JUDGMENT OF THE COURT (Grand Chamber)
5 December 2023
(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Article 4(7) – Concept of ‘controller’ – Article 58(2) – Powers of supervisory authorities to apply corrective powers – Article 83 – Imposition of administrative fines on a legal person – Conditions – Discretion of the Member States – Requirement that the infringement be intentional or negligent)
In Case C‑807/21,
REQUEST for a preliminary ruling under Article 267 TFEU from the Kammergericht Berlin (Higher Regional Court, Berlin, Germany), made by decision of 6 December 2021, received at the Court on 21 December 2021, in the proceedings
Deutsche Wohnen SE
v
Staatsanwaltschaft Berlin,
THE COURT (Grand Chamber),
composed of K. Lenaerts, President, L. Bay Larsen, Vice-President, A. Arabadjiev, C. Lycourgos, E. Regan, T. von Danwitz, Z. Csehi, O. Spineanu–Matei, Presidents of Chambers, M. Ilešič, J.-C. Bonichot, L.S. Rossi, A. Kumin, N. Jääskinen (Rapporteur), N. Wahl and M. Gavalec, Judges,
Advocate General: M. Campos Sánchez-Bordona,
Registrar: D. Dittert, Head of Unit,
having regard to the written procedure and further to the hearing on 17 January 2023,
after considering the observations submitted on behalf of:
– Deutsche Wohnen SE, by O. Geiss, K. Mertens, N. Venn and T. Wybitul, Rechtsanwälte,
– the German Government, by J. Möller and P.-L. Krüger, acting as Agents,
– the Estonian Government, by M. Kriisa, acting as Agent,
– the Netherlands Government, by C.S. Schillemans, acting as Agent,
– the Norwegian Government, by L.-M. Moen Jünge, M. Munthe-Kaas and T. Westhagen Edell, acting as Agents,
– the European Parliament, by G.C. Bartram and P. López-Carceller, acting as Agents,
– the Council of the European Union, by J. Bauerschmidt and K. Pleśniak, acting as Agents,
– the European Commission, by A. Bouchagiar, F. Erlbacher, H. Kranenborg and G. Meessen, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 27 April 2023,
gives the following
Judgment
1 |
This request for a preliminary ruling concerns the interpretation of Article 83(4) to (6) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’). |
2 |
The request has been made in proceedings between Deutsche Wohnen SE (‘DW’) and the Staatsanwaltschaft Berlin (Berlin Public Prosecutor’s Office, Germany) concerning an administrative fine imposed on DW pursuant to Article 83 of the GDPR in respect of an infringement of Article 5(1)(a), (c) and (e), Article 6 and Article 25(1) of that regulation. |
Legal context
European Union law
3 |
Recitals 9, 10, 11, 13, 74, 129 and 150 of the GDPR state:
…
…
…
…
|
4 |
Article 4 of that regulation provides as follows: ‘For the purposes of this Regulation: …
…
…’ |
5 |
Article 58 of that regulation, entitled ‘Powers’, provides, in paragraphs 2 and 4: ‘2. Each supervisory authority shall have all of the following corrective powers:
…
…
…
… 4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the [Charter of Fundamental Rights of the European Union].’ |
6 |
Article 83 of that regulation, entitled ‘General conditions for imposing administrative fines’, provides: ‘1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive. 2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement. 4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to [EUR 10000000], or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
… 5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to [EUR 20000000], or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to [EUR 20000000], or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. 7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. 8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process. …’ |
German law
7 |
The first sentence of Paragraph 41(1) of the Bundesdatenschutzgesetz (Federal Law on data protection) of 30 June 2017 (BGBl. 2017 I, p. 2097), provides that, unless otherwise provided for in that law, the provisions of the Gesetz über Ordnungswidrigkeiten (Law on administrative offences) of 24 May 1968 (BGBl. 1968 I, p. 481) in the version in the Communication of 19 February 1987 (BGBl. 1987 I, p. 602), as amended by the Law of 19 June 2020 (BGBl. 2020 I, p. 1350; ‘the OWiG’), are applicable to the infringements referred to in Article 83(4) to (6) of the GDPR. |
8 |
Paragraph 30 of the OWiG, entitled ‘Fines imposed on legal persons and associations of persons’, provides: ‘(1) Where a person acting
has committed a criminal or administrative offence, as a result of which the obligations incumbent on the legal person or association of persons have been contravened or that legal person or association of persons has been enriched or was intended to be enriched, a fine may be imposed on such legal person or association of persons. … (4) If criminal proceedings or administrative proceedings involving the imposition of fines are not initiated in respect of the criminal offence or administrative offence, or if such proceedings are discontinued, or if a penalty is not sought, the fine may be determined independently. Statutory provision may also be made to the effect that a fine may be determined independently in further cases. However, a fine shall not be determined independently in respect of the legal person or association of persons where the criminal or administrative offence cannot for any legal reason be penalised …’ |
