ECJ decides on upper limit for fines for data protection violations
In its judgment of 13 February 2025 in case C-383/23, the ECJ ruled on a request for a preliminary ruling from the Regional Court of Western Denmark on the determination of the upper limit of fines for data protection violations by companies.
In the underlying case, the Danish company ILVA, which belongs to the Larsen Group, was sentenced to pay a fine of DKK 100,000 for a data protection offence. The court used ILVA's turnover as the basis for determining the upper limit of the fine. Following the public prosecutor's appeal, the Regional Court for Western Denmark stayed the proceedings and referred two questions to the ECJ for a preliminary ruling, namely whether the term "undertaking" in Art. 83 (4-6) GDPR is to be understood in the sense of antitrust law and includes any economic entity and, if so, whether the annual worldwide turnover of the economic entity to which the undertaking belongs is decisive in determining the amount of the fine.
The ECJ answered both questions in the affirmative. It reiterated its considerations in the Deutsche Wohnen case (case C-807/21) that, with reference to recital 150, the GDPR's definition of an undertaking does not refer to a legal person, but corresponds to that of Art. 101, 102 TFEU and thus refers to an economic entity, even if it consists of several legal persons. Accordingly, the total annual turnover achieved worldwide in the previous financial year of the respective group is decisive for the upper limit of the fine.
However, the addressee of the fine is still the company that committed the offence. In its judgment, the ECJ emphasises that:
- establishing the maximum amount should be distinguished from the actual determination of the fine;
- the criteria set out in Art. 83 para. 2 GDPR are decisive for the specific determination of the fine (for example, the nature, gravity and duration of the infringement);
- any fine to be imposed must also take into account the "actual and material" capacity of the actual addressee of the fine;
- the fine to be imposed must be effective and dissuasive, but also proportionate.
In practice, this means that the maximum possible fine could amount to up to 2 or 4 per cent of the total worldwide group annual turnover, but that the specific fine to be imposed must (also) take into account the economic capabilities of the sanctioned company. What exactly is meant by disproportionality remains open, however, as the ECJ notes that the affiliation of the addressee of the fine to an economic entity may also be taken into account when assessing the criteria for calculating the fine. On the other hand, fines that have a stifling effect or could put the company at risk of insolvency may be disproportionate. Therefore, it cannot be ruled out that a specific fine will be higher than 2 or 4 per cent of the turnover of the company specifically responsible.
This decision has significance beyond the area of data protection. The AI Act, the Digital Markets Act and the Digital Services Act contain similar provisions on fines. In addition, a large number of national provisions on fines based on European legal acts work in a similar way, e.g. Section 56 (4) sentence 2 of the German Money Laundering Act, so the principles of this judgment will also have an impact on national law.
The threat of sanctions therefore potentially remains high and should prompt companies to ensure robust compliance processes, including in particular monitoring adherence to these processes and developing them further.