ECJ: Imposition of a fine only in case of wrongful infringement of the General Data Protection Regulation

In two judgments the European Court of Justice (ECJ) clarified the conditions under which national supervisory authorities may impose an administrative fine following an infringement of the General Data Protection Regulation. In particular, it held that the imposition of such a fine requires that there be wrongful conduct; in other words, that the infringement has been committed intentionally or negligently.

A Lithuanian court and a German court have asked the ECJ for an interpretation of the General Data Protection Regulation (GDPR) regarding the possibility for national supervisory authorities to penalize the infringement of that regulation by imposing an administrative fine on the data controller.

The ECJ held that a data controller may not have an administrative fine imposed for an infringement of the GDPR unless that infringement was committed wrongfully, intentionally, or negligently. That is the case where the controller could not have been unaware of the infringing nature of its conduct, regardless of whether he or she was aware of the infringement or not. Where the controller is a legal person, it is not necessary for the infringement to have been committed by its management body; nor is it necessary for that body to have had knowledge of that infringement.

More details to be found here.

Source:

ECJ, judgments in cases C-683/21 Nacionalinis visuomenės sveikatos centras and C-807/21 Deutsche Wohnen