New guidelines for calculating fines for data protection breaches

On May 12, 2022, the European Data Protection Board (EDSA) published for consultation guidelines on harmonizing the calculation of fines by data protection authorities. The calculation method proposed by the EDSA serves to standardize the practice of fines in the Member States and is intended to create further legal clarity and transparency with regard to the application of the criteria of Art. 83 GDPR. It is not yet possible to predict what concrete effects the new guideline will have on the practice of imposing fines. However, for large and high-turnover companies, this could lead to higher fines on average across Europe in the future.

The five-step model

In the guidance, EDSA proposes a five-step model for determining the amount of fines. However, this is not intended to be a rigid mathematical procedure. The individual assessment of a fine remains essentially dependent on the evaluation of all circumstances of the individual case.

1. Determination of the number of violations
2. Determination of the initial amount
   a. Determination of the nature of the breach (Art. 83(4-6) GDPR)
   b. Assessment of the seriousness of the breach (Art. 83(2) GDPR)
   c. Determination of the annual turnover of the company
3. Evaluation of all aggravating and mitigating circumstances
4. Determination of the upper limit of the fine
5. Final evaluation

1. Determination of the number of violations

In the first step, the data protection authority identifies the relevant data protection violations and examines whether they each constitute one or more individually punishable violations of data protection law.

2. Determination of the initial amount

Then determine the starting amount for further calculation of the fine. For this purpose (i) the nature of the violation, (ii) the seriousness of the infringement; and (iii) determine the annual turnover of the company.

a. First, the infringements must be assigned to the two categories identified in Art. 83 GDPR. This determines the statutory maximum amount of the fine to be imposed. Violations under para. 4 shall be punishable by a maximum fine of EUR 10 million or 2% of the previous year’s global sales, and violations under para. 5 and 6 with a maximum fine of 20 million euros or 4% of the previous year’s global sales.

b. Next, the seriousness of the respective violation shall be assessed. Violations are to be classified as low, medium or high after a comprehensive overall assessment of the individual case. In particular, the provisions of Art. 83 para. 2 GDPR to be included. For example, breaches in the context of processing data of particularly vulnerable individuals (such as employees or children), special categories of personal data (such as health data), breaches affecting the core activity of the controller, or a high number of data subjects may be particularly serious. In addition, the degree of fault must be taken into account. Depending on the severity of the violation, an appropriate starting amount must be determined. In this regard, the guidelines provide for the following gradation:

• • • Severity of the infringement: Low; initial amount: 0 – 10 % of the statutory maximum amount
    • Severity of the infringement: medium; initial amount: 10 – 20 % of the statutory maximum amount
    • Severity of the infringement: severe; initial amount: 20 – 100 % of the statutory maximum amount

c. The specific calculation of the starting amount shall also be based by the data protection authority on the company’s annual worldwide turnover. Here, adjustments can be made to the starting amount according to the severity of the data protection breach for companies with lower annual sales. In this regard, EDSA proposes the following gradation:

• • • Annual turnover in EUR: ≤ 2 million; maximum reduction to: 0.2% of the initial amount
    • Annual turnover in EUR: ≤ 10 million; maximum reduction to: 0.4 % of the initial amount
    • Annual turnover in EUR: ≤ 50 million; maximum reduction to: 2 % of the initial amount
    • Annual turnover in EUR: 50 million – 100 million; maximum reduction to: 10 % of the initial amount.
    • Annual turnover in EUR: 100 million – 250 million; maximum reduction to: 20 % of the initial amount.
    • Annual sales in EUR: ≥ 250 million; maximum reduction to: 50 % of the initial amount

As a rule, the higher the company’s sales within the respective level, the higher the starting amount. However, the DPA is not required to make this adjustment if it is not necessary for a deterrent effect.

3. Evaluation of all aggravating and mitigating circumstances

In the third step, the initial amount determined is adjusted taking into account the remaining aggravating and mitigating factors (Art. 83(2) GDPR).

In this context, the behavior of the company in the past and in the course of the fine proceedings must be considered in particular. In particular, measures taken by the controller to mitigate harm to data subjects, previous data protection breaches by the controller, the manner in which the breach came to the attention of the data protection authority, the degree of cooperation with the data protection authorities or the achievement of an economic benefit from the breach may be taken into account.

4. Determination of the upper limit of the fine

In the fourth step, the data protection authority determines the maximum amounts for the data protection breach and sets the upper limit for the fines. The relevant figure is the worldwide annual sales of the company in relation to the entire business entity. According to the total annual sales thus determined, either the static maximum amount of 10 million or 20 million euros or the dynamic maximum amount of 2% or 4% of worldwide annual sales, whichever is higher, can become relevant.

5. Final evaluation

Finally, we evaluate whether the fine determined is effective, proportionate and dissuasive. This step represents a final corrective in the sense of a concluding overall view. If the DPA concludes that, for example, the total amount determined is not sufficiently suitable to achieve the stated objectives or the fine exceeds what is necessary to achieve the objectives pursued by the GDPR, the amount can still be corrected accordingly. In justified exceptional cases, the economic performance of the company may also be taken into account, for example if the company demonstrates and proves that the fine will have a lasting adverse effect on the company’s economic performance.

Effects of the guideline

After giving EDSA until June 27, 2022 to comment on the guideline, it is expected that the draft guideline will be finalized and formally adopted in Q4 of this year.

The calculation model presented provides a uniform basis for calculating fines for data protection violations and thus contributes to harmonizing the practice of fines at the European level. It also replaces the previously existing calculation model of the German authorities. The structured calculation approach increases the transparency of the fine assessment. Responsible persons throughout the Union will thus be in a position to better assess the respective risk of a fine on the basis of the concrete assessment criteria and examples provided. However, there remains a considerable margin of discretion for data protection authorities, so that precise predictions are still not possible. It is therefore not possible to determine with certainty whether the new calculation model in Germany will generally lead to higher or lower fines compared with the previous calculation method. However, knowing the criteria for assessing fines is key for responsible parties to take appropriate countermeasures to minimize fines.