
EU fines now with uniform rules

18. July 2023/in News/by Beat Singenberger

It is well known by now that violations of the European General Data Protection Regulation (GDPR) are punished with fines by the data protection authorities of the EU member states: the fines can amount to up to 20 million EUR, or up to 4 percent of the global annual turnover.

Until now, it has been up to the competent national data protection authority to determine the amount of the fines: each EU member state has decided for itself how far the "up to" maximum values provided for by the GDPR are exhausted. There are now new rules for the assessment of fines: the European Data Protection Board (EDPB) has adopted the final guidelines for the assessment of fines.

At its meeting of 24.5.2023, the European Data Protection Board (EDPB) adopted Guidelines 04/2022 on the calculation of administrative fines under the GDPR following a public consultation.

The guidelines now provide data protection supervisory authorities with uniform standards and a harmonised framework for determining fines. However, the harmonisation only relates to the basis for calculating the fines. The final amount of a fine will continue to be determined individually by the respective national supervisory authority, because the model in the guidelines leaves room for adjustment.

The guidelines provide for a five-step assessment procedure that takes into account in particular the nature and gravity of the infringements and the turnover of the undertakings concerned:

Step 1: Sanctionable acts
The supervisory authorities examine whether the case at hand involves sanctionable acts and to what extent these have led to violations of the GDPR. In particular, it will be examined whether one or more acts subject to a fine have been committed.


Step 2: Determining the starting amount
The starting amount for the fine calculation is determined from three factors: the type of infringement (a), the gravity of the infringement (b) and the turnover of the company (c).

Type of infringement (Art. 83 (4) – (6) GDPR)
Violations of Art. 83(4) of the GDPR may be punished by a fine of up to EUR 10 million or, in the case of a company, up to 2% of its total annual worldwide turnover in the preceding business year. Violations of Article 83 (5) and (6) of the GDPR may be punished with a fine of up to EUR 20 million or, in the case of a company, up to 4% of its total annual worldwide turnover in the preceding business year. This results in the statutory maximum amounts that a fine may not exceed in each case.

Severity of the breach
The criteria listed in Art. 83 (2) GDPR are used to determine the gravity of the breach. The determination must result in a severity level in order to be able to determine the starting amount as a percentage of the statutory maximum amount:

  • Low severity: starting amount is between 0 and 10% of the statutory maximum.
  • Medium severity: starting amount is between 10 and 20% of the statutory maximum.
  • High severity: starting amount is between 20 and 100% of the statutory maximum.

The turnover of the enterprise
With regard to the turnover of an enterprise, further corrections are made to the starting amount previously determined. The amount can be reduced to between 0.2% and 50% of the starting amount determined.

Step 3: Determination of aggravating or mitigating circumstances
The supervisory authorities identify aggravating or mitigating circumstances that may increase or decrease the amount determined in Step 2. These include, for example, the behaviour of the controllers (willingness to cooperate, countermeasures) and whether there have already been breaches of the GDPR in the past. The increase or decrease of the amount is made individually by the supervisory authority.

Step 4: Determining the upper limit
The determined amount of the fine is again compared with the statutory maximum amounts of Art. 83 (4) – (6) GDPR. It is also decided whether the static (10 or 20 million EUR) or the dynamic (2% or 4% of the annual turnover) upper limit applies to the fine assessment. According to Article 83 (4) and (5) of the GDPR, the higher amount must be used as a basis.

Step 5: Possible readjustments
In the final step of the fine assessment, the supervisory authorities evaluate the determined fine pursuant to Art. 83 (1) GDPR with regard to effectiveness, proportionality and deterrence in order to be able to make any readjustments.