9 |
Paragraph 130 of the OWiG provides: ‘1. A person who, as owner of a business or undertaking, intentionally or negligently fails to take the necessary supervisory measures to prevent, within the business or undertaking, breach of the obligations to which the owner is subject and infringement of which is punishable by a criminal penalty or a fine, shall be deemed to have committed an administrative offence if such breach could have been prevented or made more difficult by means of appropriate supervision. The necessary supervisory measures shall also include the appointment, careful selection and monitoring of the persons responsible for supervision. … (3) Where the breach of an obligation is punishable by a criminal penalty, the administrative offence may be punished by a fine of up to EUR 1 million. The third sentence of Paragraph 30(2) shall apply. Where the breach of the obligation is punishable by a fine, the maximum amount of the fine imposed for the breach of the obligation to supervise shall be determined by reference to the maximum amount of the fine incurred for that breach. …’ |
The dispute in the main proceedings and the questions referred for a preliminary ruling
10 |
DW is a listed real estate company, constituted in the legal form of a European company, with its registered office in Berlin (Germany). It holds, indirectly via participating interests in various companies, approximately 163000 housing units and 3000 commercial units. |
11 |
The owners of those units are subsidiaries of DW (‘holding companies’) which carry on the operational side of the business, while DW is responsible for the central management of the group of which it forms part, together with, inter alia, those subsidiaries. The holding companies lease the housing and commercial units which are managed by other companies in the group, known as ‘service companies’. |
12 |
As part of their business activities, DW and the group companies which it manages process personal data of tenants of the commercial and housing units, such as, for example, proof of identity, tax, social security and health insurance data of those tenants, as well as data relating to previous tenancies. |
13 |
On 23 June 2017, the Berliner Beauftragte für den Datenschutz (Berlin Data Protection Authority, Germany; ‘the supervisory authority’) informed DW during an on-the-spot inspection that companies within its group were storing the personal data of tenants in an electronic filing system in respect of which it could not be ascertained whether storage was necessary or whether there were safeguards to ensure the erasure of data which were no longer required. |
14 |
The supervisory authority requested DW to erase those documents from its electronic filing system by the end of 2017 at the latest. In response to that request, DW stated that it was not possible for technical and legal reasons to erase those documents. |
15 |
Following exchanges between DW and the supervisory authority concerning whether it was possible to erase the documents at issue, DW informed that authority that it intended to introduce a new storage system to replace the system which contained those documents. |
16 |
On 5 March 2019, the supervisory authority carried out an inspection at the corporate headquarters of the group managed by DW. During that inspection, DW informed that authority that the electronic filing system in question had already been decommissioned and that the data would be migrated to the new storage system imminently. |
17 |
By decision of 30 October 2019, the supervisory authority imposed on DW an administrative fine of EUR 14385000 for intentional infringement of Article 5(1)(a), (c) and (e) and of Article 25(1) of the GDPR (‘the decision at issue’). By that decision, that authority also imposed 15 other fines on DW of between EUR 3000 and EUR 17000 in respect of the infringement of Article 6(1) of the GDPR. |
18 |
In the decision at issue, the supervisory authority found, more specifically, that DW had intentionally failed, between 25 May 2018 and 5 March 2019, to take the measures necessary to allow personal data relating to tenants regularly to be erased where such data were no longer necessary or had, for some other reason, erroneously been stored. It also stated that DW had continued to store the personal data of at least 15 named tenants where such storage was not necessary. |
