The European Court of Justice (CJEU) has issued a landmark ruling in a case involving Squire Patton Boggs client Deutsche Wohnen SE.
In a complex matter concerning the liability of undertakings for data protection breaches, the Grand Chamber of the European Court of Justice held that a fine may only be imposed by data protection authorities if it is proven that the controller has intentionally or negligently committed an infringement. This flatly contradicts the view held by certain data protection authorities that GDPR violations are subject to strict liability. The CJEU was very clear in its judgment: none of the criteria listed in Article 83 of the GDPR indicates a possibility of holding the controller liable regardless of fault. It therefore follows that only infringements of the provisions of the GDPR committed by the controller culpably, i.e., intentionally or negligently, can lead to the imposition of a fine against the controller. The Court said further that the general scheme and purpose of the GDPR confirm this reading.
Deutsche Wohnen was represented before the European Court of Justice by partners Kai Mertens (Berlin) and Oliver Geiss (Brussels) as well as Nikolai Venn from Freyschmidt Frings Pananis Venn and Tim Wybitul from Latham & Watkins.
Deutsche Wohnen is part of Vonovia Group, a leading publicly listed real estate company in Germany and Europe, whose operations focus on the management and development of residential real estate.
The case concerned a significant fine, amounting to €14.5 million, imposed by the Berlin Data Protection Commissioner in 2019 against Deutsche Wohnen for alleged violations of the GDPR. The Berlin Regional Court (Landgericht Berlin) discontinued the proceedings in February 2021 because the German authority did not comply with German rules for the assessment of an undertaking’s intention or negligence. After the Berlin Public Prosecutor's Office filed an immediate appeal against the decision of the Berlin Regional Court, the Court of Appeal (Kammergericht) in December 2021 decided to refer questions on the interpretation of Article 83 of the GDPR with respect to national procedures for the assessment of an undertaking’s liability for data protection breaches to the European Court of Justice.
“The case raised important questions about the application of GDPR,” said Kai Mertens. “We are pleased that the European Court of Justice has now clarified that only an intentional or negligent infringement of the GDPR may result in an administrative fine.”