07.07.2022 | KPMG Law Insights

New guidelines for calculating fines for data protection breaches

On May 12, 2022, the European Data Protection Board (EDSA) published for consultation guidelines on harmonizing the calculation of fines by data protection authorities. The calculation method proposed by the EDSA serves to standardize the practice of fines in the Member States and is intended to create further legal clarity and transparency with regard to the application of the criteria of Art. 83 GDPR. It is not yet possible to predict what concrete effects the new guideline will have on the practice of imposing fines. However, for large and high-turnover companies, this could lead to higher fines on average across Europe in the future.


The five-step model

In the guidance, EDSA proposes a five-step model for determining the amount of fines. However, this is not intended to be a rigid mathematical procedure. The individual assessment of a fine remains essentially dependent on the evaluation of all circumstances of the individual case.

  1. Determination of the number of violations
  2. Determination of the initial amount
    a. Determination of the nature of the breach (Art. 83(4-6) GDPR)
    b. Assessment of the seriousness of the breach (Art. 83(2) GDPR)
    c. Determination of the annual turnover of the company
  3. Evaluation of all aggravating and mitigating circumstances
  4. Determination of the upper limit of the fine
  5. Final evaluation


  1. Determination of the number of violations

In the first step, the data protection authority identifies the relevant data protection violations and examines whether they each constitute one or more individually punishable violations of data protection law.


  1. Determination of the initial amount

Then determine the starting amount for further calculation of the fine. For this purpose (i) the nature of the violation, (ii) the seriousness of the infringement; and (iii) determine the annual turnover of the company.

a. First, the infringements must be assigned to the two categories identified in Art. 83 GDPR. This determines the statutory maximum amount of the fine to be imposed. Violations under para. 4 shall be punishable by a maximum fine of EUR 10 million or 2% of the previous year’s global sales, and violations under para. 5 and 6 with a maximum fine of 20 million euros or 4% of the previous year’s global sales.

b. Next, the seriousness of the respective violation shall be assessed. Violations are to be classified as low, medium or high after a comprehensive overall assessment of the individual case. In particular, the provisions of Art. 83 para. 2 GDPR to be included. For example, breaches in the context of processing data of particularly vulnerable individuals (such as employees or children), special categories of personal data (such as health data), breaches affecting the core activity of the controller, or a high number of data subjects may be particularly serious. In addition, the degree of fault must be taken into account. Depending on the severity of the violation, an appropriate starting amount must be determined. In this regard, the guidelines provide for the following gradation:

      • Severity of the infringement: Low; initial amount: 0 – 10 % of the statutory maximum amount
      • Severity of the infringement: medium; initial amount: 10 – 20 % of the statutory maximum amount
      • Severity of the infringement: severe; initial amount: 20 – 100 % of the statutory maximum amount

c. The specific calculation of the starting amount shall also be based by the data protection authority on the company’s annual worldwide turnover. Here, adjustments can be made to the starting amount according to the severity of the data protection breach for companies with lower annual sales. In this regard, EDSA proposes the following gradation:

      • Annual turnover in EUR: ≤ 2 million; maximum reduction to: 0.2% of the initial amount
      • Annual turnover in EUR: ≤ 10 million; maximum reduction to: 0.4 % of the initial amount
      • Annual turnover in EUR: ≤ 50 million; maximum reduction to: 2 % of the initial amount
      • Annual turnover in EUR: 50 million – 100 million; maximum reduction to: 10 % of the initial amount.
      • Annual turnover in EUR: 100 million – 250 million; maximum reduction to: 20 % of the initial amount.
      • Annual sales in EUR: ≥ 250 million; maximum reduction to: 50 % of the initial amount

As a rule, the higher the company’s sales within the respective level, the higher the starting amount. However, the DPA is not required to make this adjustment if it is not necessary for a deterrent effect.


  1. Evaluation of all aggravating and mitigating circumstances

In the third step, the initial amount determined is adjusted taking into account the remaining aggravating and mitigating factors (Art. 83(2) GDPR).

In this context, the behavior of the company in the past and in the course of the fine proceedings must be considered in particular. In particular, measures taken by the controller to mitigate harm to data subjects, previous data protection breaches by the controller, the manner in which the breach came to the attention of the data protection authority, the degree of cooperation with the data protection authorities or the achievement of an economic benefit from the breach may be taken into account.


  1. Determination of the upper limit of the fine

In the fourth step, the data protection authority determines the maximum amounts for the data protection breach and sets the upper limit for the fines. The relevant figure is the worldwide annual sales of the company in relation to the entire business entity. According to the total annual sales thus determined, either the static maximum amount of 10 million or 20 million euros or the dynamic maximum amount of 2% or 4% of worldwide annual sales, whichever is higher, can become relevant.


  1. Final evaluation

Finally, we evaluate whether the fine determined is effective, proportionate and dissuasive. This step represents a final corrective in the sense of a concluding overall view. If the DPA concludes that, for example, the total amount determined is not sufficiently suitable to achieve the stated objectives or the fine exceeds what is necessary to achieve the objectives pursued by the GDPR, the amount can still be corrected accordingly. In justified exceptional cases, the economic performance of the company may also be taken into account, for example if the company demonstrates and proves that the fine will have a lasting adverse effect on the company’s economic performance.


Effects of the guideline

After giving EDSA until June 27, 2022 to comment on the guideline, it is expected that the draft guideline will be finalized and formally adopted in Q4 of this year.

The calculation model presented provides a uniform basis for calculating fines for data protection violations and thus contributes to harmonizing the practice of fines at the European level. It also replaces the previously existing calculation model of the German authorities. The structured calculation approach increases the transparency of the fine assessment. Responsible persons throughout the Union will thus be in a position to better assess the respective risk of a fine on the basis of the concrete assessment criteria and examples provided. However, there remains a considerable margin of discretion for data protection authorities, so that precise predictions are still not possible. It is therefore not possible to determine with certainty whether the new calculation model in Germany will generally lead to higher or lower fines compared with the previous calculation method. However, knowing the criteria for assessing fines is key for responsible parties to take appropriate countermeasures to minimize fines.

Explore #more

13.06.2024 | Press releases

Handelsblatt and Best Lawyers honor KPMG Law Experts

Best Lawyers has once again identified the best commercial lawyers in Germany for 2024 exclusively for Handelsblatt. A total of 28 lawyers were honored by…

27.05.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

22.05.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…


Francois Heynike, LL.M. (Stellenbosch)

Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

tel: +49-69-951195770

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.