Aiming for uniformity of the systematic assessment of fines, the Conference of the German Data Protection Authorities (DSK) has published a new model for calculating fines under the EU General Data Protection Regulation (GDPR). The DSK now calculates fines by dividing group companies’ annual turnover by 360 and multiplying this by a factor, that varies depending on the severity of the offence. This can lead to very large fines, especially for larger groups of companies. Further, there are also circumstances where the fine could be increased or even reduced. In this article, we provide you with insight into the calculation of the model, with a formula and a detailed example.
In its statement, the DSK clarified that the imposition of fines in proceedings against companies takes place in five steps. Firstly, the company concerned is assigned to a size class (“Größenklasse”). Secondly, the average annual turnover of the respective subcategories of the size class is determined. Then, a basic economic value (“Tagessatz”) is determined. As the fourth step, this basic economic value is multiplied by a factor depending on the degree of the severity of the circumstances. Finally, the value determined is adjusted depending on the circumstances of the offender and other circumstances not yet taken into account.
Detailed overview of the five steps
The following sections provide the five steps developed by the DSK to calculate GDPR fines.
The first step consists of categorising the size of the company pursuant to the worldwide annual turnover pursuant to Art. 83 sec. 4 to 6 GDPR to a size class (“Größenklasse”). Please see this link for a detailed description of the size classes and subcategories.
Secondly, the average annual turnover of the subgroup to which the company belongs is determined. Please see this link for a detailed description of the assessment of the average turnover. It is to be noted that if the annual turnover exceeds EUR 500 million, the maximum percentage fine of 2% or 4% of the annual turnover is to be applied, so that the calculation for the respective company is based on the actual turnover.
In the third step, the average annual turnover is divided by 360. This division leads to the determination of a basic economic value (“Tagessatz”). These values are shown in the table in this link.
The fourth step consists of classifying the factor which the basic value is multiplied by. The factor is defined by the degree of severity of the offence. This takes place on the basis of concrete fact-referred circumstances of the individual case, according to Art. 83 para. 2 sentence 2 GDPR, and is classified in light, medium, severe or very severe.
The following table was published by the DSK for the purpose of classification of the factor:
For the last step, the amount calculated will be adjusted on the basis of all circumstances in favour of and against the party concerned, insofar as these have not yet been taken into account in the fourth step. In particular, this includes all offence-related circumstances (cf. catalogue of criteria in Art. 83 para. 2 GDPR) as well as other circumstances, such as a long proceedings or an imminent company insolvency. Depending on each offence-related circumstance, reductions or increases may be applied to the previously calculated value. For example, for each offence-related circumstance, reductions or increases of 25% are very likely.
Formula for the GDPR fine calculation model
For the sake of clarity, the fine calculation model can be summarised to the following general formula:
* Based on the average turnover of the previous year of the developed size classes (step 1, 2)
** Factor according to the degree of severity of the offence
*** Rounded up amount that can still be adjusted depending on whether there are any other aggravating or mitigating factors in the individual case (step 5)
Example for a fine calculation according the formula
As an example, a group of a company with a worldwide annual turnover of EUR 120 million, will be classified into category “D.III” (please see table under link, EUR 100 million up to 200 million) with an annual average turnover of EUR 150 million. This is then divided by 360 which gives a basic economic value (“Tagessatz”) of EUR 416.667. The basic economic value will then be multiplied by the factor, that will vary based on the severity of the offence. For instance, if the authority assesses the infringement as a very severe offence pursuant Art. 83 sec. 5 GDPR, factor 12 would be applied. This would lead to a fine of about EUR 5 million.
Depending on the individual case, a reduction or an increase could be possible.
Outlook for companies
In summary, the calculation formula seems to be quite simple. However, there is uncertainty around which factor the basic economic value will be multiplied by. The factor will be adjusted by the authority, depending on the perceived severity of the particular offence. This assessment will be based on the individual case taking into account multiple circumstances. It will therefore be unclear what the end will be, in particular in respect to possible increases of the basic economic value. Therefore, the measurements can lead to very high fines, depending on the turnover of the particular company and the severity of the offence. Companies should now be prepared in terms of data protection. However, it is not yet clear how the courts will position themselves on this matter as they are not bound by the DSK’s calculation model. Finally, it is to be noted that this model is neither binding for cases with a cross-border reference nor for any other EU data protection authorities.