ECJ: Landmark Judgement on Corporate Accountability in Data Protection and the Obligation to Effective Compliance Controls

In a landmark judgement, the European Court of Justice (ECJ) has strengthened its prior considerations regarding the corporate liability of data controller & processors for data breaches (C-741/21/Juris).

According to the ECJ’s verdict from 11th of April, 2024, the implementation of a GDPR-compliant ruleset is not sufficient to reduce a data processing entity’s corporate accountability: the mere fact that a set of policies and procedures exists does not allow a data processing entity to exculpate itself from the liability for data protection violations, when compliance with such ruleset is not enforced effectively.

Only the implementation of a ruleset, combined with effective controls and appropriate oversight and quality assurance therefore protects data processors and data controllers from being held liable for violations of data subjects’ rights, in terms of their corporate accountability.

Corporate accountability, in terms of GDPR compliance, means the liability of a data processing entity for breaches of data subjects’ rights, conducted in the course of their operations and/or by their associates. As per the latest ruling, a data processing entity remains fully accountable, even if it had implemented a GDPR-compliant ruleset, but its employees or agents failed to follow the procedures.

As much as the ECJ did not concretise the level of oversight and enforcement necessary for a liability exculpation, it is safe to say that only steady training, awareness and effective controls can cater for a reasonable level of protection, for data processing entities.

The considerations made by the judges once again point out the importance of the operation of an effective compliance management system, consisting not only of a compliant set of policies and procedures, but also the implementation further organisational and, if applicable, technical measures and mechanisms for their effective control and enforcement, in order to really achieve the goal of regulatory risk-mitigation.

From the perspective of a risk management professional, the arguments outlined for case C-741/21 transpond easily to further compliance areas, beyond the field of privacy and data protection. Due to the similar nature and structure of risk identification and mitigation in further compliance areas, subject persons are advised to review and reflect their entire compliance and risk management framework, taking into account the principles stipulated in the Juris-case, for a sustainable and reliable protection from the consequences of regulatory breaches.

The incorporation of standardised frameworks, such as the ISO 37301-standard for compliance management systems can support obliged entities in the design and development of compliant rules and effective controls – but only close-knit and efficient control systems will provide for the required level of security.

Data protection and privacy, compliance management systems and effective control frameworks as well as risk management and how to secure your business from regulatory breaches are just the topics on top of your agenda? Have a virtual coffee and an insightful chat with Nikolas Lotz (nikolas@chevron.group) and Thees Buschmann (thees@chevron.group) from Chevron Group. Follow us on LinkedIn for more industry related news.