Global menu

Our global pages


GDPR penalties: lessons that can be learnt from competition law

  • United Kingdom
  • Europe
  • Competition, EU and Trade
  • Privacy, data protection and cybersecurity


Like the General Data Protection Regulation (“GDPR”), the current UK competition law regime is derived from the European Union.  Unlike the GDPR, however, EU and UK competition law has existed for decades with a well-developed body of legislation, decisions, jurisprudence and guidance.  In this briefing, we consider the lessons that can be learnt from EU/UK competition law in respect of the financial penalties that can be imposed by the Information Commissioner’s Office (“ICO”) for breaches of the GDPR or the Data Protection Act 2018 (“DPA”) in the UK.

Maximum financial penalties 

The European Commission (“Commission”) and the UK Competition and Markets Authority (“CMA”)[1] have the power to impose a maximum financial penalty of 10 per cent of an “undertaking’s” total group worldwide turnover for breaching competition law.  Although the maximum fine for breaching the GDPR/DPA is lower,[2] the concepts used to determine the level of fines are similar.


The GDPR does not define an “undertaking”.  Instead, recital 150 GDPR expressly stipulates that the concept should be considered in accordance with EU competition law principles.[3] These are set out in Articles 101 and 102 of the Treaty on the Functioning of the European Union and in Chapter 1 and 2 of the UK Competition Act 1998.  However, they do not in fact provide any guidance on what an “undertaking” actually is.  The definition has been developed over the years through the Commission’s decisional practice and the jurisprudence of the EU courts.

“Economic activity”

Under EU competition law, an “undertaking” has been defined broadly to include any entity which is engaged in an economic activity.  In other words, any activity consisting in offering goods or services on a particular market.  The legal status of the entity and the way in which it is financed is irrelevant for this purpose.  It is possible for an entity to perform both economic and non-economic activities such as public bodies.  Therefore, it is important for regulators to categorise the type of activity which was being performed when the breach occurred.

“Single economic entity”

Another important legal concept under EU competition law is the “single economic entity” doctrine.  In relation to financial penalties, this doctrine is fundamental to determine:

  • who is liable to pay the fine; and
  • the maximum level that can be imposed.

The single economic entity doctrine is used to determine which companies are in the same economic group.  Under competition law, this can be broader than the companies which form part of the same corporate group and is based on the ability to “exercise decisive influence”.  This is essentially a test of control and is used to ascertain whether an entity enjoys “real autonomy” in determining its commercial policy on the market. 

Parental liability 

It is well established under EU competition law that if a parent company has a 100% shareholding in a subsidiary, it is presumed to exercise decisive influence over that entity.  It is possible for the parent company to rebut this presumption by providing evidence that the subsidiary acted independently on the market and that any economic, organisational and legal links between the parent and the subsidiary do not mean that they are a single economic entity.  However, this has proven very difficult to achieve in practice.  Therefore, when a wholly-owned subsidiary is found to have breached EU/UK competition law, the parent company is usually held to be jointly and severally liable for any fine imposed on its subsidiary.[4]

Furthermore, under EU/UK competition law, parental liability does not end once a subsidiary is sold.  The EU and UK competition authorities consider who was responsible for the infringing company’s conduct when the infringement was committed.  If the parent company was jointly and severally liable with the subsidiary for the infringement which took place before the subsidiary was sold, the former parent company will remain jointly and severally liable for that infringement.  However, if the subsidiary continues the infringement post-acquisition, the successive owner will usually be held jointly and severally liable with the infringing subsidiary from the date of the acquisition (assuming parental liability can be established).  In this situation, the overall liability will be apportioned between the seller and buyer of the subsidiary based on their respective periods of ownership.  This highlights the importance of:

  • conducting thorough due diligence before acquiring a company;
  • ensuring that the warranties in the SPA are sufficiently broad to capture any unknown or undisclosed breaches of competition law; and
  • ensuring that any indemnities provided by the seller are sufficient to cover any financial penalties imposed by competition authorities, as well as any damages that may be awarded in follow-on litigation.

Maximum fine

The maximum fine permitted under EU/UK competition law is limited to 10 per cent of the total annual group worldwide turnover of the infringing undertaking.  For the regulator to calculate this amount, it needs to determine which entities form part of the same single economic group.  Under EU competition law, this can include entities which are not wholly-owned subsidiaries and can even include minority shareholders if they have the ability to exercise decisive influence over the commercial policy of an entity within that group.  For example, if an infringing undertaking is owned by a private equity firm, the turnover of all of the companies upon which it can exercise decisive influence is included for the purpose of determining the maximum fine.  

The largest fine imposed to date by the Commission was EUR 4.34 billion, which was levied on a global technology player on a joint and several basis with its parent company.  The fine amounted to approximately 4.4 per cent of worldwide group turnover. 


Privacy practitioners and risk managers can learn much from competition law (and how risk and potential fines are calculated, assessed and mitigated).  There is now a close alignment of, on the one hand, control of data and, on the other, measuring an organisations dominance or ability to influence markets.  Accordingly, our Privacy and Competition teams are working closely in assisting and supporting clients in this area.

Return to the article series>

For more information, please get in touch

[1] As well as the other concurrent UK competition authorities. 

[2] The maximum amount of the penalty for breaching the GDPR or the DPA depends on the type of breach and whether the ‘standard maximum amount’ or ‘higher maximum amount’ applies.  For “undertakings”, the standard maximum amount is EUR 10 million or 2 per cent of total worldwide [group] turnover (whichever is the highest) and the higher maximum amount is EUR 20 million or 4 per cent of total worldwide [group] turnover (whichever is the highest).

[3] “…Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes.”

[4] If a joint venture company is found to have breached EU/UK competition law, the parents of that company can be fined on a joint and several basis.