This section of the Fining Guidance explains how the ICO approaches the concept of an ‘undertaking’ for the purpose of imposing fines. The recitals to the UK GDPR are clear that an ‘undertaking’ in this context should be understood in accordance with competition law.
In summary, the Fining Guidance explains that:
- an ‘undertaking’ refers to any entity that is engaged in economic activity by offering goods or services on a market;
- an ‘undertaking’ may comprise one or more legal or natural persons forming a single economic unit; and
- whether or not an individual controller or processor forms part of a wider undertaking depends on whether it can act autonomously or whether another legal or natural person (for example a parent company) exercises decisive influence over it.
Summary of responses
Respondents provided a range of views on the ICO’s approach to the concept of an undertaking. Some were supportive, while others sought additional clarity given the technical nature of the definition or raised concerns about transposing definitions that have developed in competition law to data protection matters.
Some respondents considered that the ICO’s approach makes sense and, in particular, that it is important to ensure that large companies are incentivised to meet regulatory standards across their corporate groups and are not able to avoid fines based on liability only falling on a subsidiary company.
By contrast, other respondents said that there are reasonable concerns about adopting the same approach as under competition law, despite this being the position in the recitals to the UK GDPR. In particular, respondents suggested that for global companies it would be disproportionate to take the global firm’s turnover as a starting point, rather than that of its UK subsidiary. They also suggested that the ICO’s interpretation needs to align with the nuances of UK domestic law and avoid discouraging firms from using UK-based services or making investments in the UK.
Some respondents suggested that it would be helpful to be clearer about when a parent company has ‘decisive influence’ over a subsidiary, taking into account that a parent company may not have control over the specific processing activities concerned or over the subsidiary’s broader compliance with UK data protection law. Another respondent noted that in many other legal regimes, such as under sentencing guidelines, courts will only look behind the corporate veil in exceptional circumstances.
ICO Response
The ICO welcomes the supportive comments regarding the approach to the concept of an undertaking. While acknowledging the requests for further clarity about the definition for those who are less familiar with data protection law, the ICO considers that the level of detail is appropriate in the context of statutory guidance on fines that is primarily aimed at practitioners and organisations under investigation.
The concept of ‘undertaking’ is well developed in UK competition law (for example, see the case law cited in the Fining Guidance). In many cases it is straightforward to apply the presumption that a parent company has decisive influence over a wholly-owned subsidiary.
As a general principle, the ICO considers it is reasonable to expect that a parent company should generally be held responsible for the conduct – including data processing – of its wholly-owned subsidiaries where together they act as a single economic unit. Indeed, this is the position reflected in Recital 150 to the UK GDPR. If that were not the case, then a global parent company could seek to reduce its potential liability for data protection fines by minimising the turnover of the legal entity within its corporate group that it identifies as a controller for the processing of personal data of UK data subjects. This may artificially lower the fine that could be imposed, undermining the ICO’s ability to enforce UK data protection law and properly protect the personal data of people in the UK.
Where a parent company considers it has evidence to rebut the presumption that it has decisive influence over a wholly-owned subsidiary, the ICO will, of course, assess that evidence on a case-by-case basis. The case law cited in the Fining Guidance sets out a range of examples of the types of factors relevant to the economic, organisational and legal links that tie a subsidiary to a parent company.
These will vary from case to case, but may, for example, include the level of shareholding a parent company has in its subsidiary and the representation it has on the subsidiary’s board. It may also include other evidence of the influence the parent company has over a subsidiary’s conduct and operations, such as its influence over the way the subsidiary provides goods or services to data subjects or processes their personal data. In response to the comments received, we have amended the Fining Guidance to provide this explanation.