Search
Contact
07.07.2022 | KPMG Law Insights

New guidelines for calculating fines for data protection breaches

On May 12, 2022, the European Data Protection Board (EDSA) published for consultation guidelines on harmonizing the calculation of fines by data protection authorities. The calculation method proposed by the EDSA serves to standardize the practice of fines in the Member States and is intended to create further legal clarity and transparency with regard to the application of the criteria of Art. 83 GDPR. It is not yet possible to predict what concrete effects the new guideline will have on the practice of imposing fines. However, for large and high-turnover companies, this could lead to higher fines on average across Europe in the future.

 

The five-step model

In the guidance, EDSA proposes a five-step model for determining the amount of fines. However, this is not intended to be a rigid mathematical procedure. The individual assessment of a fine remains essentially dependent on the evaluation of all circumstances of the individual case.

  1. Determination of the number of violations
  2. Determination of the initial amount
    a. Determination of the nature of the breach (Art. 83(4-6) GDPR)
    b. Assessment of the seriousness of the breach (Art. 83(2) GDPR)
    c. Determination of the annual turnover of the company
  3. Evaluation of all aggravating and mitigating circumstances
  4. Determination of the upper limit of the fine
  5. Final evaluation

 

  1. Determination of the number of violations

In the first step, the data protection authority identifies the relevant data protection violations and examines whether they each constitute one or more individually punishable violations of data protection law.

 

  1. Determination of the initial amount

Then determine the starting amount for further calculation of the fine. For this purpose (i) the nature of the violation, (ii) the seriousness of the infringement; and (iii) determine the annual turnover of the company.

a. First, the infringements must be assigned to the two categories identified in Art. 83 GDPR. This determines the statutory maximum amount of the fine to be imposed. Violations under para. 4 shall be punishable by a maximum fine of EUR 10 million or 2% of the previous year’s global sales, and violations under para. 5 and 6 with a maximum fine of 20 million euros or 4% of the previous year’s global sales.

b. Next, the seriousness of the respective violation shall be assessed. Violations are to be classified as low, medium or high after a comprehensive overall assessment of the individual case. In particular, the provisions of Art. 83 para. 2 GDPR to be included. For example, breaches in the context of processing data of particularly vulnerable individuals (such as employees or children), special categories of personal data (such as health data), breaches affecting the core activity of the controller, or a high number of data subjects may be particularly serious. In addition, the degree of fault must be taken into account. Depending on the severity of the violation, an appropriate starting amount must be determined. In this regard, the guidelines provide for the following gradation:

      • Severity of the infringement: Low; initial amount: 0 – 10 % of the statutory maximum amount
      • Severity of the infringement: medium; initial amount: 10 – 20 % of the statutory maximum amount
      • Severity of the infringement: severe; initial amount: 20 – 100 % of the statutory maximum amount

c. The specific calculation of the starting amount shall also be based by the data protection authority on the company’s annual worldwide turnover. Here, adjustments can be made to the starting amount according to the severity of the data protection breach for companies with lower annual sales. In this regard, EDSA proposes the following gradation:

      • Annual turnover in EUR: ≤ 2 million; maximum reduction to: 0.2% of the initial amount
      • Annual turnover in EUR: ≤ 10 million; maximum reduction to: 0.4 % of the initial amount
      • Annual turnover in EUR: ≤ 50 million; maximum reduction to: 2 % of the initial amount
      • Annual turnover in EUR: 50 million – 100 million; maximum reduction to: 10 % of the initial amount.
      • Annual turnover in EUR: 100 million – 250 million; maximum reduction to: 20 % of the initial amount.
      • Annual sales in EUR: ≥ 250 million; maximum reduction to: 50 % of the initial amount

As a rule, the higher the company’s sales within the respective level, the higher the starting amount. However, the DPA is not required to make this adjustment if it is not necessary for a deterrent effect.

 

  1. Evaluation of all aggravating and mitigating circumstances

In the third step, the initial amount determined is adjusted taking into account the remaining aggravating and mitigating factors (Art. 83(2) GDPR).

In this context, the behavior of the company in the past and in the course of the fine proceedings must be considered in particular. In particular, measures taken by the controller to mitigate harm to data subjects, previous data protection breaches by the controller, the manner in which the breach came to the attention of the data protection authority, the degree of cooperation with the data protection authorities or the achievement of an economic benefit from the breach may be taken into account.

 

  1. Determination of the upper limit of the fine

In the fourth step, the data protection authority determines the maximum amounts for the data protection breach and sets the upper limit for the fines. The relevant figure is the worldwide annual sales of the company in relation to the entire business entity. According to the total annual sales thus determined, either the static maximum amount of 10 million or 20 million euros or the dynamic maximum amount of 2% or 4% of worldwide annual sales, whichever is higher, can become relevant.

 

  1. Final evaluation

Finally, we evaluate whether the fine determined is effective, proportionate and dissuasive. This step represents a final corrective in the sense of a concluding overall view. If the DPA concludes that, for example, the total amount determined is not sufficiently suitable to achieve the stated objectives or the fine exceeds what is necessary to achieve the objectives pursued by the GDPR, the amount can still be corrected accordingly. In justified exceptional cases, the economic performance of the company may also be taken into account, for example if the company demonstrates and proves that the fine will have a lasting adverse effect on the company’s economic performance.

 

Effects of the guideline

After giving EDSA until June 27, 2022 to comment on the guideline, it is expected that the draft guideline will be finalized and formally adopted in Q4 of this year.

The calculation model presented provides a uniform basis for calculating fines for data protection violations and thus contributes to harmonizing the practice of fines at the European level. It also replaces the previously existing calculation model of the German authorities. The structured calculation approach increases the transparency of the fine assessment. Responsible persons throughout the Union will thus be in a position to better assess the respective risk of a fine on the basis of the concrete assessment criteria and examples provided. However, there remains a considerable margin of discretion for data protection authorities, so that precise predictions are still not possible. It is therefore not possible to determine with certainty whether the new calculation model in Germany will generally lead to higher or lower fines compared with the previous calculation method. However, knowing the criteria for assessing fines is key for responsible parties to take appropriate countermeasures to minimize fines.

Explore #more

26.08.2024 | In the media

Interview with Moritz Püstow on sustainability and increasing efficiency in the construction industry

How is the construction industry equipping itself for the future, which is facing major challenges?
In an interview with Baublatt, KPMG Law expert Moritz

22.08.2024 | Press releases

Strategic alliance between KPMG Law and MHP – A Porsche Company

KPMG Law and MHP – A Porsche Company have entered into a strategic alliance.
MHP is a leading consulting firm in the field of Engineering…

21.08.2024 | In the media

Guest article in the dpn: Initial practical experience with the implementation of DORA

In times of crisis and increasing cybercrime, digital operational stability is extremely important for companies.
In future, financial companies and third-party service providers of information…

19.08.2024 | In the media

Guest article at Springer Professional: Giralgeldtoken wants to simplify financial processes in industry

The commercial banks’ cash token should be an alternative to the digital euro for industry and have the character of a deposit.
This could be…

16.08.2024 | Deal Notifications

KPMG Law advises Hagedorn on syndicated financing

KPMG Law advised the Hagedorn Group on the negotiation and closing of a financing transaction A team led by Frankfurt-based KPMG Law partner and head…

06.08.2024 | In the media

Interview with Daniel Kaut on Talent Rocket about working in M&A

Daniel Kaut is a partner at KPMG Law and has been advising on M&A transactions and corporate law for 20 years.
He also has strategic…

06.08.2024 | In the media

Guest article in Betrieb on the topic of data protection and co-determination

The introduction of artificial intelligence in companies offers numerous opportunities, but also brings with it considerable challenges.
Complex issues arise in particular at the interface…

06.08.2024 | In the media

Guest article in IT-Zoom: The path to safe and ethical AI

The June 25, 2024 issue of IT-Zoom contains a guest article by KPMG Law expert Francois Maartens Heynike and KPMG Law expert Kerstin Ohrem.…

02.08.2024 | KPMG Law Insights

AI and employment law: what the AI Act means for HR

On August 1, the EU AI Act in force.
It regulates the use of artificial intelligence within the European Union.
As a regulation, the AI…

24.07.2024 | In the media

KPMG Law recognized as a top employer in Central Germany in the magazine azur

The legal market in Hesse is clearly characterized by the legal metropolis of Frankfurt am Main.
For those seeking a career in banking and finance…

Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

tel: +49-69-951195770
fheynike@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll