ECJ Rules: Corporate Liability Sufficient for GDPR Fines

Data protection violations in companies can be subject to fines even if no misconduct on the part of an individual employee can be proven. It is sufficient that the legal entity itself, for example because of inadequate compliance measures, has acted culpably.

The decision of the European Court of Justice (ECJ, judgment of December 5, 2023, Case C-807/21 – Deutsche Wohnen) was based on enforcement proceedings against the real estate company Deutsche Wohnen SE, which has been part of Vonovia SE since 2021. In 2020, the Berlin Data Protection Commissioner imposed a fine of approximately EUR 14.5 million on Deutsche Wohnen. The reason was that tenants' personal data had been stored for longer than necessary.
As part of these proceedings, the Berlin Court of Appeal (Kammergericht) referred fundamental questions to the ECJ for a preliminary ruling regarding the liability of companies for data protection violations where the misconduct cannot be attributed to a specific individual within the company.

The Court has now ruled that, unlike for administrative offenses under German law (OWiG), a company can be held liable for violations of European data protection law without proof of misconduct by a specific individual employee. Rather, in line with the broad liability requirements under competition law, it is sufficient for the imposition of a fine as a sanction for a violation if the responsible legal entity itself, i.e., the company, acted at least negligently. The decisive factor is whether the company's employees, taken collectively as an abstract whole, should have been aware of the essential facts of the violation in light of the company's organization and compliance efforts.

It is now up to the national courts to apply the broad liability framework set forth by the ECJ in individual cases. This ruling should once again prompt companies to critically examine their data protection management as well as their measures for training employees and raising their awareness of data protection requirements. This is all the more important because the amount of any fine is based on a company's economic capacity and, in the case of a corporate group, is determined not by the individual company's turnover but by that of the entire group.

If you have any questions regarding data protection matters, our Data Protection Practice Group would be pleased to assist you.