On 13 February 2025, the Court of Justice of the European Union issued a landmark judgment in Case C-383/23 concerning the interpretation of Article 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“GDPR”). This judgment has a major impact on clarifying how fines for breaches of the GDPR can be imposed on companies that are part of a group.

In the case at hand, the company in question was ILVA, the operator of a chain of furniture stores which is part of the Lars Larsen Group. The company was accused of violating GDPR in connection with the storage of data of at least 350,000 former customers. On the recommendation of the Danish Data Protection Authority, the public prosecutor requested that a fine of DKK 1,500,000 (approximately EUR 201,000) be imposed on the company. The calculation of this amount was based not only on the turnover of ILVA itself, but also on the total turnover of the Lars Larsen Group.

However, the competent district court concluded that, since the charges were brought only against ILVA, it was not necessary to take into account the turnover of the entire group when determining the amount of the fine. The court further held that ILVA was an independent retail business and was not established by the parent company solely for the purpose of processing group data.

The public prosecutor appealed to the High Court of Western Denmark, which decided to stay the proceedings and referred two preliminary questions to the Court of Justice of the European Union (“CJEU”). The substance of those questions concerned whether or not Article 83(4) to (6) GDPR – that is, the provisions relating to the conditions for imposing administrative fines for breaches of the GDPR – in conjunction with Recital 150 of the GDPR, must be interpreted as meaning that the term “undertaking” in those provisions corresponds to the term “undertaking” within the meaning of Articles 101 and 102 of the Treaty on the Functioning of the European Union (“TFEU”), and whether or not the total worldwide annual turnover of that undertaking is to be taken as the basis for imposing a fine on a data controller which is an undertaking or part of an undertaking.

In this case, the CJEU held that the fine for a subsidiary’s breach of the GDPR should be based on the total turnover of the entire group. Specifically, the Court clarified that for the purposes of imposing fines under the GDPR, the term “undertaking” includes the entire economic unit, including parent and subsidiary companies, as interpreted in Articles 101 and 102 TFEU.

The aforementioned court further stressed that, according to Article 83(1) of the GDPR, the competent supervisory authorities must ensure that the fines imposed for infringements of the provisions of the GDPR are effective, proportionate and dissuasive in each individual case, reiterating that only a fine which takes into account the actual or substantial economic strength of the company sanctioned is effective, proportionate and dissuasive. In the context of the case at hand, this means that, when imposing fines, account must also be taken of whether the company is part of a group as an undertaking.

In light of the CJEU judgment, it should be taken into account that when imposing a fine for a breach of the GDPR, the amount of the fine should also take into account, if the sanctioned company is part of a group (undertaking), among other things. If this is the case, the amount of the fine should be based on the total worldwide annual turnover of the group for the previous financial year, not just on the turnover of the company itself.