After months of anticipation, the European Data Protection Board (EDPB) adopted new Guidelines on the calculation of administrative fines under the GDPR in May 2022. With the newly released Guidelines, the EDPB seeks to foster a more uniform approach to imposing fines across Europe (EU). The Guidelines come after two previous attempts by the German and Dutch Data Protection Authorities (DPAs) in 2019 to establish fine models, the results of which have not been without criticism. In particular, the German fine model was met with fierce criticism from a German court in 2020 due to its strong emphasis on the undertaking’s worldwide annual turnover for the calculation of fine amounts. Hence, instead of focusing on a harmonization of fine outcomes across the EU, the EDPB’s Guidelines envisage a “harmonization on the starting points and methodology used to calculate a fine”.
I. Calculating fines: step-by-step
The EDPB’s Guidelines provide a step-by-step approach to calculating fine amounts imposed against controllers and processors of all types. However, the EDPB stresses that these steps only provide starting points as a “common orientation” and that any final fine amount is always dependent on the specific circumstances of the case. Thus, the Guidelines do not aim to enable a precise mathematical calculation of the expected fine. However, the EDPB is of the opinion that it is possible for DPAs to predetermine fixed fine amounts for certain types of infringements. In addition to the step-by-step methodology, such a step would certainly facilitate and greatly expedite regulatory enforcement of minor violations, in particular.
In light of these presumptions, the EDPB has developed the following five-step methodology for calculating fines:
- STEP 1: Identifying the processing operations in the case and evaluating the application of Article 83(3) GDPR;
- STEP 2: Setting the starting points for the calculation based on:
  - the classification of the infringement pursuant to Article 83(4)-(6) GDPR;
  - the seriousness of the infringement pursuant to Article 83(2)(a), (b), (g) GDPR;
  - the worldwide annual turnover of the undertaking as one relevant element pursuant to Article 83(1) GDPR.
- STEP 3: Evaluating aggravating and mitigating circumstances related to past or present behavior of the controller or processor giving rise to an increase/decrease of the fine;
- STEP 4: Identifying the relevant legal maximums for the respective processing operations that limit the overall fine amount possible;
- STEP 5: Analyzing whether the overall fine amount is effective, dissuasive and proportionate as required by Article 83(1) GDPR, and increasing or decreasing the fine if necessary.
II. The step-by-step approach: Explained step-by-step
1. STEP 1: Identifying the relevant processing operations and concurrent infringements
In case the controller or processor infringes several GDPR provisions for the same or linked processing operations, pursuant to Article 83(3) GDPR the total amount of the fine shall not exceed the amount specified for the gravest infringement. Therefore, as a first step, the DPA must identify whether the processing operation(s) subject to the administrative fine constitute(s) only one sanctionable conduct or multiple sanctionable conducts.
a. Same or Linked processing operations
“Linked” processing operations are processing operations that consist of several parts which are carried out by a unitary will and are contextually, spatially and temporally closely related so that they can be considered as one coherent conduct. The EDPB stresses, however, that a sufficient link can only be assumed under special circumstances and that a restrictive approach should be taken. Where the same or linked processing operations form a single infringement, the fine can be calculated on the basis of this infringement and its legal maximum.
Concurrence of infringements
Referring to three distinct principles (principles of specialty, subsidiarity and consumption) the EDPB stresses that, in essence, in cases where statutory provisions apply that protect the same legal interest so that one provision precludes or subsumes the applicability of another provision, it would be unlawful to impose fines on the same offender twice. Thus, the amount of the fine should be calculated only on the basis of the superseding infringement.
Unity of action
In cases where there is no concurrence of infringements, there can be a unity of action instead. This is the case if a controller or processor violates—for the same or linked processing operations—either several GDPR provisions that mostly protect different legal interests or the same GDPR provisions multiple times. In this case, the fine amount must not exceed the amount specified for the gravest infringement (Article 83(3) GDPR).
b. Multiple sanctionable conducts
Multiple sanctionable conducts (a so-called “plurality of actions”) can be fined independently within one decision and without regard to the amount specified for the gravest infringement pursuant to Article 83(3) GDPR.
2. STEP 2: Setting the Starting Points for Calculation
The EDPB names three elements as the starting point for the calculation from which the Supervisory Authorities may deviate in individual cases by decreasing or increasing the fine if necessary. In any case, all circumstances of the case must be taken into account and weighted.
a. Categorization of infringements (Article 83(4)-(6) GDPR)
Dependent on which obligation has been violated, Article 83(4)-(6) GDPR provides a first starting point that categorizes violations of certain provisions by their seriousness, the first being infringements punishable under Article 83(4) GDPR (maximum fine of EUR 10m or 2% of the worldwide annual turnover) and the second being infringements punishable under Article 83(5) and (6) GDPR (maximum fine of EUR 20m or 4% of the worldwide annual turnover).