19 |
DW brought an action against that decision before the Landgericht Berlin (Regional Court, Berlin, Germany). That court closed the proceedings without taking further action, holding that the decision at issue was vitiated by such serious defects that it could not serve as a basis for the imposition of a fine. |
20 |
That court stated, inter alia, that the imposition of a fine on a legal person is exhaustively regulated by Paragraph 30 of the OWiG which, pursuant to Paragraph 41(1) of the Federal Law on data protection, applies to the infringements referred to in Article 83(4) to (6) of the GDPR. Under Paragraph 30 of the OWiG, a finding of an administrative infringement can be made only against a natural person and not against a legal person. In addition, only the actions of representatives of the legal person or of members of bodies thereof can be attributed to that legal person. While Paragraph 30(4) of the OWiG makes it possible, subject to certain conditions, to initiate independent proceedings for an administrative fine against a legal person, the fact remains that, also in those circumstances, it is necessary that a finding of an administrative infringement can be made against the members of bodies or representatives of the legal person concerned. |
21 |
The Staatsanwaltschaft Berlin (Berlin Public Prosecutor’s Office) brought an appeal against the first-instance decision before the Kammergericht Berlin (Higher Regional Court, Berlin, Germany), which is the referring court. |
22 |
The referring court asks, in the first place, whether, pursuant to Article 83 of the GDPR, it must be possible to impose an administrative fine on a legal person without the infringement of that regulation first being attributed to an identified natural person. In that context, the referring court considers, in particular, the relevance of the concept of an ‘undertaking’ within the meaning of Articles 101 and 102 TFEU. |
23 |
In that regard, the referring court explains that, according to national case-law, the limited liability regime of legal persons under national law conflicts with the regime of direct liability of undertakings laid down in Article 83 of the GDPR. According to that case-law, it is apparent, in particular, from the wording of Article 83 of the GDPR, which, in accordance with the principle of primacy of EU law, prevails over the national regime, that administrative fines may be imposed on undertakings. It is therefore not necessary for the imposition of such fines to be linked to a wrongful act on the part of the bodies or directors of legal persons, contrary to the requirements of the applicable national law. |
24 |
According to the referring court, that case-law, like the majority of national academic legal literature, attaches particular importance to the concept of an ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, and therefore to the idea that liability is attributed to the economic entity within which the undesirable conduct, for example anticompetitive conduct, occurred. Under that ‘functional’ interpretation, all acts of all employees authorised to act on behalf of an undertaking are attributable to the undertaking, including in relation to administrative proceedings. |
25 |
In the second place, were the Court to find that an administrative fine must be able to be imposed directly on a legal person, the referring court raises the question of the criteria which must be applied in order to establish the liability of a legal person, as an undertaking, for an infringement of the GDPR. It wishes to ascertain, in particular, whether an administrative fine may be imposed pursuant to Article 83 of that regulation on a legal person without it being established that the infringement of that regulation attributed to that legal person was committed wrongfully. |
26 |
In those circumstances, the Kammergericht Berlin (Higher Regional Court, Berlin) decided to stay proceedings and to refer the following questions to the Court of Justice for preliminary ruling:
|
The request to have the written procedure reopened
27 |
Following the hearing held on 17 January 2023, DW, by a document lodged at the Court Registry on 23 March 2023, applied for an order that the oral part of the procedure be reopened, pursuant to Article 83 of the Rules of Procedure of the Court of Justice. |
28 |
In support of its request, DW maintains, in essence, that the replies given by the referring court to the request for clarification addressed to it under Article 101 of the Rules of Procedure provide the Court with incorrect information concerning the applicable provisions of national law. A comprehensive debate concerning that issue was not possible at the hearing on 17 January 2023 because the parties had become aware of those replies only three working days before that hearing. Such a time period did not allow for thorough preparation for the hearing. |
