Article summary
MLex: Conditions under which a GDPR fine can be imposed on data controllers have been clarified by the EU Court of Justice. A national authority can directly fine a company (a legal person) for a breach without first establishing that an offense had been committed by a specific natural person who worked for the company. The EU's highest court also said that a fine requires that there be wrongful conduct; in other words, ‘that the infringement has been committed intentionally or negligently.’ Where the fine is addressed to part of a group of companies, its calculation must be based on the turnover of the entire group, following competition law principles. Two judgments today follow questions referred from Lithuania and Germany to clarify aspects of GDPR enforcement. Joint press release is attached. The judgments are attached.
To continue reading this news article, as well as thousands of others like it, sign in with LexisNexis or register for a free trial