New Criteria for GDPR Fines Determined by the CJEU

December 18th, 2023

The European Court of Justice has refined the application of the GDPR, offering important insights for data protection enforcement.

🔹 𝐊𝐞𝐲 𝐔𝐩𝐝𝐚𝐭𝐞𝐬:

• Fine Issuance Criteria: Clear parameters for when GDPR fines are applicable. • Fine Calculation Methods: A new formula to determine monetary penalties. • Joint Controllership Conditions: Guidelines for establishing shared data management responsibilities. • Fine Amounts: A structured approach to decide on penalty figures.

🔍 𝐂𝐚𝐬𝐞 𝐁𝐚𝐜𝐤𝐠𝐫𝐨𝐮𝐧𝐝:

• Triggered by queries from Lithuanian and German courts concerning Covid-19 data handling and tenant information storage, the CJEU’s interpretation of Article 83 of the GDPR has led to these updates.

💡 𝐂𝐉𝐄𝐔’𝐬 𝐈𝐧𝐬𝐢𝐠𝐡𝐭𝐬:

• Fines for Misconduct: Only applicable if data controllers act with malice or negligence. • Broad Liability: Inclusivity of legal entities, regardless of individual breach awareness. • Subcontractor Responsibility: Fines reflect the entire enterprise group’s turnover.

These developments are crucial for GDPR-compliant entities, underscoring the importance of adherence for effective compliance and risk management.