EU - EDPB issues final guidelines on the calculation of administrative fines

Allen & Overy LLP

The European Data Protection Board (EDPB) published the final version of the Guidelines on the calculation of administrative fines under the GDPR (Guidelines) on 7 June 2023. The Guidelines aim to harmonize the approach to establishing the amounts of administrative fines for violations of the GDPR throughout the EU.

The Guidelines were adopted during the EDPB plenary session between 24 and 25 May 2023, following a public consultation. The consultation version of the Guidelines was published on 16 May 2022 and was summarised in our blog here.

The final Guidelines maintain the proposed five-step methodology of the consultation version for calculating administrative fines, with some noteworthy changes clarified below.

Step 1.

Identifying the processing operations in the case and evaluating the application of Art. 83 (3) GDPR. This step helps to establish whether there is one or there are multiple sanctionable conducts, and how to approach situations with multiple infringements.

For instance, the EDPB provides practical examples on how to distinguish whether it is the same or linked processing operations, or whether one infringement could be considered subsidiary to another infringement. Another example is unity of action, where one conduct is caught by several statutory provisions or a single action infringes the same provision several times.

Step 2.

Establishing a harmonised starting point for further calculation based on the following three elements:

  • evaluation of the classification of the infringement under Art. 83(4)-(6) GDPR (i.e. punishable by a fine maximum of EUR 10 million/2% or EUR 20 million/4% of the undertaking’s annual turnover);
  • the seriousness of the infringement under Art. 83(2) GDPR, with due regard to the nature, gravity and duration of the infringement. The EDPB clarifies in detail how an infringement can be considered to be of a low, medium or high level of seriousness, based on factors such as the nature, scope or purpose of the processing concerned, the number of data subjects affected and the level of damage suffered by them, as well as the intentional or negligent character of the infringement and the categories of personal data affected by the infringement. Depending on the established level of seriousness of the infringement, the supervisory authority will determine the starting amount for further calculation of the administrative fine as a percentage of the maximum fine (low level of seriousness: 0-10%, medium: 10-20%, high: 20-100%); and
  • the turnover of the undertaking, with a view to imposing an effective, dissuasive and proportionate fine under Art. 83 GDPR. Some key changes:
    • The EDPB states that it will follow the requirements of Art. 83 GDPR, the GDPR as a whole and the established case law of the CJEU, which holds that the turnover of an undertaking can constitute an indication of the size and economic power of that undertaking;
    • The Guidelines establish various bands of the undertaking’s turnover to calculate any reduction in fine. The thresholds for these bands have been changed compared to the consultation version. For instance, for undertakings with an annual turnover of under EUR 2 million, the supervisory authorities may reduce the starting calculation to as low as 0.2% of the identified starting amount, whilst for organisations with a turnover between EUR 100-250 million the identified starting amount might be adjusted to between 15% and 50% of that initial sum;
    • A new category is included for undertakings with an annual turnover above EUR 500 million; for these undertakings the supervisory authorities may consider calculating the fine without any adjustment of the identified starting amount.

The EDPB points out that these thresholds are not price tags nor are they mandatory. The supervisory authority is under no obligation to apply these adjustments if it is not necessary from the point of view of effectiveness, dissuasiveness and proportionality to adjust the starting point of the fine.

Step 3.

Evaluating aggravating and mitigating circumstances, such as any actions taken by the controller or processor to mitigate the damage suffered by data subjects, the degree of responsibility of the controller or processor, the degree of co-operation of the organisation with the supervisory authority, etc.

In relation to the existence of previous infringements committed by the controller or processor as an aggravating factor, the EDPB now clarifies that previous infringements are infringements already established before the decision is issued (or for Chapter VII GDPR procedures, before the draft decision of the lead supervisory authority under Art. 60 GDPR is issued).

The EDPB also points out that Art. 82(2)(k) GDPR is open-ended and permits any other aggravating or mitigating factors, and may include all the reasoned considerations regarding the legal, socio-economic or market contexts in which the controller or processor in question operates. Examples include economic gain from the infringement or the onset of a pandemic radically changing the ways personal data are processed.

Step 4.

Determining the legal maximums for the different processing operations (such that the increases applied in previous steps or in the next step cannot exceed this amount).

This step specifically zooms into the so-called “dynamic maximum” amounts of fines under the GDPR (i.e. 2% or 4% of total annual turnover of the undertaking in the previous financial year). The EDPB clarifies in detail the concept of “undertaking” under EU law, provides numerous examples of various corporate structures and explains how the total worldwide annual turnover should be calculated.

Step 5.

Evaluating whether the calculated fine would meet the requirements of effectiveness, dissuasiveness and proportionality, and whether further adjustment of the fine is necessary. For example, the supervisory authorities may consider (in accordance with national law) reducing the fine to take into account the impact of the fine on the economic viability of the undertaking and the specific social and economic context (e.g. the sector going through a crisis, mounting unemployment in the region or potential deterioration of the related economic sectors).

Each step includes references to legal norms, existing CJEU cases and numerous practical examples. The final Guidelines are also expanded to include an annex with a reference table that helps to illustrate the methodology of calculating the fine, as well as two detailed examples of applying the Guidelines and the table.

Guidelines on the application of Art. 65(1) GDPR

The EDPB also published a new version of the Guidelines on the application of Art. 65(1) GDPR, adopted during the same plenary session. These Guidelines clarify the procedure and competence of the EDPB when adopting binding decisions under Art. 65(1)(a) GDPR, as well as the applicable procedural safeguards and remedies. Following public consultation, the Guidelines were amended to:

  • clarify that a mere “comment” expressed by a concerned supervisory authority in relation to a draft decision does not amount to an objection within the meaning of Art. 4(24) GDPR, and so shall not give rise to the obligation to trigger the Art. 65(1)(a) GDPR procedure if the lead supervisory authority decides not to give effect to the comment; and
  • add a new example of a possible relevant and reasoned objection which involves disagreement between the concerned supervisory authority and the lead supervisory authority as to whether sufficient factual elements and/or reasoning have been included in the draft decision.

The press release is available here and the Guidelines here. The Art. 65(1) Guidelines are available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Allen & Overy LLP | Attorney Advertising
