Essential Recent Clarifications Every Business Should Understand
The General Data Protection Regulation (“GDPR”) has become an inescapable reality for all companies that process personal data within the European Union. Given the recent rulings of the Court of Justice of the European Union (“CJEU”) in this domain (*), it is now more critical than ever for these companies to understand their obligations and the legal consequences of potential non-compliance with this legislation.
Who is Considered a Data Controller?
In recent judgments, the CJEU has reiterated that the term “controller” is broadly defined to encompass any natural or legal entity that determines the purposes and means of processing personal data, either independently or in conjunction with others. This definition is designed to ensure the effective protection of the fundamental rights and freedoms of natural persons, thereby guaranteeing a high level of personal data protection.
What does this mean in practice? Companies should be aware that any entity that influences the processing of personal data for its own purposes may be treated as a data controller, and that a controller is answerable for infringements committed not only by its representatives, directors or managers, but also by any other person acting within the scope of the company’s business activities and on its behalf. That includes subcontractors, provided the subcontractor’s conduct can be attributed to the controller.
What are the Penalties for GDPR Violations?
Article 83 of the GDPR allows supervisory authorities to impose administrative fines on the company at fault for infringements of the regulation, whether committed intentionally or negligently. For the provisions listed in Article 83(4), the fine may reach EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; for the more serious category in Article 83(5), such as breaches of the basic principles of processing or of data subjects’ rights, it may reach EUR 20 million or 4%.
The CJEU has clarified that a fine may nonetheless only be imposed where it is established that the infringement was committed culpably, that is, intentionally or negligently: a fine cannot be imposed on a controller without any finding of fault.
What does this mean in practice? Negligence is enough. A company that did not realise it was infringing the GDPR can still be fined if it could not have been unaware that its conduct was unlawful, whether or not it knew that the conduct amounted to a GDPR infringement.
Be aware that the company cannot escape a sanction:
- by pleading ignorance of the infringement where it was committed by a person acting within the scope of the company’s business activities and on its behalf (as noted above);
- even where the specific individual who committed the infringement cannot be identified, provided that the person was acting within the scope of the company’s business activities and on its behalf.
As a result, heightened vigilance is required!
The recent CJEU rulings have significant ramifications for all companies operating within the European Union. They reinforce the responsibilities of companies in terms of data protection and clarify the conditions under which sanctions can be levied against them.
These decisions underscore the necessity for companies to exercise increased vigilance and strict adherence to the GDPR, potentially necessitating a review and strengthening of their data processing policies and procedures.
At MELLOUK Law, we stand ready to assist you in this endeavor, offering you bespoke legal advice tailored to your specific circumstances.
Interested in Learning More?
Don’t hesitate to contact us for a consultation and discover how we can help you safeguard the future of your business in an increasingly digital and regulated world.
(*) Sources: