CJEU Case C-383/23 (ILVA A/S)

On 13 February 2025, the Court of Justice of the European Union (CJEU) published a judgment in Case C-383/23 which clarified the methodology and scope of fine calculations under the EU GDPR.

Background

The case concerned a furniture retailer called ILVA A/S (ILVA) which is one of the subsidiaries of Lars Larsen Group. The case was originally heard in the Aarhus District Court in 2021 where ILVA was fined for infringing the EU GDPR due to improper retention of personal data from 350,000+ former customers. Even though the Public Prosecutor’s Office sought a fine of DKK 1.5 million (approximately USD209,000), the court ruled that ILVA was an independent entity and therefore a fine of DKK 100,000 (approximately USD14,000) was a proportionate penalty. This judgment was eventually appealed to the High Court of Western Denmark which requested a stay and a preliminary ruling from the CJEU.

Ruling

Upon review, the CJEU decided that the term ‘undertaking’ in Articles 83(4) to (6) of the General Data Protection Regulation (EU GDPR) is to be understood in line with EU competition law, specifically Article 101 and Article 102 of the Treaty on the Functioning of the European Union (TFEU). In this context, ‘undertaking’ means an economic unit engaged in commercial activities regardless of its legal form or structure and therefore includes entities such as companies, sole traders, partnerships, etc. The CJEU ruled that the maximum fine must be based on a percentage of the undertaking’s total worldwide annual turnover in the preceding year, in this case the annual turnover of Lars Larsen Group rather than the individual turnover of ILVA. It was emphasised that the fines should be effective, proportionate, and dissuasive.

Implications for organisations

The decision confirmed that EU GDPR fines follow the same principles as EU competition law, meaning companies cannot avoid larger fines by structuring themselves into smaller entities or arguing that subsidiaries function separately to the larger group. Organisations must ensure compliance with EU GDPR requirements, as violations by any of their subsidiaries can have a heavy financial impact on the entire group. The ruling is also likely to lead to stricter enforcement, particularly against the larger corporations.

UK position

Interestingly, the approach of the UK Information Commissioner’s Office (ICO) aligns with the judgment of the CJEU. In their recent Data Protection Fining Guidance, the ICO highlighted that “(w)hile Articles 101 and 102 TFEU and EDPB decisions no longer apply to the UK following the UK’s exit from the European Union, the concept of an ‘undertaking’ is well established in UK competition law through UK and retained EU case law.”

Key takeaways

The decision of the lower court in Denmark is more surprising than the CJEU decision. Although the CJEU decision reflects the expected position in respect of EU GDPR fines, based on well-established principles derived from EU competition law, it is an important decision that confirms the approach to be taken. The specific test, in practice, will turn on whether a parent company exercises decisive influence over its subsidiaries, which involves an assessment of a myriad of general and specific factors. The decision also highlights an important distinction between the maximum amount of the fine (now clarified based on the turnover of Lars Larsen Group) and the actual calculation of the fine (for which no clarification was required as this was already established based on GDPR enforcement principles). The ruling will be of interest to parties and professional advisers involved in M&A transactions seeking to establish maximum liabilities for ongoing GDPR regulatory investigations and enforcement actions.