Search
Contact
07.07.2022 | KPMG Law Insights

New guidelines for calculating fines for data protection breaches

On May 12, 2022, the European Data Protection Board (EDSA) published for consultation guidelines on harmonizing the calculation of fines by data protection authorities. The calculation method proposed by the EDSA serves to standardize the practice of fines in the Member States and is intended to create further legal clarity and transparency with regard to the application of the criteria of Art. 83 GDPR. It is not yet possible to predict what concrete effects the new guideline will have on the practice of imposing fines. However, for large and high-turnover companies, this could lead to higher fines on average across Europe in the future.

 

The five-step model

In the guidance, EDSA proposes a five-step model for determining the amount of fines. However, this is not intended to be a rigid mathematical procedure. The individual assessment of a fine remains essentially dependent on the evaluation of all circumstances of the individual case.

  1. Determination of the number of violations
  2. Determination of the initial amount
    a. Determination of the nature of the breach (Art. 83(4-6) GDPR)
    b. Assessment of the seriousness of the breach (Art. 83(2) GDPR)
    c. Determination of the annual turnover of the company
  3. Evaluation of all aggravating and mitigating circumstances
  4. Determination of the upper limit of the fine
  5. Final evaluation

 

  1. Determination of the number of violations

In the first step, the data protection authority identifies the relevant data protection violations and examines whether they each constitute one or more individually punishable violations of data protection law.

 

  1. Determination of the initial amount

Then determine the starting amount for further calculation of the fine. For this purpose (i) the nature of the violation, (ii) the seriousness of the infringement; and (iii) determine the annual turnover of the company.

a. First, the infringements must be assigned to the two categories identified in Art. 83 GDPR. This determines the statutory maximum amount of the fine to be imposed. Violations under para. 4 shall be punishable by a maximum fine of EUR 10 million or 2% of the previous year’s global sales, and violations under para. 5 and 6 with a maximum fine of 20 million euros or 4% of the previous year’s global sales.

b. Next, the seriousness of the respective violation shall be assessed. Violations are to be classified as low, medium or high after a comprehensive overall assessment of the individual case. In particular, the provisions of Art. 83 para. 2 GDPR to be included. For example, breaches in the context of processing data of particularly vulnerable individuals (such as employees or children), special categories of personal data (such as health data), breaches affecting the core activity of the controller, or a high number of data subjects may be particularly serious. In addition, the degree of fault must be taken into account. Depending on the severity of the violation, an appropriate starting amount must be determined. In this regard, the guidelines provide for the following gradation:

      • Severity of the infringement: Low; initial amount: 0 – 10 % of the statutory maximum amount
      • Severity of the infringement: medium; initial amount: 10 – 20 % of the statutory maximum amount
      • Severity of the infringement: severe; initial amount: 20 – 100 % of the statutory maximum amount

c. The specific calculation of the starting amount shall also be based by the data protection authority on the company’s annual worldwide turnover. Here, adjustments can be made to the starting amount according to the severity of the data protection breach for companies with lower annual sales. In this regard, EDSA proposes the following gradation:

      • Annual turnover in EUR: ≤ 2 million; maximum reduction to: 0.2% of the initial amount
      • Annual turnover in EUR: ≤ 10 million; maximum reduction to: 0.4 % of the initial amount
      • Annual turnover in EUR: ≤ 50 million; maximum reduction to: 2 % of the initial amount
      • Annual turnover in EUR: 50 million – 100 million; maximum reduction to: 10 % of the initial amount.
      • Annual turnover in EUR: 100 million – 250 million; maximum reduction to: 20 % of the initial amount.
      • Annual sales in EUR: ≥ 250 million; maximum reduction to: 50 % of the initial amount

As a rule, the higher the company’s sales within the respective level, the higher the starting amount. However, the DPA is not required to make this adjustment if it is not necessary for a deterrent effect.

 

  1. Evaluation of all aggravating and mitigating circumstances

In the third step, the initial amount determined is adjusted taking into account the remaining aggravating and mitigating factors (Art. 83(2) GDPR).

In this context, the behavior of the company in the past and in the course of the fine proceedings must be considered in particular. In particular, measures taken by the controller to mitigate harm to data subjects, previous data protection breaches by the controller, the manner in which the breach came to the attention of the data protection authority, the degree of cooperation with the data protection authorities or the achievement of an economic benefit from the breach may be taken into account.

