Germany: DSK publishes opinion on enforcement principles relating to Article 83 of the GDPR

The German Data Protection Conference ('DSK') published, on 18 January 2023, its 'Opinion on fundamental issues concerning the sanctioning of data protection violations by companies - ECJ Case C-807/21', issued on 5 January 2023. In particular, the DSK stated that the opinion relates to two questions referred by the Berlin Court of Appeal ('KG') to the European Court of Justice ('ECJ'). More specifically, the DSK noted that the KG's first question should be interpreted to the effect that data protection supervisory authorities should apply the functional concept of an undertaking and the function bearer principle when imposing fines under Article 83(4) to (6) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), pursuant to Recital 150 of the same.

In this regard, the DSK highlighted that conflicting provisions in national law on the legal entity principle are not applicable, noting that as provided in EU antitrust law, Articles 101 and 102 of the Treaty on the Functioning of the European Union ('TFEU'), it is only necessary to establish that employees of the company have committed a breach of the GDPR, without having to identify the specific employees who acted or were managers of the company. Accordingly, the DSK expressed that the necessity to establish management culpability would otherwise significantly complicate the enforcement of Article 83 of the GDPR in Germany. 

Moreover, the DSK specified that with regard to the KG's second question, an objective breach of obligations attributable to the company, i.e. strict liability, is sufficient to impose a fine on the company pursuant to Article 83(4) to (6) of the GDPR. In this regard, the DSK noted that this reflects the intention of the European legislator and is a proportionate measure, since it requires data controllers and processors to comply with the GDPR obligations to protect the fundamental rights of natural persons.

You can read the full opinion, only available in German, here
