On 4 May 2016, the long-awaited General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union. With an ‘enforced from date’ of 25 May 2018, the potentially high penalties for breach of the GDPR are becoming an increasing area of concern for multi-national businesses.
Under the GDPR, supervisory authorities will be given significantly more powers to enforce compliance and will have the power to impose administrative fines, in the case of an undertaking, of up to 4% of the total worldwide annual turnover of the preceding financial year.
Key to understanding the impact of these new penalties will be establishing what, within the GDPR context, amounts to ‘an undertaking’.
Meaning of an ‘undertaking’
Recital 150 of the GDPR states that where administrative fines are imposed on an undertaking, an ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU).
The meaning of ‘undertaking’ in relation to Articles 101 and 102 of TFEU has frequently been examined in case law, which has concluded that where one company exercises “control” over another company, they form a single economic entity and, hence, are part of the same undertaking.
Control has been defined in case law as “the ability to exercise decisive influence” over another entity, with the result that the latter does not enjoy real autonomy in determining its commercial policy on the market. This includes where a parent has a majority shareholding in a subsidiary – the parent is in the position to exercise control over that subsidiary and so there is a rebuttable presumption (with the burden of proof resting on the parent company) that the parent does exercise such control. Where the parent is a minority shareholder, there is no presumption of control, and a range of factors will be taken into account to assess whether it has control, including: the size of the parent’s shareholding; representation on the board of directors of the subsidiary; the ability to influence the commercial policy of the subsidiary; and evidence of efforts to do so.
What does this mean for multi-national companies processing personal data?
It is clear from case law relating to Articles 101 and 102 of TFEU that the term ‘undertaking’ is construed very broadly.
With the risk of ‘getting it wrong’ significantly higher under the GDPR, the prudent approach is to assume that group revenues could be used by supervisory authorities when calculating administrative fines. However, case law under Articles 101 and 102 of TFEU has demonstrated that what amounts to an ‘undertaking’ will turn on the facts of each case. By assessing group structures now, there may be an opportunity for group companies involved in the processing of personal data to reduce the revenues at risk of administrative fines.