GDPR Fines to Be Determined by Global Turnover of Corporate Group
The CJEU has decided that the maximum thresholds for GDPR fines should be calculated using the global turnover of the broader corporate group, not solely the infringing entity.
The recent decision by the Court of Justice of the European Union (CJEU) to calculate GDPR fines based on the global turnover of a corporate group marks a significant shift in data protection enforcement. This blog post highlights the most important aspects of this development and what it means for companies worldwide.
Key Takeaways from the CJEU Decision
- Global Turnover as the Basis for Fines: The CJEU has confirmed that the maximum thresholds for GDPR fines should be calculated using the global turnover of the entire corporate group, not just the infringing entity. This means that fines can be significantly higher, reflecting the financial capacity of the broader economic unit.
- Implications for Corporate Groups: The decision emphasizes that an "undertaking" for fine calculation purposes includes the entire economic unit, aligning with EU competition law. This interpretation applies regardless of the involvement or responsibility of other entities within the group in the GDPR violation.
- Maximum Fine Thresholds: The GDPR sets maximum fine thresholds at the greater of €10 million or 2% of the total worldwide annual turnover, or the greater of €20 million or 4% of the total worldwide annual turnover, depending on the specific violations. The CJEU's decision ensures that these thresholds are applied to the global turnover of the corporate group.
- Corporate Accountability: This ruling underscores the importance of corporate accountability in data protection. Companies must ensure that all entities within their group comply with GDPR requirements, as the financial penalties can now reflect the combined economic strength of the entire group.
Practical Steps for Compliance
- Conduct Comprehensive Risk Assessments: Regularly assess the data protection risks across all entities within the corporate group. Identify potential vulnerabilities and implement measures to mitigate these risks.
- Implement Group-Wide Data Protection Policies: Develop and enforce data protection policies that apply to all entities within the corporate group. Ensure that these policies are aligned with GDPR requirements and are consistently applied.
- Enhance Data Protection Training: Provide ongoing data protection training for employees at all levels within the corporate group. Ensure that staff are aware of their responsibilities and the potential consequences of non-compliance.
- Strengthen Incident Response Plans: Develop robust incident response plans that cover all entities within the corporate group. Ensure that these plans are regularly tested and updated to reflect the latest threats and regulatory requirements.
- Monitor and Audit Compliance: Regularly monitor and audit compliance with GDPR requirements across the corporate group. Use these audits to identify areas for improvement and to ensure that corrective actions are taken promptly.
Conclusion
The CJEU's decision to base GDPR fines on the global turnover of corporate groups highlights the need for comprehensive and consistent data protection practices across all entities within a group. By understanding the implications of this ruling and taking proactive steps to enhance compliance, companies can better protect themselves from significant financial penalties and ensure the privacy and security of personal data.