The Court of Justice of the European Union (the Court) delivered its judgment in Case C-383/23, Public Prosecutor’s Office v ILVA A/S in February 2025 in a reference for a preliminary ruling case sent to it by the Western High Court (Vestre Landsret) of Denmark.
The question referred to the Court was whether the concept of an ‘undertaking’ – as understood in EU competition law – should also apply when calculating fines under the General Data Protection Regulation (GDPR), particularly when those fines are imposed by national courts in criminal proceedings rather than by data protection authorities.
The Court decided that the term ‘undertaking’ in Article 83 GDPR must indeed be interpreted in line with EU competition law, meaning that fines can be based on the total turnover of the entire company group, not just the infringing subsidiary.
Background and facts
The case arose from criminal proceedings initiated in Denmark against ILVA A/S, a furniture retailer, for violations of the General Data Protection Regulation (GDPR) (Regulation 2016/679). The undertaking was accused of failing to delete personal data of approximately 350,000 former customers (retention), thereby breaching Articles 5(1)(e), 5(2), and 6 GDPR. These provisions relate to data minimisation, accountability, and the lawfulness of processing.
Previously, before Aarhus City Court (Retten i Aarhus), Denmark, ILVA A/S was fined 100,000 DKK for breaching GDPR provisions concerning the personal data of natural persons. The Public Prosecutor’s Office appealed that fine, believing that ILVA had acted ‘intentionally’, whereas the Aarhus City Court had found that ILVA had only acted ‘negligently’.
The Western High Court (Vestre Landsret) of Denmark made a reference for a preliminary ruling under Article 267 TFEU to the Court on the issue of fines for companies that have admitted to breaches of GDPR. Specifically, the referring court asked whether the concept of an ‘undertaking’ in Article 83(4)-(6) GDPR should be interpreted in line with EU competition law (namely, Articles 101-102 TFEU, and EU secondary law), meaning that fines could be based on the total turnover of the entire corporate group, not just the infringing subsidiary.
In Denmark, GDPR fines are imposed through criminal proceedings, rather than administrative enforcement. The Public Prosecutor’s Office had sought a fine of 1.5 million DKK (approx. €200,000), calculated based on the turnover of ILVA’s parent group, not just ILVA A/S itself.
ILVA A/S is part of a larger group of companies. ILVA A/S had an annual turnover of 1.8 billion DKK, whereas the group it is part of (the Lars Larsen Group) had a turnover of 6.57 billion DKK in the year concerned.
The Public Prosecutor’s Office argued that the term ‘undertaking’ in Article 83(5) of the GDPR should be understood as taking into account the turnover of the entire group of companies, in line with competition law (Articles 101-102 TFEU). ILVA A/S, on the other hand, argues that charges were only taken against it, ILVA A/S, and not the company group that it is a part of.
Opinion of the Advocate General
For Advocate General Medina, delivering her Opinion in September 2024 (see previous NIELS post here), the term ‘undertaking’ in the GDPR should be interpreted in line with EU competition law, meaning the total turnover of the economic entity should be considered when setting the maximum fine. This includes parent companies and subsidiaries if the parent exercises decisive influence over the subsidiary.
In addition, the maximum fine should be based on the total worldwide annual turnover of the entire economic entity (group) to ensure fines are effective, proportionate, and dissuasive. But for the actual fine in this case, for her, this has to consider the specific circumstances of the case, including the nature, gravity, and duration of the infringement, and any mitigating or aggravating factors.. The turnover of the economic entity can be one of the factors, but should not be the sole determinant.
This meant that, in the ILVA case, according to Advocate General Medina, the term ‘undertaking’ in Article 83(4) to (6) of the GDPR should be interpreted in line with EU competition law, considering the total turnover of the economic entity; when determining the actual fine, the concept of ‘undertaking’ should be one of several factors, ensuring the fine is effective, proportionate, and dissuasive; and in criminal proceedings, the fine must respect principles of proportionality and fairness, balancing the need to enforce GDPR compliance with the rights of the infringing entity.
Judgment of the Court
First, the Court held that the term ‘undertaking’ in Article 83 GDPR must be interpreted in accordance with EU competition law, where it refers to an economic unit, regardless of the legal entities involved. This means that a parent company and its subsidiaries can be treated as a single undertaking for the purposes of calculating fines.
Second, this interpretation of an undertaking applies even when fines are imposed by national courts in criminal proceedings, not just by data protection authorities. The Court emphasised that the GDPR – which does not harmonise fines – nonetheless aims to ensure effective, proportionate, and dissuasive penalties, and this objective would be undermined if only the turnover of the infringing subsidiary were considered.
Third, the Court also clarified that EU Member States are free to choose the procedural framework for imposing fines, including criminal proceedings, as long as the fines comply with the GDPR’s requirements and the Charter of Fundamental Rights of the EU.
Analysis
This judgment is another case where EU competition law and EU privacy and data protection law have interacted to a significant degree. In particular here in ILVA, it is significant for how the enforcement of EU data protection law has to borrow from other areas of enforcement of EU law, which in this case, was EU competition law.
Based on this, two major implications are obvious.
First, by aligning the concept of ‘undertaking’ with EU competition law, the Court in ILVA ensures some sort of uniform standard for EU privacy data protection law across the EU. This, in theory, prevents undertakings from exploiting differences in national enforcement systems to avoid higher fines. It also reinforces the idea that enforcement of EU privacy and data protection law must be effective and dissuasive, as required by Article 83(1) GDPR.
Second, the ILVA judgment clearly affects company groups. A subsidiary’s violation of EU privacy and data protection law – in this case, GDPR – can now expose the entire group to liability based on its global turnover, not just the local subsidiary’s turnover. This mirrors the approach in EU competition law, where parent companies can be held liable for their subsidiaries’ actions if they form part of the same economic unit. This interpretation of EU privacy and data protection encourages stronger internal compliance mechanisms within company groups, as parent companies now have a direct financial incentive to ensure compliance with GDPR across all subsidiaries.
Read the judgment
The judgment of the Court of Justice of the European Union in Case C-383/23, Public Prosecutor’s Office v ILVA A/S, referred to it by the Western High Court (Vestre Landsret) of Denmark, and delivered on 13 February 2025, can be read here.