
EDPB adopts guidelines on the calculation of fines under the GDPR


By Pavan Trivedi


Published 23 May 2022

Overview

On 16 May 2022, the European Data Protection Board (“EDPB”) announced that it had adopted Guidelines intended to create a consistent methodology for European Supervisory Authorities when calculating and imposing fines for an undertaking’s violation of the EU GDPR. The calculation of the fine remains at the discretion of the Supervisory Authority, but Article 83(1) of the EU GDPR provides that the fine issued shall be effective, proportionate and dissuasive in each individual case.

The Guidance provides a harmonised method of calculating fines under the EU GDPR, and the EDPB outlines three elements which should be taken into account when establishing the grounds for a fine: (i) the categorisation of infringements by their nature; (ii) the seriousness of the infringement; and (iii) the turnover of the infringing undertaking.

METHODOLOGY

The EDPB formulated the following five-step methodology for Supervisory Authorities to apply when calculating fines for infringements of the EU GDPR.

  1. EVALUATION

Identifying the processing operations in the case and evaluating the application of Article 83(3) EU GDPR.

Supervisory Authorities must first consider the factual circumstances regarding the behaviour of the undertaking and the actual EU GDPR infringement on which the fine will be based. It must be established at this early stage whether the circumstances of the infringement are to be treated as one or multiple sanctionable conducts.

If multiple sanctionable conducts are found, the undertaking can be subject to separate fines for each infringement of the EU GDPR. The general rule of proportionality will still apply, but the total administrative fine imposed by the Supervisory Authority may exceed the amount specified for the “gravest” infringement.

The Guidelines provide a helpful diagram (see page 10) for Supervisory Authorities to utilise when determining how to proceed.

  2. STARTING POINT

Identifying the starting point for further calculation of the amount of the fine by evaluating:

2.1 The classification in Article 83(4)–(6) EU GDPR;

The GDPR provides for two categories of infringements: (i) infringements punishable under Article 83(4), which carry a maximum fine of €10 million or 2% of the undertaking’s annual turnover, whichever is higher; and (ii) infringements punishable under Article 83(5)–(6), which carry a maximum fine of €20 million or 4% of the undertaking’s annual turnover, whichever is higher.

2.2 The seriousness of the infringement pursuant to Article 83(2)(a), (b) and (g) EU GDPR;

The Supervisory Authority must have regard to the nature, gravity and duration of the infringement and must also take into account the scope or purpose of the processing concerned. It should also assess the number of data subjects affected and the level of damage suffered by them. In addition, the Supervisory Authority can determine whether the undertaking infringed the EU GDPR negligently or intentionally.

2.3 The turnover of the undertaking as one relevant element to take into consideration with a view to imposing an effective, dissuasive and proportionate fine, pursuant to Article 83(1) EU GDPR. For undertakings with an annual turnover of:

  • ≤ €2m, supervisory authorities may consider proceeding with the calculation on the basis of a sum down to 0.2% of the identified starting amount.
  • ≤ €10m, supervisory authorities may consider proceeding with the calculation on the basis of a sum down to 0.4% of the identified starting amount.
  • ≤ €50m, supervisory authorities may consider proceeding with the calculation on the basis of a sum down to 2% of the identified starting amount.
  • €50m up until €100m, supervisory authorities may consider proceeding with the calculation on the basis of a sum down to 10% of the identified starting amount.
  • €100m up until €250m, supervisory authorities may consider proceeding with the calculation on the basis of a sum down to 20% of the identified starting amount.
  • €250m or above, supervisory authorities may consider proceeding with the calculation on the basis of a sum down to 50% of the identified starting amount.

  3. AGGRAVATING & MITIGATING CIRCUMSTANCES

Evaluating the aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly (Article 83(2)(a)-(k) EU GDPR).

Supervisory Authorities must determine whether the undertaking has any aggravating or mitigating circumstances, in the past or present, in relation to their case.

In the case of an infringement, the controller or processor must do “whatever they can” to reduce the consequences of the breach for the individuals concerned. The undertaking is also obliged to implement technical and organisational measures to ensure a level of security appropriate to the risk, to carry out data protection impact assessments and to mitigate risks arising from the processing of personal data. If a controller or processor adopts appropriate measures to mitigate the extent of the damage, the Supervisory Authority can take this into account and decrease the fine. The measures adopted must be assessed for timeliness (i.e. the mitigating measure or measures must have been implemented prior to the Supervisory Authority’s investigation rather than after).

Article 83(2)(e) provides that any relevant previous infringements committed by the controller or processor must be considered when deciding whether to impose a fine and its amount; such previous infringements are an aggravating factor for Supervisory Authorities to take into account when calculating the fine against an undertaking.

Other factors to consider include: the degree of cooperation by the undertaking with the Supervisory Authority; the manner in which the infringement became known to the Supervisory Authority; and the undertaking’s compliance with measures previously ordered with regard to the same subject matter.

  4. LEGAL MAXIMUM FINES

Identifying the relevant legal maximums for the different processing operations. Increases applied in previous or next steps cannot exceed this amount.

Instead of attaching fixed amounts to specific infringements, the EU GDPR prohibits Supervisory Authorities from imposing fines which exceed the applicable maximum amounts. As set out above, Article 83(4) allows for fines up to €10 million or 2% of the undertaking’s annual turnover, whichever is higher, for infringing the obligations outlined therein, while Article 83(5) and (6) allow for fines up to €20 million or 4% of the undertaking’s annual turnover, whichever is higher. The turnover-based maximum amounts only apply if they exceed the static maximum in the individual case: the crossover point is an annual turnover of €500 million, since 2% of €500 million amounts to €10 million (the static maximum envisaged in Article 83(4)) and 4% of €500 million amounts to €20 million (the static maximum envisaged in Article 83(5)).
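The turnover bands from step 2.3 and the legal maxima from step 4 are mechanical enough to be worth writing down as code. The following is an added worked example and not part of the EDPB Guidelines or of this post; the function names are ours, and at the band boundaries (e.g. exactly €50m) we assume the lower band applies, which the Guidelines do not spell out here.

```python
# Added example: the turnover scaling (step 2.3) and legal maximum (step 4)
# as summarised on this page. Function names and boundary handling are assumptions.
MILLION = 1_000_000

# Step 2.3: (inclusive upper bound on annual turnover in EUR, lowest fraction of the
# starting amount a Supervisory Authority may proceed from). Boundaries assumed inclusive.
TURNOVER_BANDS = [
    (2 * MILLION, 0.002),    # <= EUR 2m   -> down to 0.2%
    (10 * MILLION, 0.004),   # <= EUR 10m  -> down to 0.4%
    (50 * MILLION, 0.02),    # <= EUR 50m  -> down to 2%
    (100 * MILLION, 0.10),   # up to EUR 100m -> down to 10%
    (250 * MILLION, 0.20),   # up to EUR 250m -> down to 20%
]
TOP_BAND_FRACTION = 0.50     # EUR 250m or above -> down to 50%


def lowest_starting_amount(starting_amount: float, annual_turnover: float) -> float:
    """Lowest sum (EUR) the authority may calculate from, given the undertaking's turnover."""
    for upper_bound, fraction in TURNOVER_BANDS:
        if annual_turnover <= upper_bound:
            return starting_amount * fraction
    return starting_amount * TOP_BAND_FRACTION


def legal_maximum(annual_turnover: float, article_83_paragraph: int) -> float:
    """Step 4: static maximum or percentage of turnover, whichever is higher."""
    if article_83_paragraph == 4:
        static, pct = 10 * MILLION, 0.02      # EUR 10m or 2%
    elif article_83_paragraph in (5, 6):
        static, pct = 20 * MILLION, 0.04      # EUR 20m or 4%
    else:
        raise ValueError("only Article 83(4), (5) and (6) carry administrative fines")
    return max(static, pct * annual_turnover)


def cap_fine(amount: float, annual_turnover: float, article_83_paragraph: int) -> float:
    """Increases from the other steps may never push the fine above the legal maximum."""
    return min(amount, legal_maximum(annual_turnover, article_83_paragraph))


if __name__ == "__main__":
    # Constructed figures: a EUR 40m-turnover undertaking, Article 83(4) infringement.
    print(lowest_starting_amount(1 * MILLION, 40 * MILLION))   # 2% band
    print(legal_maximum(40 * MILLION, 4))                      # static EUR 10m applies
    print(cap_fine(15 * MILLION, 40 * MILLION, 4))             # capped at EUR 10m
```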

  5. EFFECTIVENESS, PROPORTIONALITY AND DISSUASIVENESS

Analysing whether the calculated final amount meets the requirements of effectiveness, proportionality and dissuasiveness as required by Article 83(1).

The overarching principle with regard to any fine is that, in each individual case, the fine shall be effective, proportionate and dissuasive. The Guidance provides that Supervisory Authorities must verify whether the amount of the fine meets these requirements, or whether further adjustments to the amount (increasing or decreasing the fine) are necessary.

Effectiveness: Supervisory Authorities must evaluate the effectiveness of the fine which is measured by whether it achieves the objectives of: (i) re-establishing compliance with the rules; (ii) punishing unlawful behaviour; or (iii) both.

Proportionality: The principle of proportionality requires that measures adopted by the Supervisory Authority shall be appropriate and necessary in order to uphold the objectives of the GDPR, and reflective of the severity of the infringement and the size (or turnover) of the undertaking.

Dissuasiveness: The fine should provide a genuine deterrent effect for the undertaking.

COMMENTARY

The EDPB has emphasised that the calculation of a GDPR fine under its Guidance is not a simple mathematical exercise but a holistic process which must take into account the specific circumstances of each case. The Guidance states that Supervisory Authorities should remain flexible, and the EDPB will ensure that the Guidance is regularly reviewed in order to evaluate its effectiveness in achieving the objectives laid out in the GDPR.

The EDPB Guidelines will be open for public consultation until 27 June 2022.
