EU fines now with uniform rules
It is now known that violations of the European General Data Protection Regulation (GDPR) will be punished with fines by the data protection authorities of the EU member states: The fines can amount to up to 20 million EUR, or up to 4 percent of the global annual turnover.
Up to now, it has been up to the competent national data protection authority to determine the amount of the fines. So far, each EU member state decides for itself how far the “up to max. values” provided for by the GDPR will be exhausted. There are now new rules for the assessment of fines: The European Data Protection Board (EDSA) has adopted the final guidelines for the assessment of fines.
At its meeting of 24.5.2023, the European Data Protection Board (EDPB) adopted Guidelines 04/2022 on the calculation of administrative fines under the GDPR following a public consultation.
The guidelines now provide data protection supervisory authorities with uniform standards and a harmonised framework for determining fines. However, the harmonisation only relates to the basis for calculating the fines. The final amount of the fines will continue to be determined individually by the respective national supervisory authority due to the adjustment possibilities of the guidelines model.
The guidelines provide for a five-step assessment procedure that takes into account in particular the nature and gravity of the infringements and the turnover of the undertakings concerned:
Step 1: Sanctionable acts
The supervisory authorities examine whether the case at hand involves sanctionable acts and to what extent these have led to violations of the GDPR. In particular, it will be examined whether one or more acts subject to a fine have been committed.
Step 2: Determining the starting amount
The starting amount for the fine calculation is determined from three factors: The type of infringement (a), the gravity of the infringement (b) and the turnover of the company (c).
Type of infringement (Art. 83 (4) – (6) GDPR)
Violations of Art. 83(4) of the GDPR may be punished by a fine of up to EUR 10 million or, in the case of a company, up to 2% of its total annual worldwide turnover in the preceding business year. Violations of Article 83 (5) and (6) of the GDPR may be punished with a fine of up to EUR 20 million or, in the case of a company, up to 4% of its total annual worldwide turnover in the preceding business year. This results in the statutory maximum amounts that a fine may not exceed in each case.
Severity of the breach
The criteria listed in Art. 83 (2) GDPR are used to determine the gravity of the breach. The determination must result in a severity level in order to be able to determine the starting amount as a percentage of the statutory maximum amount:
- Low severity: starting amount is between 0 and 10% of the legal maximum.
- Medium severity: Initial amount is between 10 and 20 % of the statutory maximum.
- High severity: Initial amount is between 20 and 100 % of the statutory maximum
The turnover of the enterprise
With regard to the turnover of an enterprise, further corrections are made to the initial amount previously determined. The amount can be reduced to between 0.2 % and 50 % of the initial amount determined.
Step 3: Determination of aggravating or mitigating circumstances
Supervisors identify aggravating or mitigating circumstances that may increase or decrease the amount determined in Step 2. These include, for example, the behaviour of the controllers (willingness to cooperate, countermeasures) and whether there have already been breaches of the GDPR in the past. The increase or decrease of the amount is made individually by the supervisory authority.
Step 4: Determining the upper limit
The determined amount of the fine is again compared with the statutory maximum amounts of Art. 83 (4) – (6) DSGVO. It is also decided whether the static (10 or 20 million EUR) or the dynamic (2% or 4% of the annual turnover) upper limit applies to the fine assessment. According to Article 83 (4) and (5) of the GDPR, the higher amount must be used as a basis.
Step 5: Possible readjustments
In the final step of the fine assessment, the supervisory authorities evaluate the determined fine pursuant to Art. 83 (1) GDPR with regard to effectiveness, proportionality and deterrence in order to be able to make any readjustments.