The firm was originally hit with a €14.5m fine by the Berlin Data Protection Commissioner back in 2019, for retaining tenant data for longer than was necessary.
It was subsequently reversed two years later by a local court, which ruled that the firm couldn't be held responsible unless blame could be attached to a specific individual or executive.
The ECJ actually found in favor of Deutsche Wohnen - claiming that an organization can only have an administrative GDPR fine imposed if an infringement was intentionally or negligently committed.
He claimed that the ruling effectively means a lack of knowledge by management is not a defense, and that organizations are liable both for infringements committed by their representatives, directors or managers, and for those committed by any other person acting on their behalf.
This effectively lowers the bar for supervisory authorities to impose fines, as does the fact that organizations are now liable for infringements committed by anyone acting on their behalf.
Fines may be higher because the ECJ ruled that an infringing organization can be fined based on its own turnover and also on the turnover of its parent company.
The ruling applies not only to organizations operating within the EU but also to those based outside it, such as in the US and UK, as long as they have a subsidiary within the region and process personal data on EU citizens, or offer goods and services within the EU.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Wed, 06 Dec 2023 10:40:13 +0000