Symbolbild zu BGH Aufklärungspflichten: Gewerbeimmobilie
28.04.2023 | KPMG Law Insights

ECJ: Advocate General rejects strict liability for data protection breaches

On the controversial issue of strict liability of companies for breaches of the General Data Protection Regulation (GDPR), the Advocate General at the ECJ delivered his opinion on April 27, 2023 (C-807/21). In it, he rejects strict liability.

Previously, fines were imposed regardless of fault

As a rule, fines can only be imposed on companies if executives commit negligent or intentional acts that can be attributed to the company. This is based on “Rechtsträgerprinzip” according to. § 30 OWiG.

On February 18, 2021, the Berlin Regional Court took the view that in fine proceedings pursuant to Article 83 of the GDPR, a legal entity cannot itself be considered a “data subject,” but only a secondary party. This follows from the fact that administrative offenses can only be committed by natural persons. A legal entity, on the other hand, can only be held responsible for the actions of its members or representatives. Because § 30 para. 1 OWiG always links the imposition of fines to culpable misconduct on the part of natural persons, for which the legal person is only liable on the legal consequences side.

The Regional Court of Bonn and the German data protection authorities, on the other hand, assume the application of the “function bearer principle” known from European antitrust law in connection with strict liability in the context of Art. 83 GDPR. Accordingly, the company would be the directly materially liable addressee for sanctions. Violations by employees (not only management personnel) would then already be sufficient for the imposition of a fine. It should not depend on fault.

On January 17, 2023, the Grand Chamber of the ECJ addressed two questions referred for a preliminary ruling during the oral proceedings. A fine of approximately EUR 14.5 million was imposed on a German housing company. The questions of the applicability of the function bearer principle and the requirement of proof of culpable conduct were submitted to the ECJ for consideration.

Advocate General: Violations of all employees attributable, fault is a prerequisite

In his opinion of April 27, 2023, Advocate General Campos Sánchez-Bordona argues against strict liability of companies.

However, it also takes the view that a legal person must bear the consequences of GDPR infringements not only “if committed by their representatives, managers or directors, but also if the violations were committed by natural persons (employees in the broad sense) acting within the scope of the company’s business activities and under the supervision of the first-mentioned persons.”

As a result, violations of supervisory duties must at least be proven so that the culpable actions of employees outside the management level can be attributed to the legal entity. The Berlin Regional Court will have to clarify whether German administrative offence law adequately implements the GDPR in this respect.

In addition, the Advocate General also takes a position on the assessment of the amount of the fine. Accordingly, “thereference for the determination of this amount must not be the formal legal personality of a company, but the ‘economic entity ‘ “. It can be deduced from this that the assessment of fines should be based on the group’s turnover – and not just the turnover of the company. This could lead to a substantial increase in fines.

Significance of the dispute in terms of practical law

The state of the dispute has serious implications for the conduct of fine proceedings.

Data protection authorities are demanding that they be allowed to impose fines on companies for data protection violations, irrespective of the principle of fault. The principle of fault would lead to a considerable restriction of fine proceedings against companies. The recitals to the GDPR show that this was not the intention of the European legislator.

This view would make it easier for the data protection authorities to impose GDPR fines and would thus mean a significant increase in the liability risk for companies, as they can become the addressee of a fine regardless of any specific fault.

Admittedly, the Advocate General has rejected a corresponding strict liability and the chambers of the ECJ regularly follow the Opinion of the Advocate General in their decision-making. Nevertheless, a different outcome of the proceedings remains possible.

Explore #more

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…

14.02.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

09.02.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: The employment law function

In almost all German companies, the employment law function is located in the HR department and not in the legal department. One of the reasons…

02.02.2024 | KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

On December 14, 2023, the Council and the European Parliament reached a provisional political agreement on the EU Corporate Sustainability Due Diligence Directive (CSDDD). This…

01.02.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: Fair play in eSports

eSports is a billion-dollar market that is growing rapidly. This makes it all the more important for the economic players involved to comply with applicable…

24.01.2024 | KPMG Law Insights

How the new unitary patent works – ten facts

The new unitary patent can be applied for at the European Patent Office (EPO) from June 1, 2023. The Implementing Regulations and the Schedule of

22.01.2024 | PR Publications

Guest article in the Börsen-Zeitung on the subject of EU antitrust regulations

Agreements with competitors on sustainability efforts may violate antitrust law. Which legal interest should then take precedence? KPMG Law expert Jonas Brueckner discusses this question…

18.01.2024 | KPMG Law Insights

AI and copyright – what is permitted when using LLMs?

A few months ago, new players entered the legal scene and have since caused numerous legal discussions: Large Language Models (LLM), better known as…


Francois Heynike, LL.M. (Stellenbosch)

Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

tel: +49-69-951195770

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.