Whistleblower Protection Act (HinSchG), which has…


Francois Heynike, LL.M. (Stellenbosch)

Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

tel: +49-69-951195770

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.