Fines for violations of the EU General Data Protection Regulation (GDPR) or national data protection law still vary greatly across the EU. In order to standardise the fines imposed by EU member states and make them more transparent, the European Data Protection Board (EDPB) published Guidelines on the calculation of fines in May 2023. We explain what companies can now expect.
Calculation of fines under the GDPR
The headlines about data protection violations by companies with substantial fines being imposed are never-ending. Be it EUR 1.2 billion for unlawful third country transfers for Meta, or EUR 5 million for non-transparent data processing and inadequate disclosure for Spotify.
In principle, the competent supervisory authority under the GDPR can impose fines of up to EUR 20 million for infringements or, in the case of corporate groups, up to 4% of the total global turnover generated in the previous financial year – whichever is higher!
However, since the GDPR came into force in 2018, very heterogeneous practices of imposing fines have been observed in the individual EU member states. The Irish supervisory authority even refused to impose a fine on Meta and had to be forced by the EDPB to impose a correspondingly high fine following objections from other European data protection authorities.
EDPB Guidelines on the calculation of fines
In view of the different levels of fines imposed in the past, the EDPB now sets out the standards that European data protection authorities should use when calculating fines. The Guidelines provide for a calculation procedure consisting of five steps:
1. What offences have been committed?
The first step is for the data protection authorities to determine which behaviour is sanctionable and whether the incident in question is a single act or multiple acts. The authority can take each individual offence into account if there are multiple offences. As a result, the fine can be significantly higher. Nevertheless, Art. 83 (3) GDPR must be observed so that the total amount of the fine may not exceed the maximum amount of the most serious offence.
2. What are the starting point and upper limit of the fine?
As a second step in the calculation, the Guidelines set out a starting point that is intended to establish a basis for the amount of the fine for each individual offence. This step is the central component of the Guidelines. Firstly, the supervisory authority must determine what the upper limit of the fine should be for each offence. Two values could be taken into account here:
- either EUR 10 million or 2% of the previous year’s global turnover in accordance with Art. 83 (4) GDPR,
- or, in accordance with Art. 83 (5), (6) GDPR, EUR 20 million or 4% of the previous year’s turnover.
The type and category of personal data concerned, the seriousness of the offence and the turnover of the company/companies concerned must be taken into account.
The severity of the offence is divided into three levels: low, medium and high. For a low severity category, the starting point for the calculation is 0-10% of the respective upper limit. For high severity, the starting point is 20-100% of the upper limit.
Furthermore, the type of processing must be taken into account when assessing the starting point. This means that the authority can assign a higher severity to processing operations that constitute monitoring or evaluation activities. The EDPB Guidelines also stipulate that if the number of data subjects is high, the severity must also be categorised as high. This means that the more far-reaching the offence, the higher the fine.
3. How high is the turnover and are there other mitigating or aggravating circumstances?
Once the initial value has been determined, the next step is to take into account the turnover of the company or corporate group in question. This can have a further impact on the initial amount. If a corporate group has a very low turnover, e.g. up to EUR 2 million, the initial amount can be reduced by up to 0.2%. With a turnover of more than EUR 250 million, the initial amount is reduced by up to 50%. Basically, this means that the higher the turnover, the higher the starting amount. The purpose of this is to ensure that even large corporate groups receive appropriate and deterring penalties. Whether this will actually materialise in practice remains to be seen.
The following example is intended to illustrate the third step of the calculation procedure:
Assume that a corporate group achieved a turnover of EUR 300 million in the last financial year and is to be penalised for a data protection breach. In this example, the initial amount is EUR 1 million due to the nature and severity of the offence, and no mitigating or aggravating factors have been taken into account. The corporate group's turnover now comes into play. The reduction here is 0.2% per EUR 1 million in turnover. This results in a reduction of EUR 600,000 (0.2% × EUR 300 million). The amount of the fine after the reduction is therefore EUR 400,000.
Furthermore, the supervisory authority must examine whether there are mitigating or aggravating factors pursuant to Art. 83 (2) GDPR that reduce or increase the fine. Past experience with the controller or processor may also be taken into account in the assessment. Another circumstance that can also be taken into account and lead to a reduction of the fine is good cooperation with the supervisory authority in order to limit or even avoid negative consequences. However, if the supervisory authority comes to the conclusion that aggravating circumstances exist, an initial fine of EUR 150,000 could turn into a fine of EUR 200,000, for example.
4. What is the maximum amount that may be applied?
The fourth step is to include the statutory maximum amounts pursuant to Art. 83 (4-6) GDPR. Care should be taken to ensure that these are not exceeded.
5. Is a deterrent effect achieved if proportionality is observed?
Ultimately, the authority must examine whether the final amount achieves the desired deterrent effect on the one hand and whether it is proportionate on the other, or whether further adjustments to the amount are necessary.
Significance of the Guidelines on the calculation of administrative fines under the GDPR
The EU-wide standardisation of the procedure for calculating fines could result in companies and corporate groups receiving higher fines for GDPR violations than before. This will particularly affect companies and corporate groups in EU member states whose supervisory authorities have previously been rather reluctant to impose (high) fines.
One positive effect for companies and corporate groups, however, is the associated legal certainty that is guaranteed by the standardisation. In addition, transparency is increased and companies and corporate groups can better assess which factors are taken into account when calculating fines and incorporate this into their risk analyses.
Even if the EDPB Guidelines aim to standardise the level of fines in the EU member states, it remains to be seen whether this effect will actually materialise. This is because, despite the five steps specified, the supervisory authorities still have a great deal of individual discretion.
It also remains to be seen whether the planned GDPR Procedural Regulation, which is intended to optimise cross-border proceedings by supervisory authorities, will have an impact on the area of fines and the amount of fines.