The European Court of Justice (ECJ) has ruled on whether fines for violations of the General Data Protection Regulation (GDPR) should be based on the turnover of the specific company involved or the entire corporate group. Until now, it was unclear whether only the turnover of the individual entity responsible for the violation should be considered, or that of the whole group.
What was the case about?
The Danish furniture retailer ILVA was accused of processing former customers’ personal data in violation of the GDPR. The Danish public prosecutor demanded a fine of 1.5 million Danish kroner (approx. €201,000), basing this on the turnover of ILVA’s entire corporate group.However, the Danish court only imposed a fine of 100,000 DKK (approx. €13,400), considering only ILVA’s own turnover and not that of the entire group.
The prosecution appealed, and the appeals court referred the case to the ECJ for a preliminary ruling.
What did the ECJ decide?
In its ruling on February 13, 2025 (Case C-383/23), the ECJ decided that the turnover of the entire corporate group may be used to calculate a fine. The Court justified the decision as follows:What is a “company” under the GDPR?
The ECJ clarified that the term “company” in the GDPR should be interpreted according to EU competition law, meaning the entire corporate group is considered a single economic entity—regardless of the legal structure of its individual companies. This interpretation is based on Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU).Group-wide turnover as the basis for fines:
To determine an appropriate fine, the global annual turnover of the entire group from the previous financial year may be used. This ensures that penalties are both effective and deterrent. However, the ECJ emphasized that the actual economic capacity of the company must be taken into account to ensure the penalty is appropriate.Fines must be proportionate:
While fines should effectively penalize and deter GDPR violations, they must also be proportionate—not excessively high.
Implications for practice
This ruling has significant implications, especially for corporate groups:
Higher fines possible:
Companies must now expect significantly higher fines for GDPR violations, as the turnover of the entire corporate group can now be the basis for calculation. This poses major financial risks for groups with global revenues.
Implement data protection management group-wide:
Corporate groups should ensure they have group-wide data protection management in place. Violations by one group entity can lead to substantial fines due to group-wide liability.
