The maximum fines for undertakings

Are companies exposed to fines at 2% or 4% of their worldwide annual turnover, or are they exposed to fines based on the group worldwide annual turnover, assuming that they are part of a group?

Articles 83(4) and (5) talk about ‘an undertaking’, which means a single entity. They do not talk about groups of undertakings. However, the BCR regime in Article 47 talks about groups of undertakings, which is a defined term in Article 4.

Taking these points together, it should follow that a company that is a member of a group of companies can only be fined up to the maximum percentage of its individual turnover, rather than a percentage of the group’s turnover (assuming that the percentage threshold is higher than the €10m or €20m number).

However, the language of the recitals points to a potentially different outcome. Recital 150 refers to the Treaty on the Functioning of the European Union (or “TFEU”) and Articles 101 and 102 thereof, effectively saying that the meaning of the phrase “undertaking” should be as set out in those articles. Those articles are concerned with EU competition law principles (sometimes called “anti-trust” principles). If those principles are applied in full to the GDPR, then the idea of an “undertaking” could encompass more than one distinct controller or processor, if they are effectively acting together or in concert, as might happen when one distinct legal entity has control or dominant influence over another entity. Case law confirms that this may occur within a group of companies and, indeed, there is legal authority for the idea that this outcome should actually be presumed in that situation. This presumption is not intended to be absolute or binding, however, as it can be defeated (i.e., rebutted) by evidence that the companies in the group were not acting together as one undertaking.

As can be imagined, there are many group situations where such outcomes of control or dominance will not arise, for example where the companies are focussed on different market sectors, or where there are meaningful operational and/or legal barriers to control or dominance. Hence, even on a competition law analysis it does not follow that in all group situations a fine imposed on one group company member should be calculated on the basis of the combined turnover of all companies in that group. That outcome could happen, but it is not bound to happen in all situations and in many it will not happen.

There might also be compelling practical reasons to construe the competition law analysis more restrictively, whilst still giving effect to the core idea within Articles 101 and 102 TFEU, namely that the idea of an undertaking means the pursuit of economic activity. The problem for enforcement is that if the idea of an undertaking should be construed in the widest and most expansive sense of competition law, then in disputed data protection enforcement cases it is foreseeable that the regulators could be dragged into very complex analysis of the scope of the undertaking that the data controller or processor that is being fined is involved in. For those familiar with competition law cases, it will be appreciated that an undertakings analysis can be hotly disputed and very costly and complex to resolve. If the data protection enforcement regime is to be interpreted in the most expansive sense, could it be stretched to breaking point, as data controllers and processors aggrieved by undertakings analyses that lead to fines based on aggregated turnovers tie up the regulators in knots of legal challenge? These are questions for tomorrow, but controllers and processors in group situations will factor in the risk of being fined on the aggregated turnover of all the entities in their groups.

