The EDPB sets out relevant steps and factors that EU supervisory authorities should consider when calculating administrative fines under the GDPR.

On 16 May 2022, the European Data Protection Board (EDPB) adopted draft Guidelines 04/2022 on the calculation of administrative fines under the GDPR (Draft Guidelines).^[1] The Draft Guidelines are currently subject to public consultation and comments may be submitted until 27 June 2022 (at the latest). The EDPB’s aim is to create a harmonised methodology for the calculation of GDPR fines. All EU supervisory authorities (SAs) must use the same starting points, on the basis of which administrative fines can be subsequently calculated and further tailored for individual cases. The EDPB clearly emphasizes that the Draft Guidelines are not drafted to enable controllers/processors to precisely calculate the expected fine; this determination will rather depend on all the individual circumstances of the case. SAs will need to ensure that fines are effective, proportionate, and dissuasive, taking into account the particularities of each case. While the EDPB acknowledges that SAs retain discretion to account for these particularities, they are clearly expected to follow the methodology set out in the Draft Guidelines.

Generally, the EDPB appears to emphasise setting GDPR fines at a level that effectively deters future non-compliance, rather than ensuring the proportionality of GDPR penalties. The EDPB also focuses on the revenues of the relevant undertaking, which is taken into account at a number of stages of the methodology set out in the Draft Guidelines.

How Is the Methodology Calculated?

The EDPB suggests five steps when calculating administrative fines. Briefly, these are:

1. identifying the processing operations in the analysed case, including if the same or linked processing activities infringe several GDPR provisions;
2. finding the starting point for calculating the fine based on the nature of infringement, its seriousness, and the turnover of the undertaking — this is said to be particularly relevant for imposing effective, proportionate, and dissuasive fines;
3. evaluating aggravating and mitigating circumstances;
4. identifying the relevant legal maximums for the different processing operations (i.e., up to the higher of €10 million / 2% of the undertaking’s annual turnover or €20 million / 4% of the undertaking’s annual turnover, as set out in Article 83(4)-(6) GDPR);
5. analysing whether the final amount is indeed effective, dissuasive, and proportionate or whether it is necessary to increase/decrease the fine accordingly.

What Is the Starting Point for Calculation?

According to the EDPB, the starting point for calculating the administrative fines represents only the beginning for further calculations, which will be based on all circumstances of the case and will result in the final amount of the imposed fine. The Draft Guidelines nevertheless state that the starting point should be harmonised and based on the following three elements:

(1) The categorisation of infringements by nature: the first category is punishable with fines up to €10 million / 2% of the undertaking’s annual turnover (whichever is higher) under Article 83(4) GDPR and the second category is punishable with fines up to €20 million / 4% of the undertaking’s annual turnover (whichever is higher) under Article 83(5) and (6) GDPR.

(2) The seriousness of the infringement: SAs will consider factors such as the nature, gravity, and duration of the infringement, the number of data subjects affected,^[2] the level of damage suffered, the intentional or negligent character of the infringement, and the categories of data affected. SAs can find the infringement to be of varying levels of seriousness, as outlined below:

The Draft Guidelines expressly state that the above ranges remain under the review of the EDPB and its members and can be adapted when necessary.

(3) The turnover of the undertaking: the Draft Guidelines emphasize this element as relevant, not only for the purposes of the applicable legal maximums under Article 83(4)-(6) GDPR but also for imposing an effective, dissuasive, and proportionate fine. According to the Draft Guidelines:

• A fine is: effective, if it achieves the objectives for which it was imposed, e.g., re-establishing compliance with the rules, punishing unlawful behavior, or both; proportionate, if measures adopted do not exceed the limits of what is appropriate and necessary in order to attain the objectives legitimately pursued by the GDPR — SAs must verify that the fine is proportionate both to the severity of the infringement and to the size of the undertaking to which the entity committing the infringement belongs; dissuasive, if it has a genuine deterrent effect, either general or specific (i.e., discouraging others and/or the addressee of the fine from committing the same infringement in the future).
• Regarding the concept of “undertaking”, this should be interpreted within the meaning of Articles 101 and 102 of the Treaty on the Functioning of the European Union and the Draft Guidelines state that the turnover figure to be used for fine calculation is the total worldwide annual turnover of the relevant corporate group as a whole (rather than solely of the specific legal entity/entities against which the fine is imposed). Further, the EDPB states that the term “preceding” from Article 83 (i.e., “the total worldwide annual turnover of the preceding financial year”) refers to the year preceding the moment the fining decision is issued by the SA and not the time of the infringement.
• To assist the SAs to maintain proportionality of the fine to the size of the undertaking (as noted above), the SA may consider adjusting the fine’s starting point to reflect the size of the undertaking’s turnover, according to the tiers set out below. This mechanism is intended to mitigate the effects of the fixed maximums of €10 million or €20 million under Article 83(4)-(6) GDPR on lower-turnover undertakings (such thresholds being, potentially, disproportionately high in relation to such undertakings). The EDPB sets out the following starting point ranges:

The Draft Guidelines also state that, as a general rule, the higher the turnover within the applicable tier, the higher the starting amount is likely to be. SAs are not obliged to apply adjustments to the starting points if they are not necessary to ensure effective, dissuasive, and proportionate fines. The EDPB notes the figures are merely starting points for further calculations and not fixed amounts (“price tags”) for GDPR infringements. Depending on how SAs apply the Draft Guidelines in practice (and the approach of national courts), the combination of the weight placed on turnover in the methodology and the tiered approach set out above is likely to result in fines being set at the upper end of the scale in relation to undertakings with large revenues.

What Are Potential Aggravating and Mitigating Circumstances?

To determine whether aggravating or mitigating circumstances have occurred, the SA must take account of the factors listed in Article 83(2) GDPR. Amongst aspects to be considered in this determination, the Draft Guidelines note the following:

• Mitigating actions: the Draft Guidelines state that SAs need to consider “any action taken by the controller or processor to mitigate the damage suffered by data subjects”, noting that controllers or processors should “do whatever they can do in order to reduce the consequences of the breach for the individual(s) concerned”. Such mitigating actions may be considered a mitigating factor by the SAs, decreasing the amount of the fine, with particular regard afforded to the timeliness and effectiveness of such actions.

• Degree of responsibility: The Draft Guidelines state that SAs should consider whether the controller/processor “did what it could be expected to do” given the nature, purposes, or size of the processing in light of its GDPR obligations. Specifically, SAs will analyse residual risks to the freedoms and rights of data subjects, the impairment caused to data subjects, the damage persisting after adoption of the measures, the robustness of measures adopted under Articles 25 and 32 GDPR, and whether the data in question was directly identifiable and/or available without technical protection. The EDPB also considers it important for controllers and processors to have accountability documentation in place, since this could provide evidence of when measures were taken and how they were implemented.
• Previous infringements: Any relevant^[3] previous infringements by the controller/processor should be considered when deciding whether to impose an administrative fine and its amount. Generally, the longer the time between the previous and current infringement, the less relevance shall be afforded to it. However, infringements committed a long time ago might still be relevant for the “track record” of the entity and fixed limitation periods are not to be set to this purpose.^[4]
• Cooperation with the SA: The Draft Guidelines state that, when cooperation with the SA “has the effect of limiting or avoiding negative consequences for the rights of the individuals that might otherwise have occurred”, this may be a mitigating factor.
• How the SA became aware: Awareness may be a mitigating factor if the controller or processor proactively notified the SA of the infringement before it was known to the SA by virtue of, for example, a complaint or an investigation.
• Compliance with measures previously ordered regarding the same subject matter: Compliance with measures previously ordered is mandatory and so will not be taken into account as a mitigating factor per se. To meet the mitigation threshold, it will be necessary to show that additional measures, beyond those ordered, have been taken. Conversely, non-compliance with a corrective power previously ordered may be considered either as an aggravating factor or as a different infringement in itself.

The Draft Guidelines suggest that SAs’ consideration of a number of the factors listed in Article 83(2) GDPR may often have an aggravating, or at best neutral, effect. For example, the Draft Guidelines state that the existence of (relevant) previous infringements can be considered as aggravating, whereas the absence of (any) previous infringements “cannot be considered a mitigating factor, as compliance with GDPR is the norm”; “it is likely that” the degree of responsibility of the controller or processor “will be considered an aggravating or a neutral factor”; ordinary cooperation with SAs, and similarly compliance with measures previously ordered, is mandatory and should therefore “be considered neutral (and not a mitigating factor)”; and in respect of notifiable personal data breaches under Article 33 GDPR, such notification should be considered neutral. However, the Draft Guidelines do also contemplate circumstances in which the factors listed in Article 83(2) GDPR will have a mitigating effect on the level of administrative fine. For example, as noted above, the Draft Guidelines state that cooperation with the SA may be a mitigating factor if such cooperation “has the effect of limiting or avoiding negative consequences for the rights of the individuals that might otherwise have occurred”; awareness may be a mitigating factor if the controller or processor proactively notified the SA of the infringement before it was known to the SA; adherence to codes of conduct or approved certification mechanisms may constitute a mitigating factor; and the degree of responsibility of the controller or processor, and similarly compliance with measures previously ordered, may be a mitigating factor where the controller or processor has “gone above and beyond the obligations imposed upon them”.

What Do the Draft Guidelines Mean for Controllers and Processors?

The Draft Guidelines are subject to public consultation. As currently drafted, the Draft Guidelines may facilitate a proportionate fining approach for lower-turnover companies, but they raise a number of issues of concern for controllers and processors subject to the GDPR that are part of corporate groups with large global revenues. Whilst the Draft Guidelines do provide for SA discretion, the focus on revenues at various stages of the EDPB’s proposed methodology, and the difficulty controllers and processors may face in persuading SAs that any mitigation is warranted, mean that we might see larger fines being issued across the EU against high-revenue companies/ groups in respect of GDPR infringements. In the event that this is not ameliorated following consultation, the EDPB’s views likely will be challenged at an EU level and/or in the national courts in the near future.[5]

Endnotes

^[1] These Draft Guidelines complement EDPB’s previously adopted by the Article 29 Working Party, Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679, which focus on the circumstances in which to impose a fine.

^[2] Can include consideration of “the ratio between the number of data subjects affected and the total number of data subjects in that context”.

^[3] The Draft Guidelines state that “previous infringements of either the same or different subject matter to the one being investigated might be considered relevant”, although note that “infringements of the same subject matter must be given more significance”.

^[4] Some national laws do prevent SAs from considering previous infringements after a settled period. Likewise, certain national laws impose a record deletion obligation after a certain period of time, which prevents the acting supervisory authorities from taking into account these precedents.

^[5] Indeed, it is understood that the EDPB’s views regarding the application of Article 83(3) GDPR, the relevance of revenues generally and what are the relevant revenues for the purposes of Articles 83(4)-(6) — none of which is addressed in detail in this summary of the Draft Guidelines — are currently subject to challenges in the courts.