Italian DPA’s fines: the Supreme Court of Italy clarifies the highest limits

In decision no. 27189 of September 22nd 2023, the Italian Supreme Court of Cassation stated that quantifying a pecuniary administrative fine based on the average percentage applied in similar cases is a violation of the GDPR, which instead requires the amount of the fine to be quantified based on the circumstances of the specific case and according to the highest limit established by the Regulation.

The Case

In 2021, the Italian Data Protection Authority imposed a penalty of € 2,600,000 on a company after ascertaining violations of many rules of the GDPR. The DPA quantified this amount on the basis of art. 83 of the GDPR which, given the violations committed by the company, would have allowed a pecuniary penalty of “up to € 20,000,000 or, for companies, up to 4% of the previous year’s total annual worldwide revenue, if higher”.

The sanctioned company challenged the decision before the Court of Milan, claiming that it was unlawful because the penalty imposed was excessive. In this regard, the plaintiff argued that the penalty represented 7.29% of its total worldwide revenue and was surely higher than the 4% parameter mentioned in art. 83 of the GDPR. It further argued that this amount was even higher than the average percentage (0,0019%) applied by the same DPA to other sanctioned subjects.

The Court of Milan accepted both of the plaintiff’s arguments and annulled the decision of the DPA, stating that the amount of the penalty was excessive.

The Italian DPA appealed the lower court’s decision before the Italian Supreme Court of Cassation, stating, among other things, that the fine imposed was not excessive at all, as it was quantified in accordance with the maximum limit set by the GDPR, equal to € 20,000,000.

GDPR fines: the principles stated by the Supreme Court of Cassation

The Court upheld the appeal of the Italian DPA and overturned the decision of the Court of Milan.

With regard to the reference to the average percentages applied in similar cases, the Court clarified that the rule imposed by the GDPR is to quantify each penalty on the basis of the specific, actual case, in order to guarantee that, in relation to that case, the penalty is effective, proportionate and dissuasive.

“Therefore, the statement of the Court according to which the penalty is illegitimate because allegedly higher compared to the average percentage applied in other cases (moreover not even specified) constitutes an infringement of the Regulation. If anything, a similar statement may be a reporting of an index of a hypothetical disproportion, that anyway should always be related to the “single case”, and as such could imply a judgement adequately and concretely motivated”.

With respect to the statutory maximums established by the GDPR, the Court stated that the literal content of art. 83(5)(a) is clear in providing that the limit expressed as a percentage of annual worldwide revenue is relevant only if the amount of the penalty established by the DPA exceeds the amount indicated by the rule itself (as can be inferred from the rule’s closing phrase “if higher”, which refers to the penalty).

Therefore, the percentage of 4% of annual worldwide revenue is a proportional reference that, for companies, acts as a further statutory limit on the penalty where it is higher than the ordinary amount (€ 20,000,000). When the penalty quantified by the Italian DPA is lower than that amount, the revenue-based limit does not apply.

“Therefore, the reference to the proportionated penalty is not set by the GDPR with a mitigating function of the edictal limitation established with the variable ordinary penalty, but it represents a further and separate edictal limitation to which one should resort only if it is higher (in itself) than the maximum of the above-mentioned penalty”.


Ilaria Feriti