29 |
It is true that, in accordance with Article 83 of the Rules of Procedure, the Court may at any time, after hearing the Advocate General, order the reopening of the oral part of the procedure, in particular if it considers that it lacks sufficient information, or where a party has, after the close of that part of the procedure, submitted a new fact which is of such a nature as to be a decisive factor for the decision of the Court, or where the case must be decided on the basis of an argument which has not been debated between the interested persons. |
30 |
However, in the present case, the Court has all the information necessary to give a ruling and the present case does not have to be decided on the basis of arguments which have not been debated by the interested persons. In addition, the request that the oral part of the procedure be reopened does not disclose any new fact which is of such a nature as to be capable of being a decisive factor for the decision which the Court is called upon to make in that case. |
31 |
In those circumstances, the Court considers, after hearing the Advocate General, that there is no need to order that the oral part of the procedure be reopened. |
Consideration of the questions referred
The first question
32 |
By its first question, the referring court asks, in essence, whether Article 58(2) and Article 83(1) to (6) of the GDPR must be interpreted as precluding national legislation under which an administrative fine may be imposed on a legal person in its capacity as controller in respect of an infringement referred to in Article 83(4) to (6) only in so far as that infringement has previously been attributed to an identified natural person. |
33 |
As a preliminary point, it should be noted that, in its written observations, the German Government expressed doubts as to that interpretation of national law by the referring court, on the ground that Paragraph 130 of the OWiG also allows a fine to be imposed on a legal person outside the cases covered by Paragraph 30 of the OWiG. Furthermore, those two provisions make it possible to impose an ‘anonymous’ fine in the context of proceedings brought against the undertaking, without it being necessary to identify the natural person who committed the infringement in question. |
34 |
In response to a request for clarification sent to the referring court, referred to in paragraph 28 of the present judgment, that court stated that Paragraph 130 of the OWiG has no bearing on the first question referred. |
35 |
According to the referring court, that provision concerns the owner of a business or of an undertaking, who must have wrongfully failed to fulfil an obligation to supervise. Evidence of such a failure to fulfil obligations attributable to the owner of the undertaking is, however, extremely complex and often impossible to adduce, and the question whether a group of undertakings may be classified as an ‘undertaking’ or ‘owner of undertakings’ in accordance with that provision is the subject of divergent opinions at national level. In any event, the first question referred for a preliminary ruling is also relevant in that context. |
36 |
It should be recalled that, as far as the interpretation of provisions of national law is concerned, the Court is in principle required to rely on the description given in the order for reference. According to settled case-law, the Court does not have jurisdiction to interpret the internal law of a Member State (judgment of 26 January 2021, Hessischer Rundfunk, C‑422/19 and C‑423/19, EU:C:2021:63, paragraph 31 and the case-law cited). |
37 |
Consequently, the answer to the first question referred for a preliminary ruling takes as a premiss that, under the applicable national law, an administrative fine may be imposed on a legal person in its capacity as controller in respect of an infringement referred to in Article 83(4) to (6) of the GDPR only subject to the conditions laid down in Paragraph 30 of the OWiG, as set out by the referring court. |
38 |
In order to answer the first question referred for a preliminary ruling, it must be stated, first of all, that the principles, prohibitions and obligations laid down by the GDPR are directed, in particular, at ‘controllers’ whose responsibility extends, as stated in recital 74 of the GDPR, to any processing of personal data which they carry out themselves or which is carried out on their behalf, and who are required, on that basis, not only to implement appropriate and effective measures, but also to be able to demonstrate the compliance of processing activities with the GDPR, including the effectiveness of the measures adopted to ensure such compliance. It is that responsibility which forms, in the event of one of the infringements referred to in Article 83(4) to (6) of that regulation, the basis for the imposition of an administrative fine on the controller pursuant to Article 83 of that regulation. |
