Deutsche Wohnen Ruling by ECJ Anticipated to Escalate GDPR Fines

A recent ruling by the European Court of Justice (ECJ) in the case of German property company Deutsche Wohnen is expected to have far-reaching financial implications for organizations found in breach of the General Data Protection Regulation (GDPR). Legal experts have deemed the decision a "landmark" ruling, altering the landscape of GDPR enforcement.

Deutsche Wohnen was initially slapped with a €14.5 million ($15.7 million) fine by the Berlin Data Protection Commissioner in 2019 for unlawfully retaining tenant data beyond the necessary duration. However, this penalty was overturned by a local court two years later, asserting that the company could only be held accountable if blame could be attributed to a specific individual or executive.

The recent ECJ ruling favored Deutsche Wohnen, stating that an organization can only face an administrative GDPR fine if the infringement was committed intentionally or negligently. Despite seemingly favoring the company, legal experts argue that the ruling could make it easier for authorities to impose fines in the future.

Jan Spittka, a partner at Clyde & Co, emphasized that the ruling implies a lack of knowledge by management is not a defense. Organizations are deemed liable for infringements committed by their representatives, directors, managers, or any other person acting on their behalf. The court's application of standards established under EU competition and antitrust law effectively lowers the threshold for supervisory authorities to levy fines.

Spittka commented, "The overall context of the decision will make it way easier for the data protection supervisory authorities of the EU member states to sanction legal entities and is also likely to result in significantly higher fines on average."

One key aspect of the ruling is the allowance for fines based not only on the infringing organization's turnover but also on the turnover of its parent company. This could lead to substantially higher fines being imposed. Importantly, the ruling extends its applicability beyond organizations operating within the EU, encompassing those outside, such as the US and UK, as long as they have a subsidiary within the region and process personal data on EU citizens or offer goods and services within the EU.

As organizations grapple with the evolving regulatory landscape, the Deutsche Wohnen ruling serves as a pivotal moment that may reshape the enforcement dynamics of GDPR, potentially resulting in more stringent penalties for non-compliance.

The GRC Report is the first word in governance, risk, and compliance news. As your trusted source for comprehensive coverage, the GRC Report keeps you informed and equipped to navigate the evolving landscape of governance, risk, and compliance. And remember, the GRC Report isn't just a news source; it's a community of professionals who share your passion for GRC excellence. Don't miss out on our insightful articles and breaking news – join the conversation and empower your GRC journey.