b. Seriousness of the infringement (Article 83(2)(a), (b), (g) GDPR)
In relation to the specific circumstances of each case, the EDPB sheds light on the criteria provided by the GDPR that have to be taken into account when evaluating the seriousness of the infringement:
- Nature, gravity and duration of the infringement (Article 83(2)(a) GDPR)
  - Nature and scope of processing
  - Number of data subjects and purported damage suffered
  - Ability to identify data subjects
- Intentional or negligent character of the infringement (Article 83(2)(b) GDPR)
- Categories of personal data affected (Article 83(2)(g) GDPR)
Evaluating the overall seriousness of the infringement, the EDPB suggests different percentage ranges of the respective legal maximum to be considered as a starting point, depending on the level of seriousness. While the calculation of a fine for a lower level of seriousness should start at between 0-10% of the legal maximum, a medium level of seriousness should be calculated on the basis of 10-20%, whereas a serious infringement would dictate a starting amount at 20-100% of the legal maximum.
c. Turnover of the undertaking (Article 83(1) GDPR)
A Supervisory Authority should also consider the starting point of any fine using the tiered approach outlined in the Guidelines, which focuses specifically on the size of an undertaking and its annual turnover. The intention appears to be that within the different tiers, the size of any fine will correlate with the position of an organization within those parameters. Regardless, the EDPB advises that the imposition of any fine should be effective, dissuasive and proportionate. The calculations are, therefore, proportionate to the turnover in the following manner:
- Less than EUR 2 million – a Supervisory Authority may consider an initial figure down to 0.2% of the starting amount;
- Less than EUR 10 million – a Supervisory Authority may consider an initial figure down to 0.4% of the starting amount;
- Less than EUR 50 million – a Supervisory Authority may consider an initial figure down to 2% of the starting amount;
- Less than EUR 100 million – a Supervisory Authority may consider an initial figure down to 10% of the starting amount;
- Less than EUR 250 million – a Supervisory Authority may consider an initial figure down to 20% of the starting amount;
- Less than EUR 500 million – a Supervisory Authority may consider an initial figure down to 50% of the starting amount.
It is worth noting that the above figures represent a deduction on the total amount of the fine. There is no obligation on a Supervisory Authority to make that reduction.
3. STEP 3: Mitigating and aggravating factors
The EDPB outlines the remaining mitigating and aggravating factors in Articles 82(3)(c) to (k) including actions taken to limit damage to data subjects, previous infringements, degree of responsibility, cooperation with a supervisory authority and the initial notification process.
The Guidelines work through some examples with variations on the initial figure (increases and decreases) of between 10% and 40%. In contrast to the other steps, the EDPB has not provided precise calculations here.
4. STEP 4: Legal maximum fines
Once the fine has been calculated, the EDPB reaffirms that Supervisory Authorities must not impose fines that exceed the statutory limits outlined in the GDPR, specifically Article 83(4)-(6). Those limits are either the static amounts of €10m or €20m, or the dynamic amounts of 2% or 4% of annual turnover. The EDPB also reminds Supervisory Authorities that any calculation is dependent upon whether the fine is addressed to the breaching company and the parent company and that any such calculation is made in respect of the year preceding the fining decision, not the infringement.
5. STEP 5: Effectiveness, dissuasiveness, proportionality
As a final step, the EDPB reminds the Supervisory Authorities of the overarching objective of the fining regime, specifically that any fine should be effective, dissuasive and proportionate. A Supervisory Authority should verify that the amount is able to effectively reestablish compliance, uphold the objectives of the GDPR and act as a deterrent for other organizations.
III. What does this mean?
The new fining approach by the EDPB marks a rather significant deviation from current attempts to harmonize the imposition of fine amounts by the German or Dutch DPAs. While the German fining model in particular relies heavily on an undertaking’s worldwide annual turnover as a starting point for the calculation of fines, under the EDPB’s approach the turnover is merely one criterion (of many) that may reduce the starting point depending on an undertaking’s size, a move likely to be embraced by SMEs since this approach favors more appropriate and moderate fines for smaller undertakings. Companies with higher revenues and complex corporate structures, however, may start to face higher fines in the future, as even DPAs that have so far been more restrained in imposing large fines will have to adapt their fining practice to the new guidelines.
The guidelines are a good step towards harmonizing the EU DPAs’ fining practice and towards making the calculation somewhat more comprehensible and systematic. Whether fines will be more predictable in the future remains questionable, however, given that the calculation of fines will always be subject to the circumstances of each individual case and that DPAs are given much leeway in assessing the amounts. Ultimately, the DPAs are faced with the difficult task of reducing a complex set of circumstances of a privacy violation to mere numbers that result in a fine amount. Finding the right balance within large fine ranges, often ranging from a few hundred thousand to even billions of euros, will always remain difficult—a fact that the guidelines cannot change.