A German property company’s court win regarding a penalty levied against it for alleged violations of the General Data Protection Regulation (GDPR) carries notable ramifications for enforcement of the EU privacy law.

The Court of Justice of the European Union (CJEU) ruled Tuesday on a case related to a penalty of 14.5 million euros (U.S. $15.7 million) initially levied against Deutsche Wohnen by the Berlin Data Protection Commissioner in 2019 for alleged violations of the GDPR regarding retention of tenant data for longer than necessary. That penalty was reversed in 2021 after a Berlin regional court found that, under German law, the company could not be held responsible for violating the GDPR unless blame could be attached to a specific individual or executive.

An appeal of that determination prompted the involvement of the CJEU, which held “a data controller may not have an administrative fine imposed on it for an infringement of the GDPR unless that infringement was committed wrongfully; that is to say, intentionally or negligently.”

The case affects interpretation of Article 83 of the GDPR regarding how administrative fines should be imposed.

“The case raised important questions about the application of GDPR,” stated Kai Mertens, a Squire Patton Boggs partner representing Deutsche Wohnen in the case. “We are pleased that European Court of Justice has now clarified that only an intentional or negligent infringement of the GDPR may result in an administrative fine.”

Deutsche Wohnen offered no further comment.

The CJEU also ruled that when a GDPR penalty is levied against an affiliate of a larger group of companies, the maximum fine must be calculated based on the group’s annual turnover.