GDPR fines must be calculated based on total worldwide annual turnover

In a criminal case for breach of the GDPR against a chain of furniture stores, a dispute arose over whether the fine should be based on the total turnover of the entire undertaking. The Danish Data Protection Agency initially proposed to issue a fine of DKK 1.5 million, but the District Court only imposed a fine of DKK 100,000.

The company's total turnover was DKK 1.8 billion, but the total turnover of the undertaking was about three times that. As a result, the fine would be significantly different depending on what turnover it should be based on. The Danish Western High Court asked the European Court of Justice for clarification.

The European Court of Justice determined that the term “undertaking” should be understood in the same way as in competition law. That means that fines must be calculated as a percentage based on the total worldwide annual turnover within the entire undertaking, not just the individual company. At the same time, the European Court of Justice emphasized that it is crucial that fines are effective, proportionate and dissuasive. 

IUNO’s opinion

Unsurprisingly, the case shows that a breach of the data protection rules by an individual controller can impact the entire organization. This is a good example of how important it is to have strong compliance work across the entire organization.

IUNO recommends that companies ensure proper compliance with the fundamental requirements under the data protection rules. In this specific case, the company breached the rules on data retention by unlawfully storing information on approximately 385,000 customers. We have previously written about a fine for breaching the data retention rules here.

[The European Court of Justice judgement of 13 February 2025 i case C-383/23]