The Court of Justice of the European Union (CJEU) has clarified the conditions under which data protection authorities (DPAs) can issue monetary penalties to data controllers under Article 83(4) to (6) of the EU General Data Protection Regulation (GDPR). The CJEU ruled in Case C-683/21 that a data controller should only receive a fine where an infringement of the GDPR is committed "intentionally or negligently."
Additionally, the CJEU clarified that fines issued to a group of companies must be calculated based on the turnover of the entire group.
In his legal analysis of the ruling, Jonathan Kirsop, Partner, Head of Technology, Media, and Telecoms at law firm Pinsent Masons, indicated that the "judgment seems to limit the scope for fines being imposed for more 'technical' or administrative breaches where a controller has acted in good faith" but that "fines will still be imposed where a controller should have known that it had committed a breach, whether or not it did so."
He went on to argue that, in practice, DPAs tend to focus on larger GDPR violations and that, as such, "it may be that this clarification does little other than to make more explicit what was the approach of DPAs based on the resources and priorities that they have."
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread.