On 16 October 2019 – after weeks of rumours and speculation – the German data protection authorities (‘DPAs’) published their guidelines (‘Guidelines’) for calculating administrative fines under Article 83 General Data Protection Regulation (‘GDPR’).

The Guidelines are intended to guide enforcement action by German DPAs against business ‘undertakings’. They do not apply to individuals or associations who are not acting in a business capacity. Importantly, the methodology set out in the Guidelines for calculating fines is not intended to be exhaustive and will be subject to further specification by the European Data Protection Board (‘EDPB’). Further, the Guidelines are not expected to be binding in cases of cross-border processing or for any non-German DPA.

Five steps to a ‘comprehensible, transparent and just administrative fine’

The Guidelines set out a five-step methodology which German DPAs are expected to follow to secure a ‘comprehensible, transparent and just’ approach when calculating the amount of a specific fine:

  1. Categorise the undertaking based on annual turnover;
  2. Determine the average annual turnover (this will be determined by reference to the category the undertaking has been assigned);
  3. Calculate the economic base value;
  4. Multiply the base value by a factor reflecting the seriousness of the infringement;
  5. Apply a modifying factor (if required) to address any wider circumstances associated with the infringement not yet taken into account.

Step 1: Categorization of undertakings depending on turnover

As a first step, the DPAs identify the undertaking’s total worldwide annual turnover of the preceding financial year. This is used to assign the undertaking to a specific size category:

  • microenterprises: up to € 2 million annual turnover;
  • small enterprises: € 2 million to € 10 million annual turnover;
  • medium-sized enterprises: € 10 million to € 50 million annual turnover; and
  • large-scale enterprises: more than € 50 million annual turnover.

When determining an undertaking’s turnover, the German DPAs will look to the turnover of the ‘functional undertaking’ as understood under Articles 101 and 102 Treaty on the Functioning of the European Union (‘TFEU’). This functional undertaking, also known as the ‘economic unit’ in the case law of the Court of Justice of the European Union (‘CJEU’), may be defined by reference to the entire group (in the case of an affiliate within a wider group of companies). Importantly, the concept is not restricted to the controller or processor which actually committed the GDPR infringement, or to the ‘enterprise’ in terms of Article 4 no. 18 GDPR (i.e. the respective natural or legal person engaged in an economic activity).

Step 2: Determination of average annual turnover

This second step is only relevant for ‘undertakings’ with not more than € 500 million annual turnover and leads to the DPA applying a ‘deemed’ average turnover to the undertaking, calculated by reference to the relevant size category. For ‘undertakings’ with more than € 500 million annual turnover, the actual turnover will be the basis for further calculations.

Step 3: Calculation of base value

The average annual turnover determined as above is divided by 360 (days) to identify the (average) daily turnover, which serves as the base value. So for a microenterprise with up to € 700,000 annual turnover the daily rate would be € 972 (= € 350,000 / 360), and for an ‘undertaking’ with annual turnover between € 75 million and € 100 million the daily rate would be € 243,056 (= € 87.5 million / 360). If an ‘undertaking’ has, for example, € 1.5 billion annual turnover, the base value would be about € 4.17 million (= € 1.5 billion / 360).

Step 4: Factoring in the seriousness of the infringement

Depending on the severity of the infringement the daily rate will be multiplied by a factor between 1 and 7.2 (for administrative infringements under Article 83 (4) GDPR) or between 1 and 14.4 (for administrative infringements under Article 83 (5) and (6) GDPR) as set out below:

Severity of the infringement   Factor for formal infringements      Factor for material infringements
                               under Article 83 (4) GDPR            under Article 83 (5) and (6) GDPR
Minor violation                1 to 2                               1 to 4
Medium violation               2 to 4                               4 to 8
Severe violation               4 to 6                               8 to 12
Very severe violation          6 to 7.2 (= 2% of turnover)          12 to 14.4 (= 4% of turnover)

The Guidelines do not include definitions as to what constitutes a minor, medium, severe or very severe violation, nor as to how to place an infringement within the respective ‘fining corridor’, e.g. whether a medium violation under Article 83 (5) and (6) GDPR attracts a factor closer to 4 or to 8. Unofficially published information indicates that the objective criteria in Art. 83 (2) (a) GDPR will be applied here, i.e. the nature and gravity of the infringement based on factors covering the duration of the infringement, the nature, scope or purpose of the processing concerned, the number of data subjects affected and the level of damage suffered by the data subjects.

Step 5: Perpetrator-related and other circumstances not yet taken into account

As a last step, the DPA will apply a further percentage factor, taking into consideration any wider circumstances relevant to the infringement but not yet taken into account.

The percentages for this further step do not officially form part of the published Guidelines, but originate from unofficially published information. We have included these numbers only to provide a rough idea of how the calculation may look.

  • Degree of fault (-25% to +50%);
  • Mitigation measures taken by the controller or processor (-25% to +25%);
  • Degree of responsibility (-25% to +50%);
  • Relevant previous infringements (0% to 300%);
  • Cooperation with the DPA (-25% to +25%);
  • Categories of personal data affected (0% to +25%);
  • Manner in which the infringement became known to the DPA (-25% to +10%);
  • Compliance with measures ordered by the DPA (0% to +50%);
  • Adherence to approved codes of conduct or approved certification mechanisms (-25% to +10%).

Further circumstances lowering the fine could be, for example, an overlong duration of the DPA investigation or the impending insolvency of the controller or processor.
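As an added example (not part of the article or of the Guidelines themselves), the following Python walks through the five-step arithmetic described above and checks it against the figures quoted on the page. The step 2 turnover sub-bands and the midpoint rule are assumptions inferred from the page's examples, and the statutory ceiling applied at the end comes from Article 83 GDPR itself rather than from the Guidelines.

```python
from typing import Optional, Sequence, Tuple

DAYS = 360                                        # step 3 divisor
MAX_FACTOR = {"formal": 7.2, "material": 14.4}    # Art. 83(4) vs Art. 83(5)/(6)
# Statutory ceilings of Art. 83 GDPR itself (fact, not restated on the page):
# EUR 10m or 2 % of turnover for (4), EUR 20m or 4 % for (5)/(6), whichever is
# higher. 7.2/360 = 2 % and 14.4/360 = 4 %, which is why the factors top out there.
CAP = {"formal": (10_000_000, 0.02), "material": (20_000_000, 0.04)}


def size_category(turnover: float) -> str:
    """Step 1: size class by total worldwide annual turnover of the preceding year."""
    for limit, name in ((2e6, "micro"), (10e6, "small"), (50e6, "medium-sized")):
        if turnover <= limit:
            return name
    return "large-scale"


def deemed_turnover(turnover: float, band: Optional[Tuple[float, float]] = None) -> float:
    """Step 2: above EUR 500m the actual figure is used; otherwise the average of
    the turnover band (midpoint, per the page's examples: 0-700k -> 350k,
    75m-100m -> 87.5m). The sub-bands are not on the page, so the caller supplies one."""
    if turnover > 500_000_000:
        return turnover
    if band is None:
        raise ValueError("a (low, high) turnover band is needed at or below EUR 500m")
    low, high = band
    if not low <= turnover <= high:
        raise ValueError("turnover lies outside the supplied band")
    return (low + high) / 2


def daily_rate(avg_turnover: float) -> float:
    """Step 3: economic base value = average annual turnover / 360 days."""
    return avg_turnover / DAYS


def calculate_fine(turnover: float, kind: str, factor: float,
                   modifiers: Sequence[float] = (),
                   band: Optional[Tuple[float, float]] = None) -> float:
    """Steps 3-5: base value x severity factor, then the net percentage
    adjustment for the remaining circumstances, bounded by the statutory cap."""
    if not 1 <= factor <= MAX_FACTOR[kind]:
        raise ValueError(f"factor must be between 1 and {MAX_FACTOR[kind]} for {kind}")
    fine = daily_rate(deemed_turnover(turnover, band)) * factor
    fine *= 1 + sum(modifiers)                    # step 5, e.g. (+0.25, -0.25)
    fixed, share = CAP[kind]
    return min(fine, max(fixed, share * turnover))
```

The modifiers are passed as fractions, so the unofficial step 5 percentages above map directly (a 25% uplift is 0.25, a 25% reduction is -0.25).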

Criticism

It remains to be seen whether the German courts and ultimately the CJEU will consider the methodology contained within the Guidelines a ‘comprehensible, transparent and just’ basis for enforcing compliance. There are many reasons to criticise the approach so far, and fines imposed on the basis of the Guidelines at this point may ultimately be exposed to legal challenge:

  • Turnover of ‘economic unit’: It is highly disputed whether the economic unit concept developed in connection with EU antitrust law can be applied to fines under Article 83 GDPR. The main argument against this approach is that the reference to Articles 101 and 102 TFEU is only made in a non-binding recital (150) and creates a direct conflict with the definition of ‘group of undertakings’ in the binding Article 4 no. 19 GDPR (‘group of undertakings’ means ‘a controlling undertaking and its controlled undertakings’). In case of conflict between the recitals and the main body of a Regulation, the main body prevails. Article 83 (4), (5) and (6) GDPR only refer to an ‘undertaking’, not to a ‘group of undertakings’.
  • Determination of seriousness of the infringement: The Guidelines lack transparency on how the DPAs will objectively determine the seriousness of the infringement, given the wide fining margin (a factor of between 1 and 7.2, or even between 1 and 14.4). Specific criteria are necessary.
  • Unclear application of perpetrator-related and other circumstances: The fining guidelines do not provide any specific criteria on how to apply perpetrator-related and other circumstances. Unofficially published information indicates that non-cooperation with the DPA may lead to a 25% higher fine. This does not comply with the right to remain silent in an investigation. In addition, it seems that German DPAs intend not only to subtract 25% of the fine if a controller or processor voluntarily reports the infringement to the DPA, but also to increase the fine by 10% if the infringement is revealed by a data subject complaint. This, again, violates the nemo tenetur

Additionally, some of the calculations undertaken under these fining guidelines are not comprehensible.