CJEU case C‑383/23 ILVA (Fine for an infringement of the GDPR) – CJEU Judgment (Denmark, 2025)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled on a case involving ILVA, a furniture store chain, which was accused of keeping data from over 350,000 former customers longer than allowed. The court decided that the fine should not be based on the entire group's revenue but only on ILVA's own turnover. This ruling clarifies how fines should be calculated for companies that are part of larger groups.
What happened
ILVA was charged with improperly retaining data of at least 350,000 former customers.
Who was affected
Former customers of ILVA whose data was retained beyond the allowed period.
What the authority found
The court held that the fine for GDPR violations should be based on the individual company's turnover, not the entire group's revenue.
Why this matters
This decision helps define how penalties are applied to companies within larger groups, emphasizing that individual companies are responsible for their own data practices. Smaller businesses should ensure they understand their own data retention policies.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
ILVA (the controller) operates a chain of furniture stores and is part of the Lars Larsen Group (the undertaking). The total undertaking's turnover was multiple times higher than that of the controller. The controller is charged before the Danish courts with violating the GDPR in relation to the retention of the data of at least 350,000 former customers. On the recommendation of the Danish DPA, the Public Prosecutor’s Office sought the imposition of a fine of DKK1,500,000 (approximately 201,000€) on the controller. The calculation of that amount was based not only on the turnover of the controller, but also on the overall turnover of the undertaking. The Aarhus District Court (Retten i Aarhus) found that since the charges had been brought only against the controller, it was not necessary to take into account the turnover of the undertaking to determine the amount of the fine. Furthermore, the court noted that the controller was engaged in an independent retail activity and that it had not been set up by the parent company for the sole purpose of processing the undertaking's data. The Public Prosecutor’s Office appealed to the High Court of Western Denmark (Vestre Landsret), which decided to stay the proceedings and to request a preliminary ruling asking in essence, whether Article 83(4) to (6) GDPR, read in the light of Recital 150, must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for infringement of the GDPR is imposed on a controller which is or forms part of an undertaking, the amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year. The AG emphasised that the notion of “undertaking” has been recently interpreted by the CJEU in C-807/21 Deutsche Wohnen. According to the CJEU, the undertaking should be understoo
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for CJEU case C‑383/23 ILVA (Fine for an infringement of the GDPR) in DK
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
13 February 2025
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-8875About this data
Cite as: Cookie Fines. CJEU case C‑383/23 ILVA (Fine for an infringement of the GDPR) - Denmark (2025). Retrieved from cookiefines.eu
Last updated: