We are currently consulting on this draft guidance.
- Where a controller or processor forms part of an undertaking, for example where a controller is a subsidiary of a parent company, the Commissioner will calculate the maximum fine based on the turnover of the undertaking as a whole.23
- The UK GDPR and DPA 2018 do not define the term ‘undertaking’ in the context of imposing fines. 24 However, the recitals to the UK GDPR are clear that an ‘undertaking’ for these purposes should be understood in accordance with UK competition law.
- Recital 150 UK GDPR states that ‘an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102’ of the Treaty on the Functioning of the EU (TFEU). Articles 101 and 102 TFEU set out prohibitions on anti-competitive agreements between undertakings and anti-competitive conduct by dominant undertakings. 25 In applying the EU GDPR, the European Data Protection Board (EDPB) has confirmed it considers the case law of the Court of Justice of the EU in the field of competition law to be relevant when assessing the turnover to be taken into account in the context of verification of the upper limit of the fine amount.26
- While Articles 101 and 102 TFEU and EDPB decisions no longer apply to the UK following the UK’s exit from the European Union 27, the concept of an ‘undertaking’ is well established in UK competition law through UK and retained EU case law.
- An ‘undertaking’ refers to any entity that is engaged in economic activity, regardless of its legal status or the way in which it is financed 28. An entity is engaged in an ‘economic activity’ where it conducts any activity consisting in offering goods or services on a given market 29. The fact that an entity is not motivated by profit or does not have an economic purpose does not, in itself, mean that it does not engage in economic activity 30. Public authorities, state-controlled enterprises and charities may therefore all fall within the definition of an undertaking if they are carrying on an economic activity.31
- In this context, an undertaking does not correspond to the commonly understood notion of a legal entity or a company under, for example, English commercial or tax law. 32 Instead, an undertaking may comprise one or more legal or natural persons forming a ‘single economic unit’, rather than a single entity characterised as having a legal personality.33
- Whether or not an individual controller or processor forms part of a wider undertaking depends on whether it can act autonomously or whether another legal or natural person, for example a parent company, exercises decisive influence over it. In considering whether a parent company has decisive influence over a controller or processor (and therefore forms part of the same single economic unit), the Commissioner takes into account all relevant factors about the economic, organisational and legal links which tie the relevant subsidiary to the parent company.34
- Where a parent company owns all, or nearly all, the voting shares in a subsidiary there is a presumption that the parent company exercises decisive influence over the subsidiary’s conduct. This presumption may be rebutted. However, the burden is on the parent company to provide sufficient evidence to demonstrate that the subsidiary acts independently.35
- As well as using the concept of the undertaking for determining the relevant maximum amount, the Commissioner may also hold a parent company jointly and severally liable for the payment of a fine imposed on a controller or processor over which the parent company has decisive influence.36
23 Further detail about how the Commissioner will calculate the turnover of an undertaking is set out in Determination of total worldwide annual turnover below.
24 Note that the concept of an ‘undertaking’ for the purpose of imposing a fine under UK GDPR and DPA 2018 should be distinguished from the use of the terms ‘enterprise’ and ‘group of undertakings’ defined in Article 4(18) and (19) UK GDPR, which primarily relate to provisions in Chapter V UK GDPR (Transfers of personal data to third countries or international organisations).
26 See EDPB, Binding Decision 1/2021, WhatsApp Ireland, adopted on 28 July 2021, paragraph 289.
27 Although EDPB decisions and guidance have no legal force in the UK, the Commissioner may have regard to them if the Commissioner considers it appropriate to do so. For example, where the decision or guidance is relevant to a similar matter being considered under UK data protection law.
28 See, for example, the Competition Appeal Tribunal’s judgment in Sainsbury’s Supermarkets v Mastercard Inc.  CAT 11 at paragraph 353, citing Hofner and Elser v Macrotron GmbH, C-41/90, EU:C:1991:161, paragraph 21.
29 Pavel Pavlov v Stichting Pensioenfonds Medische Specialisten, C-180/98, EU:C:2000:428, paragraph 75.
30 For example, see Laurent Piau v European Commission, T-193/02, EU:T:2005:22, paragraph 69, where the EU General Court held that football is an economic activity for football clubs and that they are therefore undertakings within the meaning of competition law.
31 See Office of Fair Trading decision, Exchange of information on future fees by certain independent fee-paying schools, (Case CA98/05/2006), 20 November 2006, paragraphs 1312 to 1320.
32 Sepia Logistics Ltd (formerly known as Double Quick Supplyline Limited) v Office of Fair Trading  CAT 13, paragraph 70.
33 Sepia Logistics Ltd (formerly known as Double Quick Supplyline Limited) v Office of Fair Trading  CAT 13, paragraph 70; Sainsbury’s Supermarkets v Mastercard Inc.  CAT 11, paragraphs 356 and 357.
36 See the Commissioner’s decision of 4 April 2023 in TikTok Information Technologies UK Limited and TikTok Inc, paragraph 190 and EDPB, Binding Decision 1/2021, WhatsApp Ireland, adopted on 28 July 2021, paragraph 290. See also, by analogy, the position under competition law as set out in, for example, Durkan v Office of Fair Trading  CAT 6, paragraph 15 and Sainsbury’s Supermarkets v Mastercard Inc.  CAT 11, paragraphs 363(22).