Landmark decision by the ECJ on GDPR fines | ZFZ Postcard Cases

In a long-awaited decision, the ECJ made two important clarifications regarding the conditions under which companies can be sanctioned under the GDPR.

Firstly, the ECJ clarified that only a culpable breach of the GDPR can lead to the imposition of a fine. Thus, any violation of the GDPR must have been committed intentionally or negligently. Secondly, the ECJ ruled that in case of companies, a fine can be imposed directly on the company even if the infringement cannot be attributed to the legal representatives (e.g. managing director, board member, etc).

The latter clarification means that in future, the imposition of a fine under the GDPR is not dependent on a culpable breach by the legal representatives of companies. Rather, a culpable violation of the GDPR by someone who acted on behalf of the company, for example an employee in a non-executive position, who does not even have to be identified, could be sufficient.

In light of this landmark decision of the ECJ, employers are strongly advised to review their internal data protection compliance system. It is crucial to ensure that all employees are trained comprehensively in data protection law to avoid violations and sanctions as far as possible.

For further information on this topic, please reach out to Melina Peer. The decision can be found here.