The Court of Justice of the European Union (CJEU) has recently provided significant guidance on the application of the GDPR. In a preliminary ruling in proceedings regarding cases from Lithuania and Germany, the CJEU clarified some key principles regarding national data protection authorities’ legal grounds for issuing fines under GDPR.

Firstly, the CJEU clarified the conditions under which national supervisory authorities may impose an administrative fine on one or more controllers for an infringement of the GDPR. According to the CJEU, administrative fines under the GDPR are reserved for instances of wrongful conduct, which means intentional or negligent violations. 
Secondly, the CJEU clarified that fines may be imposed on legal persons, extending liability not just to management bodies but to any individual acting on behalf of the organisation.

Thirdly, the CJEU also addressed the relationship between controllers and processors, highlighting that controllers may be fined for operations performed by processors, provided the controller can be held responsible for such operations. Additionally, the concept of joint control was elucidated, emphasising that it arises from participation in determining processing purposes and means, even without a formal arrangement between entities.

Finally, the CJEU found that where the infringer forms part of a group of companies, the fine must be calculated taking into account the entire group’s turnover.

This recent judgment by the Court of Justice signals a significant clarification in how data protection authorities should assess GDPR infringements and determine fines. As national data protection authorities increasingly wield their enforcement powers, organisations face a heightened need to ensure compliance.