07.07.2022 | KPMG Law Insights

New guidelines for calculating fines for data protection breaches

On May 12, 2022, the European Data Protection Board (EDPB) published draft guidelines for consultation on harmonizing the calculation of fines by data protection authorities. The calculation method proposed by the EDPB is meant to standardize fining practice across the Member States and to create further legal clarity and transparency in the application of the criteria of Art. 83 GDPR. It is not yet possible to predict what concrete effects the new guideline will have on the practice of imposing fines. For large and high-turnover companies, however, it could lead to higher fines on average across Europe in the future.


The five-step model

In the guidance, the EDPB proposes a five-step model for determining the amount of fines. This is not intended to be a rigid mathematical procedure, however: the individual assessment of a fine remains essentially dependent on the evaluation of all circumstances of the individual case.

  1. Determination of the number of violations
  2. Determination of the initial amount
    a. Determination of the nature of the breach (Art. 83(4-6) GDPR)
    b. Assessment of the seriousness of the breach (Art. 83(2) GDPR)
    c. Determination of the annual turnover of the company
  3. Evaluation of all aggravating and mitigating circumstances
  4. Determination of the upper limit of the fine
  5. Final evaluation


  1. Determination of the number of violations

In the first step, the data protection authority identifies the relevant data protection violations and examines whether they each constitute one or more individually punishable violations of data protection law.


  2. Determination of the initial amount

In the second step, the starting amount for the further calculation of the fine is determined. For this purpose, (i) the nature of the violation, (ii) the seriousness of the infringement and (iii) the annual turnover of the company are established.

a. First, the infringements must be assigned to the two categories identified in Art. 83 GDPR. This determines the statutory maximum amount of the fine that can be imposed. Violations under para. 4 carry a maximum fine of EUR 10 million or 2% of the previous year’s global turnover; violations under paras. 5 and 6 carry a maximum fine of EUR 20 million or 4% of the previous year’s global turnover.

b. Next, the seriousness of the respective violation is assessed. After a comprehensive overall assessment of the individual case, violations are classified as low, medium or high. In particular, the criteria of Art. 83(2) GDPR are to be taken into account. For example, breaches involving the processing of data of particularly vulnerable individuals (such as employees or children) or special categories of personal data (such as health data), breaches affecting the core activity of the controller, or breaches affecting a high number of data subjects may be particularly serious. In addition, the degree of fault must be taken into account. Depending on the severity of the violation, an appropriate starting amount is then determined. The guidelines provide for the following gradation:

      • Severity of the infringement: low; initial amount: 0 – 10 % of the statutory maximum amount
      • Severity of the infringement: medium; initial amount: 10 – 20 % of the statutory maximum amount
      • Severity of the infringement: high; initial amount: 20 – 100 % of the statutory maximum amount

c. The data protection authority also bases the specific calculation of the starting amount on the company’s annual worldwide turnover. For companies with lower annual turnover, the starting amount can be adjusted downwards according to the severity of the data protection breach. The EDPB proposes the following gradation:

      • Annual turnover in EUR: ≤ 2 million; maximum reduction to: 0.2 % of the initial amount
      • Annual turnover in EUR: ≤ 10 million; maximum reduction to: 0.4 % of the initial amount
      • Annual turnover in EUR: ≤ 50 million; maximum reduction to: 2 % of the initial amount
      • Annual turnover in EUR: 50 million – 100 million; maximum reduction to: 10 % of the initial amount
      • Annual turnover in EUR: 100 million – 250 million; maximum reduction to: 20 % of the initial amount
      • Annual turnover in EUR: ≥ 250 million; maximum reduction to: 50 % of the initial amount

As a rule, the higher the company’s turnover within the respective tier, the higher the starting amount. However, the DPA is not required to make this adjustment if it is not necessary for a deterrent effect.


  3. Evaluation of all aggravating and mitigating circumstances

In the third step, the initial amount determined is adjusted taking into account the remaining aggravating and mitigating factors (Art. 83(2) GDPR).

In this context, the conduct of the company both in the past and during the fine proceedings is of particular importance. Factors that may be taken into account include measures taken by the controller to mitigate harm to data subjects, previous data protection breaches by the controller, the manner in which the breach came to the attention of the data protection authority, the degree of cooperation with the data protection authorities, and any economic benefit obtained from the breach.


  4. Determination of the upper limit of the fine

In the fourth step, the data protection authority determines the maximum amounts applicable to the data protection breach and thereby sets the upper limit of the fine. The relevant figure is the worldwide annual turnover of the company, assessed for the entire business entity. Depending on the total annual turnover thus determined, either the static maximum amount of EUR 10 million or EUR 20 million or the dynamic maximum amount of 2% or 4% of worldwide annual turnover applies, whichever is higher.


  5. Final evaluation

Finally, the data protection authority evaluates whether the fine determined is effective, proportionate and dissuasive. This step serves as a final corrective in the sense of a concluding overall view. If the DPA concludes, for example, that the total amount determined is not sufficient to achieve the stated objectives, or that the fine exceeds what is necessary to achieve the objectives pursued by the GDPR, the amount can still be corrected accordingly. In justified exceptional cases, the economic capacity of the company may also be taken into account, for example where the company demonstrates and proves that the fine would have a lasting adverse effect on its economic viability.
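As an added illustration, not part of the original article or of the EDPB guidelines, the following Python sketch strings steps 2 to 4 together using the tier figures given above. Assumptions: turnover tier boundaries are treated as inclusive at the upper bound, and the step-3 circumstances enter as a caller-supplied percentage multiplier since the guidelines give no figure for them; step 5 remains a qualitative judgement the code does not model.

```python
from fractions import Fraction
# Tier figures are those the article reports for the draft EDPB guidelines.
# Assumed here: turnover tier bounds are inclusive at the top, and the step-3
# circumstances enter as a caller-supplied percentage (the guidelines give none).
STATIC_MAX_EUR = {"83(4)": 10_000_000, "83(5)-(6)": 20_000_000}
DYNAMIC_SHARE = {"83(4)": Fraction(2, 100), "83(5)-(6)": Fraction(4, 100)}
SEVERITY_BAND = {  # share of the statutory maximum taken as initial amount
    "low": (Fraction(0), Fraction(10, 100)),
    "medium": (Fraction(10, 100), Fraction(20, 100)),
    "high": (Fraction(20, 100), Fraction(1)),
}
TURNOVER_FLOOR = [  # (upper turnover bound in EUR, lowest share after reduction)
    (2_000_000, Fraction(2, 1000)),
    (10_000_000, Fraction(4, 1000)),
    (50_000_000, Fraction(2, 100)),
    (100_000_000, Fraction(10, 100)),
    (250_000_000, Fraction(20, 100)),
    (None, Fraction(50, 100)),  # 250 million and above
]

def statutory_maximum(category: str, turnover: int) -> int:
    """Step 4: the higher of the static cap and the turnover-based cap."""
    return max(STATIC_MAX_EUR[category], int(DYNAMIC_SHARE[category] * turnover))

def turnover_floor(turnover: int) -> Fraction:
    """Step 2c: how far the initial amount may be reduced in this turnover tier."""
    for upper, share in TURNOVER_FLOOR:
        if upper is None or turnover <= upper:
            return share

def starting_amount_range(category: str, severity: str, turnover: int) -> tuple:
    """Step 2: initial amount from full turnover reduction (low) to none (high)."""
    cap = statutory_maximum(category, turnover)
    low_share, high_share = SEVERITY_BAND[severity]
    low = cap * low_share * turnover_floor(turnover)  # DPA applies the reduction
    high = cap * high_share                           # DPA applies no reduction
    return int(low), int(high)

def fine_range(category: str, severity: str, turnover: int,
               adjustment_pct: int = 100) -> tuple:
    """Steps 2 to 4: severity band, turnover tier, step-3 adjustment, then cap."""
    cap = statutory_maximum(category, turnover)
    low, high = starting_amount_range(category, severity, turnover)
    factor = Fraction(adjustment_pct, 100)  # hypothetical step-3 multiplier
    return min(int(low * factor), cap), min(int(high * factor), cap)

# Art. 83(5) breach, medium severity, EUR 80 million turnover (cap 20 million).
print(fine_range("83(5)-(6)", "medium", 80_000_000))        # (200000, 4000000)
# Art. 83(4), high severity, EUR 1.5 billion turnover, 150 % aggravation (cap 30 million).
print(fine_range("83(4)", "high", 1_500_000_000, 150))      # (4500000, 30000000)
```

The second case shows the step-4 cap at work: the aggravated upper bound (EUR 45 million) is cut back to the dynamic maximum of 2% of turnover.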


Effects of the guideline

Comments on the draft guideline could be submitted to the EDPB until June 27, 2022. The draft guideline is expected to be finalized and formally adopted in Q4 of this year.

The calculation model presented provides a uniform basis for calculating fines for data protection violations and thus contributes to harmonizing fining practice at the European level. It also replaces the calculation model previously used by the German authorities. The structured calculation approach increases the transparency of the fine assessment. Controllers throughout the Union will thus be better able to assess their respective fine risk on the basis of the concrete assessment criteria and examples provided. However, data protection authorities retain a considerable margin of discretion, so that precise predictions are still not possible. It therefore cannot be determined with certainty whether the new calculation model will generally lead to higher or lower fines in Germany compared with the previous calculation method. Nevertheless, knowing the criteria for assessing fines is key for controllers seeking to take appropriate countermeasures to minimize fines.


Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com
