Search
Contact
Symbolbild zu BGH Aufklärungspflichten: Gewerbeimmobilie
28.04.2023 | KPMG Law Insights

ECJ: Advocate General rejects strict liability for data protection breaches

On the controversial issue of strict liability of companies for breaches of the General Data Protection Regulation (GDPR), the Advocate General at the ECJ delivered his opinion on April 27, 2023 (C-807/21). In it, he rejects strict liability.

Previously, fines were imposed regardless of fault

As a rule, fines can only be imposed on companies if executives commit negligent or intentional acts that can be attributed to the company. This is based on “Rechtsträgerprinzip” according to. § 30 OWiG.

On February 18, 2021, the Berlin Regional Court took the view that in fine proceedings pursuant to Article 83 of the GDPR, a legal entity cannot itself be considered a “data subject,” but only a secondary party. This follows from the fact that administrative offenses can only be committed by natural persons. A legal entity, on the other hand, can only be held responsible for the actions of its members or representatives. Because § 30 para. 1 OWiG always links the imposition of fines to culpable misconduct on the part of natural persons, for which the legal person is only liable on the legal consequences side.

The Regional Court of Bonn and the German data protection authorities, on the other hand, assume the application of the “function bearer principle” known from European antitrust law in connection with strict liability in the context of Art. 83 GDPR. Accordingly, the company would be the directly materially liable addressee for sanctions. Violations by employees (not only management personnel) would then already be sufficient for the imposition of a fine. It should not depend on fault.

On January 17, 2023, the Grand Chamber of the ECJ addressed two questions referred for a preliminary ruling during the oral proceedings. A fine of approximately EUR 14.5 million was imposed on a German housing company. The questions of the applicability of the function bearer principle and the requirement of proof of culpable conduct were submitted to the ECJ for consideration.

Advocate General: Violations of all employees attributable, fault is a prerequisite

In his opinion of April 27, 2023, Advocate General Campos Sánchez-Bordona argues against strict liability of companies.

However, it also takes the view that a legal person must bear the consequences of GDPR infringements not only “if committed by their representatives, managers or directors, but also if the violations were committed by natural persons (employees in the broad sense) acting within the scope of the company’s business activities and under the supervision of the first-mentioned persons.”

As a result, violations of supervisory duties must at least be proven so that the culpable actions of employees outside the management level can be attributed to the legal entity. The Berlin Regional Court will have to clarify whether German administrative offence law adequately implements the GDPR in this respect.

In addition, the Advocate General also takes a position on the assessment of the amount of the fine. Accordingly, “thereference for the determination of this amount must not be the formal legal personality of a company, but the ‘economic entity ‘ “. It can be deduced from this that the assessment of fines should be based on the group’s turnover – and not just the turnover of the company. This could lead to a substantial increase in fines.

Significance of the dispute in terms of practical law

The state of the dispute has serious implications for the conduct of fine proceedings.

Data protection authorities are demanding that they be allowed to impose fines on companies for data protection violations, irrespective of the principle of fault. The principle of fault would lead to a considerable restriction of fine proceedings against companies. The recitals to the GDPR show that this was not the intention of the European legislator.

This view would make it easier for the data protection authorities to impose GDPR fines and would thus mean a significant increase in the liability risk for companies, as they can become the addressee of a fine regardless of any specific fault.

Admittedly, the Advocate General has rejected a corresponding strict liability and the chambers of the ECJ regularly follow the Opinion of the Advocate General in their decision-making. Nevertheless, a different outcome of the proceedings remains possible.

Explore #more

09.01.2025 | In the media

KPMG Law strengthens Legal Transformation Managed Services and Legal Corporate Services with two new senior managers

On January 1, KPMG Law strengthened its Transformation Managed Services practice with Jana Sichelschmidt and its Corporate Services practice with Dr. Michaela Lenk. Both are…

06.01.2025 | Deal Notifications

KPMG Law advises on the sale of Käppler & Pausch GmbH

Gabriel Pausch, the co-founder and main shareholder of Käppler & Pausch GmbH, a system supplier for metal assemblies as well as metal and sheet metal…

03.01.2025 | In the media

Interview in Betrieb on the EU money laundering package and its impact

The EU anti-money laundering package harmonizes anti-money laundering and counter-terrorism rules in Europe and introduces new measures such as cash limits of €10,000, identification requirements…

02.01.2025 | In the media

KPMG Law Statement in eMagazin Immobilienanwälte: Creativity meets law in trademark protection

Four Frankfurt, Elbtower, Vonovia: real estate projects and companies are backed by constructs worth millions or even billions. In order to stand out from the…

20.12.2024 | KPMG Law Insights

The EU packaging regulation sets strict requirements for packaging

The EU has adopted the Packaging Regulation. After the European Parliament adopted the Commission’s draft on April 24, 2024, the EU member states also approved…

20.12.2024 | Deal Notifications

KPMG and KPMG Law supported the sale of circular Informationssysteme to the teccle group

Together with the corporate finance/M&A advisors of KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG), KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) advised the shareholders of circular Informationssysteme GmbH (circular)…

19.12.2024 | Press releases

KPMG Law defends Federal Motor Transport Authority against claim for damages in connection with the emissions scandal

The state is not liable to vehicle purchasers for damages. KPMG Law has defended the Federal Motor Transport Authority (KBA) against a civil plaintiff’s state…

18.12.2024 | KPMG Law Insights, KPMG Law Insights

MiCAR – What the new EU regulation means for crypto service providers and issuers

An EU regulation will soon come into force that will regulate crypto assets uniformly throughout Europe. It contains significant new obligations for issuers and crypto…

16.12.2024 | Deal Notifications

KPMG Law advises CERTANIA Holding GmbH on the acquisition of RASG Holdco Ltd.

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) has provided legal advice to CERTANIA Holding GmbH, a platform of the Munich-based PE firm Greenpeak Partners, on the…

04.12.2024 | Deal Notifications

KPMG Law and KPMG advises Brain Biotech AG on license agreements and monetization of license rights

KPMG Law Rechtsanwaltsgesellschaft mbH and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Brain Biotech AG on the monetization of licensing rights with Royalty Pharma and the conclusion…

Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll