European Data Protection Board (EDPB) specifies calculation basis for GDPR fines

The Draft Guidelines published by the EDPB on May 12, 2022 are intended to complement Working Paper 253, the subject of which is the application and setting of fines pursuant to GDPR. Comments on the Draft will be accepted until June 27, 2022. The Guideline aims to introduce a uniform methodology for calculating fines and thus contribute to further harmonization and transparency of national data protection authorities’ fining practices. The Draft Guideline breaks down the methodology for calculating fines into five steps:

Step 1 (Chapter 3 of the Draft Guidelines): Substantive data processing and scope of Art. 83 (3) GDPR.
The first step initially focuses on the identification of the data processing in question. Subsequently, the national supervisory authorities are to check whether the processing is within the scope of Art. 83 (3) GDPR, i.e., whether it is sanctionable.

Step 2 (Chapter 4 of the Draft Guidelines): Determination of the initial value for calculating the amount of the fine.
In the next step, the initial value for determining the amount of the fine is established. In the course of this, the infringement is classified according to Art. 83 (4-6) GDPR (EUR 10 million or 2 % of the annual turnover or EUR 20 million or 4 % of the annual turnover) at the beginning.

In addition, the severity of the breach pursuant to Art. 83 (2) a), b) and g) GDPR is included in the calculation. In this context, criteria such as the type and duration or the fault (intentionality or negligence) with regard to the breach are decisive. This step also includes a determination as to which categories of personal data are affected by the breach. Another relevant element in the calculation is the company’s turnover. This is due to the fact that, according to Art. 83 (1) GDPR, the fine should be “effective, proportionate and dissuasive”. However, the Draft Guidelines suggest to the supervisory authorities to significantly reduce the basic amount with regard to small and medium-sized enterprises.

Step 3 (Chapter 5 of the Draft Guidelines): Assessment of aggravating and mitigating circumstances.
In connection with the controller’s past or present conduct, the Draft provides guidance to supervisory authorities to increase or decrease the fine accordingly.
Mitigating circumstances include taking measures to limit the damage and immediately ceasing the harmful conduct. Cooperation with the supervisory authority can also be taken into account as a mitigating factor. This includes, among other things, independently reporting the violation before the supervisory authority becomes aware of it. In contrast, a previous breach of the GDPR has the effect of increasing the fine.

Step 4 (Chapter 6 of the Draft Guidelines): Determination of the upper limit of the fine
At this point, a distinction is made between the static (EUR 10 million or 20 million) and the dynamic (2 % or 4 % of the annual turnover) consideration of the upper limits for the fine. Pursuant to Art. 83 (4) and (5) GDPR, the higher amount is to be applied in each case. Accordingly, the dynamic approach only applies to companies with a total annual turnover of more than EUR 500 million. The upper limits also include increases in fines that have already been imposed as a result of the previous steps.

Step 5 (Chapter 7 of the Draft Guidelines): Weighing according to criteria pursuant to Art. 83 (1) GDPR
In the final step, it must be evaluated whether the final amount of the fine meets the requirements of “effectiveness, dissuasive character and proportionality” pursuant to Article 83 (1) GDPR. If this is not the case, the amount of the fine should be adjusted accordingly.

Conclusion: EDPB creates more transparency on fine risks
The Draft is to be welcomed, especially from a company’s point of view, as the guidelines can be used as an instrument to better assess the risk of potential fines in the future. In the event of a company's own GDPR infringements, the Guidelines offer greater predictability of the resulting fine amount. The reduction of the basic amount for less financially strong small and medium-sized enterprises is to be welcomed. The supervisory authorities’ assessment of aggravating or mitigating circumstances, on which the amount of the fine may additionally depend, will play a central role for companies (Step 3). Therefore, data protection related compliance measures will become even more relevant for companies in the future.

The Draft aims at further harmonizing the fine calculation procedure. The establishment of the five-stage calculation methodology creates a basis for this. However, whether the effects of harmonization and greater transparency will also be reflected in the actually imposed fines cannot be predicted with certainty, given the dependence on the circumstances of the individual case. This fact is emphasized even in the Draft of the Guidelines, since it is the basis of calculation and not the concrete result that can and should be harmonized (cf. in particular chapter 5). Until the final application of the Guidelines, it therefore remains to be seen to what extent at least the uniform calculation basis will take effect and thus minimize legal uncertainties regarding impending GDPR fines.

It also remains to be seen whether the Draft will be subject to changes based on the comments received at the end of the public consultation process. Overall, however, the Draft already sets the cornerstones for the imposition of fines in practice, from which the final version will probably differ only marginally. Companies are therefore recommended to already prepare themselves for the defined calculation basis and criteria.

Many thanks to Philip Koch and Amai Niedermowwe for their valuable assistance in writing this post.