As increasing number of GDPR fines are being handed out, they raise questions about which legal entity is ultimately bearing the liability. There is a significant risk that in addition to the infringer, statutory liability can extend to the infringer’s parental entities and entities that acquire the infringer’s assets in an M&A transaction.
No one could have missed when the EU’s General Data Protection Regulation (GDPR) entered into force in spring 2018. GDPR brought with it new responsibilities for everyone who processes and keeps records of personal data. But above all else, it was the sharply increased penalties that attracted attention, and for good reason. The new fines of potentially up to EUR 20 million or 4% of a company group’s global turnover – whichever higher – set a very new tone for the previously toothless enforcement system. These penalties are now being applied for the first time, and they have brought with them new questions concerning the attribution of liability; in other words, who ultimately pays the fine in cases where there are changes in data controllership or the entity in breach has become insolvent. What has typically not been on the radar is the surprising extent of data protection liability: there is a significant risk that in addition to the legal entity that infringes GDPR, liability can be extended to the infringer’s parental entities as well as to entities that acquire the infringer’s assets.
When GDPR entered into force, the question concerning the entity responsible for the fines went almost completely unnoticed. While the responsibilities under the GDPR are directed at processors and controllers of personal data, the fines under Article 83 GDPR mention “undertakings” as subjects of the fine. Recital 150 in GDPR further clarifies that these undertakings “should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU”. This somewhat cryptic passage refers to the EU’s competition law articles. The EU’s competition rules are not directed at companies or legal entities but at “undertakings”. Over several decades, the Court of Justice of the European Union (CJEU) has provided extensive case law on how to interpret the concept of an undertaking, particularly regarding the attribution of liability for competition fines.
A highly simplified version of the CJEU’s case law on undertakings in competition law is that undertakings are ultimately not legal entities but economic entities. They are the combination of “personal, tangible and intangible” assets that are used to operate a particular business. As such, an undertaking can cover several legal entities. One well-established consequence of this concept is the so-called parental liability doctrine. It means that parental entities can quite easily be held jointly and severally liable with their infringing subsidiary, even if the parent did not participate in the infringement or was not even aware of it. Another consequence that has been created by the CJEU is the doctrine of economic continuity or economic succession, in which a company that acquires another company’s assets may under certain conditions become liable for the seller’s competition fines. As opposed to legal succession, where a company expressly takes over another company’s liabilities, economic succession may take place involuntarily. If the infringer no longer exists or is no longer able to pay the fine, but another company has acquired its assets and continues its business, then that acquiring company may become liable for the fines as the “economic successor” of the infringer. Again, this can happen even if the successor company took no part in the infringement and was not even aware of it.