39 |
Article 4(7) of the GDPR defines the concept of ‘controller’ broadly, as referring to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
40 |
The objective of that broad definition in Article 4(7) of the GDPR – which expressly includes legal persons – is, in a manner consistent with the objective of the GDPR, to ensure effective protection of the fundamental rights and freedoms of natural persons and, in particular, to ensure a high level of protection of the right of every person to the protection of personal data concerning him or her (see, to that effect, judgments of 29 July 2019, Fashion ID, C‑40/17, EU:C:2019:629, paragraph 66, and of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraph 73 and the case-law cited). |
41 |
Furthermore, the Court has previously held that a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller (see, to that effect, judgment of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, paragraph 68). |
42 |
It therefore follows from the wording and purpose of Article 4(7) of the GDPR that the EU legislature did not distinguish, for the purposes of determining liability under that regulation, between natural persons and legal persons, that liability being subject to the sole condition that those persons, alone or jointly with others, determine the purposes and means of processing of personal data. |
43 |
Consequently, subject to what is provided for in Article 83(7) of the GDPR concerning public authorities and bodies, any person meeting that condition – regardless of whether a natural person, a legal person, a public authority, a service or another body – is responsible, inter alia, for any infringement referred to in Article 83(4) to (6) which is committed by that person or on behalf of that person. |
44 |
As regards legal persons, that implies, first, as the Advocate General observed, in essence, in points 57 to 59 of his Opinion, that legal persons are liable not only for infringements committed by their representatives, directors or managers, but also by any other person acting in the course of the business of those legal persons and on their behalf. Second, the administrative fines provided for in Article 83 of the GDPR in respect of such infringements must be capable of being imposed directly on legal persons where they may be classified as the controllers in question. |
45 |
Next, it must be stated that Article 58(2) of the GDPR sets out in detail the supervisory authorities’ corrective powers, without referring to the law of the Member States or leaving any discretion to those States. First, those powers, which include, under Article 58(2)(i) of the GDPR, the power to impose an administrative fine, relate to the controller and, second, such a controller may, as is apparent from paragraph 39 of the present judgment, be a natural person or a legal person. The substantive conditions which a supervisory authority must satisfy when imposing such a fine are, for their part, laid down in Article 83(1) to (6), in precise terms and without leaving any discretion to the Member States. |
46 |
It thus follows from a combined reading of Article 4(7), Article 83 and Article 58(2)(i) of the GDPR that an administrative fine in respect of an infringement referred to in Article 83(4) to (6) may also be imposed on legal persons where they are controllers. By contrast, no provision of the GDPR permits the inference that the imposition of an administrative fine on a legal person as a controller is subject to a previous finding that that infringement was committed by an identified natural person. |
47 |
It is true that it is apparent from Article 58(4) and Article 83(8) of the GDPR, read in the light of recital 129 of that regulation, that the exercise by the supervisory authority of its powers under those articles is to be subject to appropriate procedural safeguards in accordance with EU and Member State law, including effective judicial remedy and due process. |
48 |
However, the fact that that regulation accordingly provides Member States with the possibility to lay down requirements concerning the procedure to be followed by the supervisory authorities in order to impose an administrative fine in no way means that they are also authorised to lay down, in addition to such procedural requirements, substantive conditions over and above those set by Article 83(1) to (6). In addition, the fact that the EU legislature took care to make express provision for that possibility but not the possibility to lay down such additional substantive conditions confirms that it did not provide the Member States with a margin of discretion in that regard. Those substantive conditions therefore fall solely within the scope of EU law. |
49 |
