25 May 2018

Multinationals beware: wider group may be liable for data violations under new EU rules

The EU General Data Protection Regulation (GDPR), in effect as of 25 May 2018, introduces a sanctions regime that includes administrative fines of up to EUR 20 million or 4% of the total worldwide annual turnover of an undertaking, whichever is higher. According to the Court of Justice of the European Union, an "undertaking" - in contrast to a "legal entity" - indicates an economic unit, which may be formed by a parent company and all subsidiaries involved. This means that, under certain circumstances, liability for violation of data protection rules may no longer be limited to the legal entity of the personal data controller, but may extend to the wider group.

Multinational organisations which bundle responsibility for their data processing activities in their EU subsidiaries should assess the risks of their parent company being held liable for GDPR violations by those subsidiaries, and consider adopting or revising their data compliance and cybersecurity strategies to minimise potential risks. Alternatively, they may wish to redesign their economic, organisational and legal relationships with their EU subsidiaries.

Boundaries of an "undertaking" in competition law

The notion of "undertaking" is new for data protection law; it has been transplanted from European competition law (to which the GDPR directly refers in recital 150 of its preamble, pointing to Articles 101 and 102 TFEU). Along the same lines, European data protection authorities (DPAs) explain that "in order to impose fines that are effective, proportionate and dissuasive", the national DPAs must apply the concept of "undertaking" as it is understood in EU competition law and interpreted by the Court of Justice of the European Union (CJEU).

Referring to landmark competition law rulings, European DPAs explain that an "undertaking" indicates an economic unit which engages in commercial/economic activities. An economic unit may be formed by the parent company and all subsidiaries involved (CJEU Höfner and Elser, para. 21; CJEU Confederación Española de Empresarios de Estaciones de Servicio, para. 40). However, these DPAs do not provide any guidance on the two issues that are crucial to understanding how the enforcement authorities determine the boundaries of an "economic unit": first, what constitutes an "economic activity", and second, under which circumstances a parent company can be held liable for the actions of its subsidiary or subsidiaries. The vast body of CJEU case law addressing these issues provides useful insight.

In competition law, "economic activity" is generally understood as the offering of goods or services on a market. The approach to defining the boundaries of an economic unit is less clear-cut. According to the rule of thumb developed by the CJEU, the actions of a subsidiary can be attributed to a parent company if the parent company exercises "decisive influence" over the subsidiary's commercial policy and conduct (CJEU Akzo Nobel, para. 60). This would be the case where the "subsidiary does not decide independently upon its own conduct on the market, but carries out, in all material respects, the instructions given to it by the parent company" (CJEU Akzo Nobel, para. 58). In relation to wholly-owned subsidiaries, there is a rebuttable presumption that the parent company exercises decisive influence (CJEU Akzo Nobel, para. 60). This presumption also applies where a parent company owns "virtually all the shares in its subsidiary", such as more than 97% (CJEU Elf Aquitaine SA v. Commission, para. 56). To rebut the presumption, the parent company must provide "sufficient evidence" that its subsidiary acts independently on the market (CJEU Akzo Nobel, para. 61).

Simply put, where the presumption applies, the parent company has the burden of proving that it does not exercise decisive influence over its subsidiary. Where it does not apply, because the subsidiary is not wholly (or almost wholly) owned by the parent company, the burden of proving that the parent exercises decisive influence over the subsidiary, and thus forms an economic unit with it, rests with the European Commission - the enforcement authority in European competition law cases.

Irrespective of which party has the burden of proof, the presence or absence of decisive influence is determined based on the economic, organisational and legal links between the relevant subsidiary and the parent company in each particular case (CJEU Alliance One International, para. 45). Examples of those links include the extent to which the parent company controls the board of directors, the share of the subsidiary's profits taken by the parent company, and the implementation by the subsidiary of the parent company's directions, such as those on marketing and investment. Importantly, depending on the circumstances, decisive influence may include not only explicit instructions from the parent company to its subsidiary, but also negative forms of control, for example where the parent company, while aware of a subsidiary's infringing conduct, fails to take measures to prevent the infringement from continuing (CJEU Stora Kopparbergs Bergslags, para. 83).

It is worth highlighting that these rules apply to parent companies even if they are located outside the EU and do not themselves fall within the territorial reach of EU competition law. Such parent companies can still be treated as forming an economic unit with their EU subsidiaries if their decisions were implemented in the EU as a result of their decisive influence over those subsidiaries (CJEU ICI v. Commission (Dyestuffs), paras. 125-46).

Implications of using the term "undertaking" in data protection law

Although competition-related case law is nuanced, one thing is clear: liability for violation of data protection rules may no longer be limited to the legal entity of the personal data controller. Rather, when determining the amount of administrative fines, the DPAs will look at a broader economic unit engaged in the provision of goods and services related to the data protection violation at issue. This may turn out to be a game changer for companies conducting business globally, as the concentration of responsibility for data processing activities with a dedicated EU subsidiary may no longer be sufficient to minimise liability risks.

In addition, a comparison with the competition law practice of calculating fines on the basis of an undertaking's turnover highlights how much discretion DPAs have in determining the exact amount of an administrative fine. As European DPAs note, GDPR infringements do not each carry a specific "price tag"; the exact amount of an administrative fine is determined based on the list of criteria set out in Article 83(2) of the GDPR. By contrast, the European Commission's Guidelines provide a two-step methodology for determining fines for competition law violations. First, the Commission determines the basic amount by looking at the value of sales of goods or services to which the infringement relates and the duration of the infringement. This combination serves as an "appropriate proxy" that reflects the economic importance of the infringement. In the second step, the basic amount is adjusted upwards or downwards based on the aggravating and mitigating circumstances of each particular case.

Unlike competition law violations, infringements of data protection rules do not always have a direct link to the value of the goods or services to which the violation relates. Although Article 83(2) of the GDPR does mention financial benefits gained, or losses avoided, directly or indirectly from the infringement as relevant in determining the amount of the fine, this consideration appears only as an illustration under the last of eleven listed factors (point (k)). Neither the profits from nor the damage caused by a data protection violation are easily measurable or quantifiable, which makes calculating a basic amount of fine extremely challenging. Companies may be able to turn the absence of a clear economic link between the data protection infringement and the amount of the fine to their advantage in the course of the enforcement procedure.

Since the power to impose administrative fines, as well as the notion of "undertaking", is a novelty for many national DPAs, we expect that the DPAs will only settle on a long-term approach after an initial phase of trial and error, perhaps complemented with formal guidance at the national level. Meanwhile, it is worth keeping in mind that DPA decisions imposing fines will be subject to appeal before national courts and will probably end up before the CJEU in due course.