According to recent press reports, the German data protection authorities have agreed on a new way to calculate administrative fines under the General Data Protection Regulation (“GDPR”). The new scoring model, which has not yet been officially published, could make fines of tens of millions of euros a reality in Germany. In contrast to their French and UK counterparts, Germany’s data protection authorities have so far been more restrictive in imposing GDPR fines.
The New Model
The new model is reported to derive a daily fine rate from the company's worldwide turnover in the previous year. The daily rate is then multiplied by a factor ranging from 1 for a very minor infringement to 14.4 for a very serious infringement. The severity is determined by, among other things, the duration of the infringement, the number of persons affected and the extent of the damage suffered.
The model also takes into account the degree of fault. If the negligence was minor or unintentional, the factored rate is reduced by 25 percent. If the negligence was more than minor but deliberate, the fine may increase by 25 percent or even 50 percent. If the company had been non-compliant in the past, a surcharge will be added: 50 percent for a second infringement, 150 percent for a third infringement and 300 percent for a fourth or subsequent infringement.
Other factors that can have an impact include the company’s cooperativeness with the authorities and measures it has taken to mitigate the damage.
A Look Ahead
The model is not official yet, but once it is formally adopted in its reported form, fines are likely to increase. However, it will also give businesses more clarity about how the fines are determined.