On 25 May 2018, the European General Data Protection Regulation (GDPR) became applicable. The GDPR is intended to harmonize data protection law within the EU, while opening clauses entitle member states to supplement or modify certain of its provisions. Pursuant to Article 83 (5) GDPR, a violation can be punished with a fine of up to EUR 20 million or 4 percent of the company's total worldwide annual turnover of the preceding financial year, whichever is higher. The German calculation model described below is designed to make the imposition of such fines comprehensible, transparent and tailored to the individual case.
On 14 October 2019, the German Data Protection Conference (DPA), the association of the independent data protection authorities of the Federal Republic of Germany and the German federal states, published a concept for calculating the fines imposed on companies for data protection infringements under the GDPR (link).
Under the concept, the calculation of a fine starts from the company's annual turnover, which, in the opinion of the DPA, is a suitable and appropriate starting point for ensuring that fines are effective, proportionate and dissuasive, as Article 83 (1) GDPR requires.
First, the DPA derives a fictitious daily turnover from the company's actual annual turnover using a publicly available chart (link). The chart defines four categories of companies ("classes") by annual turnover: micro companies (up to EUR 2 million), small companies (more than EUR 2 million up to EUR 10 million), medium companies (more than EUR 10 million up to EUR 50 million) and large companies (more than EUR 50 million). Each class is further divided into subgroups by annual turnover: the micro and small classes into three subgroups each, the medium and large classes into seven subgroups each. Each subgroup spans a minimum and a maximum annual turnover ("range"). Every range is assigned an average annual turnover, the midpoint of the range, which is then divided by 360 to obtain the fictitious daily turnover. Note that the company's actual turnover is therefore not used directly; two companies in the same subgroup receive the same fictitious daily turnover.
For example, a company with an actual annual turnover of more than EUR 50 million up to EUR 75 million falls into a subgroup whose average annual turnover is EUR 62.5 million; dividing this by 360 yields a fictitious daily turnover of approximately EUR 173,611.
The DPA then multiplies the fictitious daily turnover by a factor reflecting the severity of the offense, distinguishing between light, moderate, serious and very serious infringements. The factor also depends on the type of infringement, namely whether it is a formal violation (Article 83 (4) GDPR) or a substantive violation (Article 83 (5) and (6) GDPR); substantive violations attract higher factors, mirroring the higher statutory maximum.
Lastly, the DPA adjusts the resulting amount to the circumstances of the individual case, applying the criteria of Article 83 (2) GDPR, in particular any previous infringements by the controller and the manner in which the infringement became known to the supervisory authority, as well as other circumstances not listed there, such as an impending insolvency of the company. In every case, the fine remains subject to the statutory maximum of Article 83 (4) to (6) GDPR.
The concept applies only to proceedings against companies within the scope of the GDPR. It does not apply to associations or to individuals acting outside their economic activities, nor does it apply in cross-border cases. The concept is addressed to the independent Data Protection Authorities (DPAs) of the Federal Republic of Germany and the German federal states; it is binding neither on other European DPAs nor on the German courts. The German DPAs may revoke, amend or extend the concept at any time with effect for the future. The concept ceases to apply once the European Data Protection Board (EDPB) adopts final guidelines on the methodology for calculating fines, which would then replace the German model with an EU-wide one.
The fines already imposed by German data protection authorities, such as the EUR 14.5 million fine imposed by the Berlin Commissioner for Data Protection and Freedom of Information on a German real estate company, or the EUR 9.55 million fine imposed by the Federal Commissioner for Data Protection and Freedom of Information on a telecommunications provider, show that the German DPAs are actively enforcing the GDPR. Companies are therefore advised to monitor current data protection developments, to prevent infringements from occurring and thereby avoid the imposition of fines under the GDPR.