Calculating GDPR fines for corporate groups: Lessons from the ECJ ILVA case

When it comes to fining regimes, deciding whether to set fines based on an entire group's turnover or only an infringing entity’s can have significant consequences. The ECJ’s recent ILVA A/S case (C-383/23) sends a clear message: large groups, even if operating as conglomerates, face greater risk of fines and liabilities for the actions of their subsidiaries.  This ruling broadly aligns with the Advocate General's opinion on the ILVA case, and the wider fining approach seen in cases such as the record breaking €1.2 billion fine levied by the Irish DPC against Meta for data transfers from the EU to the US without appropriate safeguards. However, it is questionable if this approach fairly takes into account how groups are organised and managed, particularly for subsidiaries with independent boards. 

Background 

ILVA, part of the Lars Larsen Group, was fined for GDPR breaches involving 350,000 customers between May 2018 and January 2019. The Public Prosecutor in Denmark recommended a fine of 1.5 million DKK based on the group's turnover, but the lower court imposed a fine of 100,000 DKK based on ILVA's turnover. This decision was appealed to the High Court of Western Denmark, which referred the matter to the ECJ for a preliminary ruling.

The ECJ ILVA A/S judgment vs the Advocate-General opinion 

The ECJ’s decision supports the Advocate-General Leila Medina’s opinion, offered in September 2024, by establishing that when setting the maximum fine “undertaking” must be interpreted in the light of recital 150 GDPR, as aligned with the meaning of “undertaking” under EU competition law (Articles 101 and 102 Treaty on the Functioning of the European Union). Namely when assessing the maximum fine, a group’s worldwide turnover should be taken into account, not just the infringing entity’s. For more detail on the meaning of “undertaking” in this context, please see our blog on the ICO’s fining guidance here. Furthermore, when assessing the actual fine, the ECJ found that the concept of “undertaking” must also be considered to assess the actual or material economic capacity of the recipient of the fine and thus to ascertain whether the fine is effective, proportionate and dissuasive. The ICO’s monetary penalty notice against TikTok takes a similar view, advocating the proportionality of the £12.7 million fine in comparison to the revenues of various TikTok entities (including ByteDance).[1]

The ECJ diverged from the AG’s view on when group turnover becomes relevant.  The AG opined that group-wide turnover is only relevant as a form of “adjustment mechanism” where there is a degree of involvement of the parent company and the infringement relates to the whole group, not only the subsidiary. By contrast, the ECJ applies the EU competition law interpretation of undertaking consistently without considering questions regarding the involvement or responsibility of group entities. 

Next steps and implications 

Both the EDPB guidelines on calculating administrative fines under GDPR and the UK ICO fining guidelines align with the ECJ's interpretation of undertaking in line with the meaning established by EU competition law. Although the ILVA A/S case is not binding on UK courts or the ICO, we expect the decision will further incentivise large corporate groups to make privacy by design a core tenet of their business practices across all subsidiaries. It will be interesting to see, however, if future ICO fines distinguish between groups with centralised management and control versus conglomerates with independent and decentralised management. 

[1] Note: this penalty is subject to appeal, for more detail see the ICO’s 2024 Annual Report.