The literal interpretation of Article 58(2) and Article 83(1) to (6) of the GDPR set out above is borne out by the purpose of that regulation. |
50 |
It is apparent, in particular, from recital 10 of the GDPR that the objectives of the provisions of that regulation are, inter alia, to ensure a consistent and high level of protection of natural persons with regard to the processing of personal data within the European Union and, to that end, to ensure consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of those persons with regard to the processing of personal data throughout the European Union. Recitals 11 and 129 of the GDPR emphasise, moreover, the need to ensure, in order to ensure consistent application of that regulation, that supervisory authorities have equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and that they can impose equivalent sanctions where that regulation is infringed. |
51 |
To allow Member States to make it a requirement, unilaterally and as a necessary condition for the imposition of an administrative fine pursuant to Article 83 of the GDPR on a controller who is a legal person, that the infringement in question is first attributed or attributable to an identified natural person, would be contrary to that purpose of the GDPR. In addition, such an additional requirement would, ultimately, risk weakening the effectiveness and deterrent effect of administrative fines imposed on legal persons as controllers, contrary to Article 83(1) of the GDPR. |
52 |
In that regard, it should be recalled that the second paragraph of Article 288 TFEU provides that an EU regulation is to be binding in its entirety and directly applicable in all Member States, which precludes, unless otherwise provided, Member States from taking steps which are intended to alter the scope of such a regulation. In addition, the Member States are under a duty, by virtue of the obligations arising from the FEU Treaty, not to obstruct the direct applicability inherent in regulations. In particular, they must not adopt a measure by which the nature of EU law and the consequences which arise from it are concealed from the persons concerned (judgment of 15 November 2012, Al-Aqsa v Council and Netherlands v Al-Aqsa, C‑539/10 P and C‑550/10 P, EU:C:2012:711, paragraphs 86 and 87 and the case-law cited). |
53 |
Lastly, in view of the referring court’s questions, it should be stated that the concept of an ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, has no bearing on whether and under what conditions an administrative fine may be imposed pursuant to Article 83 of the GDPR on a controller who is a legal person, since that question is exhaustively regulated by Article 58(2) and Article 83(1) to (6) of that regulation. |
54 |
That concept is relevant only for the purpose of determining the amount of the administrative fine imposed under Article 83(4) to (6) of the GDPR on a controller. |
55 |
As the Advocate General observed in point 45 of his Opinion, the reference in recital 150 of the GDPR to the concept of an ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, is to be understood in that specific context of the calculation of administrative fines imposed in respect of the infringements referred to in Article 83(4) to (6) of the GDPR. |
56 |
In that regard, it should be stated that, for the purposes of applying the competition rules, referred to in Articles 101 and 102 TFEU, that concept covers any entity engaged in an economic activity, irrespective of the legal status of that entity and the way in which it is financed. The concept of an undertaking therefore defines an economic unit even if in law that economic unit consists of several persons, natural or legal. That economic unit consists of a unitary organisation of personal, tangible and intangible elements which pursues a specific economic aim on a long-term basis (judgment of 6 October 2021, Sumal, C‑882/19, EU:C:2021:800, paragraph 41 and the case-law cited). |
57 |
Accordingly, it is apparent from Article 83(4) to (6) of the GDPR, which concerns the calculation of administrative fines in respect of the infringements listed in those paragraphs, that, where the addressee of the administrative fine is or forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU, the maximum amount of the administrative fine is calculated on the basis of a percentage of the total worldwide annual turnover in the preceding business year of the undertaking concerned. |
58 |
In short, as the Advocate General observed in point 47 of his Opinion, only an administrative fine determined on the basis of the actual or material economic capacity of the person on which it is imposed, and therefore imposed by the supervisory authority, relying, as regards the amount of that fine, on the concept of an economic unit within the meaning of the case-law cited in paragraph 56 of the present judgment, is capable of satisfying the three conditions set out in Article 83(1) of the GDPR, namely to be effective, proportionate and dissuasive. |
59 |
Therefore, where a supervisory authority decides, by virtue of its powers under Article 58(2) of the GDPR, to impose on a controller, which is or forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU, an administrative fine pursuant to Article 83 of that regulation, that authority is required to take as its basis, under Article 83 GDPR, read in the light of recital 150 of that regulation, when calculating administrative fines in respect of the infringements referred to in Article 83(4) to (6) of the GDPR, the concept of an ‘undertaking’, within the meaning of Articles 101 and 102 TFEU. |
60 |
In the light of the foregoing, the answer to the first question must be that Article 58(2)(i) and Article 83(1) to (6) of the GDPR must be interpreted as precluding national legislation under which an administrative fine may be imposed on a legal person in its capacity as controller in respect of an infringement referred to in Article 83(4) to (6) only in so far as that infringement has previously been attributed to an identified natural person. |
The second question
61 |
By its second question, which is asked in the event that the first question is answered in the affirmative, the referring court asks, in essence, whether Article 83 of the GDPR must be interpreted as meaning that an administrative fine may be imposed pursuant to that provision only where it is established that the controller, which is both a legal person and an undertaking, intentionally or negligently committed an infringement referred to in Article 83(4) to (6) of the GDPR. |
62 |
In that regard, it should be recalled that it is apparent from Article 83(1) of the GDPR that administrative fines must be effective, proportionate and dissuasive. However, Article 83 of the GDPR does not expressly state that the infringements referred to in Article 83(4) to (6) thereof may be penalised by such a fine only if they were committed intentionally or, at the very least, negligently. |
63 |
The German, Estonian and Norwegian Governments and the Council of the European Union infer therefrom, inter alia, that the EU legislature intended to leave a certain discretion to the Member States in the implementation of Article 83 of the GDPR, allowing them to provide for administrative fines to be imposed pursuant to that provision, as appropriate, without it being established that the infringement of the GDPR penalised by that fine was committed intentionally or negligently. |
64 |
An interpretation of that nature in respect of Article 83 of the GDPR cannot be accepted. |
65 |
In that regard, as has been observed in paragraphs 45 and 48 of the present judgment, the substantive conditions which a supervisory authority must satisfy when it imposes an administrative fine on a controller are governed solely by EU law, since those conditions are laid down, in detail and without leaving any discretion to the Member States, in Article 83(1) to (6) of the GDPR (see also judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:XXX, paragraphs 64 to 70). |
66 |
As regards those conditions, it should be noted that Article 83(2) of the GDPR lists the factors to which the supervisory authority is to have regard when imposing an administrative fine on the controller. Those factors include, in Article 83(2)(b) thereof, ‘the intentional or negligent character of the infringement’. By contrast, none of the factors listed in Article 83(2) of the GDPR mentions any possibility that the controller will incur liability in the absence of wrongful conduct on its part. |
67 |
In addition, Article 83(2) of the GDPR must be read in conjunction with Article 83(3) thereof, the purpose of which is to lay down the consequences of cumulative infringements of that regulation, according to which ‘if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement’. |
68 |
Accordingly, it follows from the wording of Article 83(2) of the GDPR that only infringements of the provisions of that regulation committed wrongfully by the controller, that is to say those committed intentionally or negligently, can result in a fine being imposed on the controller pursuant to that article. |
69 |
The general scheme and purpose of the GDPR support that reading. |
70 |
First, the EU legislature has laid down a system of penalties enabling the supervisory authorities to impose the penalties which are the most appropriate according to the circumstances of each case. |
71 |