 

  1. Determination of the upper limit of the fine

In the fourth step, the data protection authority determines the maximum amounts for the data protection breach and sets the upper limit for the fines. The relevant figure is the worldwide annual sales of the company in relation to the entire business entity. According to the total annual sales thus determined, either the static maximum amount of 10 million or 20 million euros or the dynamic maximum amount of 2% or 4% of worldwide annual sales, whichever is higher, can become relevant.

 

  1. Final evaluation

Finally, we evaluate whether the fine determined is effective, proportionate and dissuasive. This step represents a final corrective in the sense of a concluding overall view. If the DPA concludes that, for example, the total amount determined is not sufficiently suitable to achieve the stated objectives or the fine exceeds what is necessary to achieve the objectives pursued by the GDPR, the amount can still be corrected accordingly. In justified exceptional cases, the economic performance of the company may also be taken into account, for example if the company demonstrates and proves that the fine will have a lasting adverse effect on the company’s economic performance.

 

Effects of the guideline

After giving EDSA until June 27, 2022 to comment on the guideline, it is expected that the draft guideline will be finalized and formally adopted in Q4 of this year.

The calculation model presented provides a uniform basis for calculating fines for data protection violations and thus contributes to harmonizing the practice of fines at the European level. It also replaces the previously existing calculation model of the German authorities. The structured calculation approach increases the transparency of the fine assessment. Responsible persons throughout the Union will thus be in a position to better assess the respective risk of a fine on the basis of the concrete assessment criteria and examples provided. However, there remains a considerable margin of discretion for data protection authorities, so that precise predictions are still not possible. It is therefore not possible to determine with certainty whether the new calculation model in Germany will generally lead to higher or lower fines compared with the previous calculation method. However, knowing the criteria for assessing fines is key for responsible parties to take appropriate countermeasures to minimize fines.

Explore #more

24.03.2025 | KPMG Law Insights

Product piracy in online retail: these are the latest tricks

Product piracy is also flourishing with the growth in online trade. A major problem for brand owners, but also a challenge for online marketplaces and…

24.03.2025 | Deal Notifications

KPMG Law advises Munich Airport on the sale of aerogate München Gesellschaft für Luftverkehrsabfertigungen mbH

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) provided legal advice to Flughafen München GmbH (FMG) on the sale of its subsidiary aerogate München Gesellschaft für Luftverkehrsabfertigungen…

21.03.2025 | KPMG Law Insights

Special infrastructure assets: how the administration manages to implement projects quickly

The special infrastructure fund creates the opportunity to catch up on years of investment backlog. There is a need for urgency. Defence capability, economic growth…

20.03.2025 | KPMG Law Insights

AI Act: This applies to AI in universities and research

Artificial intelligence (AI) offers numerous opportunities for research, teaching and administration, but also raises complex legal issues. The European Union’s AI Regulation(AI Act)…

19.03.2025 | In the media

BUJ/KPMG Law Summit Transformation

The Bundesverband der Unternehmensjuristinnen und Unternehmensjuristen e.V. (BUJ) and KPMG Law cordially invite you to the BUJ Summit Transformation on May 28, 2025 in Frankfurt…

18.03.2025 | In the media

KPMG Law Statement in the German transport magazine DVZ: Planning at a crawl; DIHK sees great potential for faster traffic route construction

The Chamber of Commerce in Arnsberg regularly awards prizes to the worst state roads in the Hellweg-Sauerland region of Westphalia. A funny idea, if it…

13.03.2025 | KPMG Law Insights

ECJ tightens antitrust liability for information exchange

The ECJ (C-298/22) has recently set strict standards for the permissible exchange of information between companies. As a result, companies are now even more faced…

11.03.2025 | In the media

KPMG Law Interview with HAUFE: LkSG after the elections – everything new?

Many companies have made considerable efforts to implement the Supply Chain Due Diligence Act. The political discussion about its abolition is now causing uncertainty. KPMG…

07.03.2025 | In the media

Guest article in unternehmensjurist: Implementing the requirements of the BFSG correctly

The Barrier-Free Accessibility Reinforcement Act requires companies to offer certain products and services without barriers. The obligations vary depending on the role in business transactions.…

05.03.2025 | In the media

KPMG Law Statement in TextilWirtschaft: What the changes from Brussels mean for the fashion industry

It’s now official: the EU Commission will massively simplify the planned sustainability reporting. The Supply Chain Law Initiative examines the announced changes to the CSDDD…

Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll