GDPR – fines – the Advocate General’s opinion in the ILVA case

On 12 September 2024, the Advocate General issued his opinion on the “Ilva” case relating to an infringement of Article 5(1)(e), Article 5(2) and Article 6 of the General Data Protection Regulation (GDPR) regarding the retention of approximately 385,000 former customers personal details in outdated customer information system.

In 2019 the Danish Data Protection Authority (DPA) fined the company Ilva (IDdesign A/S) DKK 1.5 million for breaches of the GDPR, and at the same time reported them to the police. Prior to an inspection visit by the DPA, Ilva had informed them that an older system was being used in some stores to process the data of approximately 385,000 former customers including their name, address, telephone number, e-mail, and purchase history. Ilva was replacing the older system with a new system that was already operating in many stores. During the inspection visit, Ilva also stated that there were no deletion deadlines in the older system, and that personal data in this system had never been deleted and had therefore been stored for significantly longer than necessary.

In calculating the fine, the DPA and the prosecution had taken the net turnover for the entire Lars Larsen Group group, of which ILVA is a part, and thus not just the net turnover for ILVA. This principle follows from preamble recital 150 of the GDPR which states that where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with EU competition law.

Ilva appealed the decision of the DPA to the city court in Aarhus which significantly reduced the fine to DKK 100,000. The city court held that the violation had been committed negligently (not intentionally) and found that the lack of deletion was an oversight due to a too one-sided focus on the company’s new active IT systems. In addition, the court also found that it was only Ilva’s own turnover that should be used as a basis for calculating the size of the fine and note that of the entire Lars Larsen Group, which the court considered would be contrary to the principle of the Danish Administration of Justice Act,

The public prosecutor appealed the judgment to the Western High Court, which has asked two preliminary questions to the Court of Justice of the European Union (CJEU). The first question is about how the term “undertaking” in section 83, subsection 4-6 of the GDPR must be understood in the light of recital 150 i.e., whether the term “undertaking” covers any entity engaged in an economic activity, regardless of that entity’s legal status and the way in which it is financed. If the answer to this first question is yes, the court has also asked for clarification on whether regard must be had to the total worldwide annual turnover of the economic entity of which the undertaking form’s part, or only the total worldwide annual turnover of the undertaking itself when fines pursuant to the GDPR are imposed.

On 12 September 2024, the Advocate General gave his opinion on the case. The Advocate Generals assist the CJEU by writing an impartial and independent opinion on a case that the CJEU judges consider before giving judgment.

The Advocate General’s opinion

It is the opinion of the Advocate General that the GDPR must be interpreted such that when a fine is imposed on a data controller or data processor that is part of a group, the term “undertaking must be understood in accordance with TFEU articles 101 and 102. In particular, it is “entity engaged in an economic activity,” no matter its legal form. In this case, the Advocate General drew attention to the parent company’s influence on the companies within the group. That influence, as defined in the CJEU case law, amounts, for example, to appointing members of the board of directors or calling shareholders meetings. If the parent company “exercise decisive influence” over the controller, then the undertaking under Article 83(5) GDPR would consist of: 1) the controller, 2) the parent company, 3) other companies under decisive influence of the parent company.

However, the Advocate General pointed out that the rules for calculating the maximum fine do not have to be applied as “the main or only reference for setting the actual fine” and when determining the fine the national court, must ensure that the principle of proportionality is respected. Therefore, the fine should reflect all the facts of the case including all aggravating and extenuating circumstances.

The Advocate Gerneral determined in conclusion when using the concept of undertaking to determine the level of the actual level of fine pursuant to Artice 83 of GDPR its should firstly be evaluated whether the parent company has exercised its decision-making power with respect to specific activities of the controller or the processor at issue in the GDPR infringement(s). Secondly consideration should be given as to whether specific data processing infringing the GDPR relates to the company concerned and/or to the whole group. Third, it is necessary to establish whether more than one company forming part of the group was involved in the GDPR infringement(s).”

Mette Klingsten Law Firm notes

It is to be expected that the CJEU will follow the Advocate General’s proposal for a decision when answering the Western High Court’s preliminary questions.

The CJEU will not comment on specific determination of the fine and will only answer the questions that the national court specifically asked on the interpretation of the GDPR.

The Advocate General’s proposed decision of 12 September in case C-383/23 (ECLI:EU:C:2024:752) can be read in its entirety via this link