Indeed, Article 58(2)(i) of the GDPR provides that those authorities may impose administrative fines, pursuant to Article 83 of that regulation, ‘in addition to, or instead’ of the other corrective powers listed in Article 58(2), such as warnings, reprimands or orders. Similarly, recital 148 of the GDPR states, inter alia, that, where dealing with a minor infringement or if the administrative fine likely to be imposed would constitute a disproportionate burden to a natural person, the supervisory authorities are permitted to refrain from imposing an administrative fine and, instead, to issue a reprimand. |
72 |
Second, as has been stated in paragraph 50 of the present judgment, the objectives of the provisions of the GDPR are, inter alia, to ensure a consistent and high level of protection of natural persons with regard to the processing of personal data within the European Union and, to that end, to ensure consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of those persons with regard to the processing of personal data throughout the European Union. In addition, in order to ensure consistent application of the GDPR, supervisory authorities must have equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data, so that they can impose equivalent sanctions where that regulation is infringed. |
73 |
The existence of a system of penalties making it possible to impose, where justified by the specific circumstances of each individual case, an administrative fine pursuant to Article 83 of the GDPR creates an incentive for controllers and processors to comply with that regulation. Through their deterrent effect, administrative fines contribute to strengthening the protection of natural persons with regard to the processing of personal data and therefore constitute a key element in ensuring respect for the rights of those persons, in accordance with the purpose of that regulation of ensuring a high level of protection of such persons with regard to the processing of personal data. |
74 |
However, the EU legislature did not find it necessary, in order to ensure such a high level of protection, to provide for administrative fines to be imposed in the absence of wrongdoing. In view of the fact that the GDPR aims for a level of protection which is both equivalent and homogeneous, and that it must, to that end, be applied consistently throughout the European Union, it would be contrary to that purpose to allow Member States to provide for such a system for the imposition of a fine under Article 83 of the GDPR. Such a freedom of choice would, additionally, be liable to distort competition between economic operators within the European Union, which would run counter to the stated objectives of the EU legislature, in particular, those in recitals 9 and 13 of that regulation. |
75 |
Accordingly, it must be observed that Article 83 of the GDPR does not allow an administrative fine to be imposed in respect of an infringement referred to in paragraphs 4 to 6 thereof, without it being established that that infringement was committed intentionally or negligently by the controller and that, consequently, a culpable infringement constitutes a condition for such a fine to be imposed. |
76 |
In that regard, it must be clarified, as regards the question whether an infringement has been committed intentionally or negligently and is, therefore, liable to be penalised by an administrative fine pursuant to Article 83 of the GDPR, that a controller can be penalised for conduct falling within the scope of the GDPR where that controller could not be unaware of the infringing nature of its conduct, whether or not it is aware that it is infringing the provisions of the GDPR (see, by analogy, judgments of 18 June 2013, Schenker & Co. and Others, C‑681/11, EU:C:2013:404, paragraph 37 and the case-law cited; of 25 March 2021, Lundbeck v Commission, C‑591/16 P, EU:C:2021:243, paragraph 156; and of 25 March 2021, Arrow Group and Arrow Generics v Commission, C‑601/16 P, EU:C:2021:244, paragraph 97). |
77 |
Where the controller is a legal person, it should also be clarified that for Article 83 GDPR to apply, it is not necessary for there to have been action by or even knowledge on the part of the management body of that legal person (see, by analogy, judgments of 7 June 1983, Musique Diffusion française and Others v Commission, 100/80 to 103/80, EU:C:1983:158, paragraph 97, and of 16 February 2017, Tudapetrol Mineralölerzeugnisse Nils Hansen v Commission, C‑94/15 P, EU:C:2017:124, paragraph 28 and the case-law cited). |
78 |
Having regard to the foregoing, the answer to the second question is that Article 83 of the GDPR must be interpreted as meaning that an administrative fine may be imposed pursuant to that provision only where it is established that the controller, which is both a legal person and an undertaking, intentionally or negligently committed an infringement referred to in Article 83(4) to (6) thereof. |
Costs
79 |
Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable. |
On those grounds, the Court (Grand Chamber) hereby rules: |
[Signatures] |
( *1 ) Language of the case: German.