Background: How to calculate GDPR fines?

How to properly calculate administrative fines for non-compliance with the EU General Data Protection Regulation (‘GDPR’) is one of the most important questions when applying the GDPR on practical level, e.g. :

  • What is actually meant by the reference to “undertaking” in Article 83 (4) to (6) GDPR?
  • Is a company accountable for infringing actions or omissions by all personnel or only if the non-compliance can be linked to a management function?
  • How are the criteria under Article 83 (2) GDPR to be applied?

As the European Data Protection Board (‘EDPB’) has not yet released any specific fining guidelines on this issue, other than the relatively high level “Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679” (WP253) of 3 October 2017, it is still up to each of the data protection authorities (‘DPAs’) of the EU member states to identify ways to ensure that fines are indeed ‘effective, proportionate and dissuasive’ in each individual case.

On 16 October 2019 the 18 German DPAs published their ‘Concept of the independent data protection authorities of the Federation and the Länder for the admeasurement of fines in proceedings against undertakings’ to calculate ‘comprehensible, transparent and just administrative fines’ (click here for further details). As this concept heavily focusses on the (group) turnover of the infringing controller or processor, it led to a significant increase of the amount of individual fines in Germany, see for example Berlin DPA v. Deutsche Wohnen SE.

The case: 1&1 Telecom GmbH v. BfDI

The Bonn Regional Court (Landgericht) was the first court to decide on a GDPR fine which had been calculated based on the German fining guidelines. The German telecommunication service provider 1&1 Telecom GmbH challenged a 9.55 million Euro fine issued by the German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit – ‘BfDI’) in connection with an alleged infringement of the security of processing under Article 32 (1) GDPR (not Article 5 (1) (f) GDPR). The new mobile phone number of a 1&1 customer had been disclosed to the former companion of said customer via a 1&1 call center. The former companion then used the phone number to harass the 1&1 customer (please click here for further background regarding the case).

German fining guidelines not compliant with GDPR

On 11 November 2020 (case number 29 OWi-430 Js-OWi 366/20- 1/20 LG) the Bonn Regional Court Bonn reduced the fine by more than 90% to only 900,000 Euro. In the decision, the court interpreted “undertaking” in Article 83 (4) to (6) GDPR in light of Articles 101, 102 TFEU. Based on the relevant group turnover of the 1&1 Drillisch group of 3.66 billion Euro, the fine therefore only reached 0.025%.

Although the Bonn Regional Court followed the (questionable) position of the BfDI that there actually was a (foreseeable and culpable) breach of Article 32 (1) GDPR by 1&1 Telecom GmbH, the court also found that the fining guidelines by the German DPAs do not comply with Article 83 GDPR. The court criticized the fining guidelines for focusing too much on the turnover of the “undertaking”, concluding that the first and foremost function of the turnover is to define the potential maximum fine for a breach of the GDPR, and not to determine the specific amount. In particular, turnover is not listed among the criteria in Article 83 (2) GDPR for determining whether to impose an administrative fine and deciding on the amount. That said, the court found that – as a first step – a DPA needs to determine the amount of the fine independent from the turnover and only based on Article 82 (2) GDPR. Only if such fine would be too low (and therefore not effective and not dissuasive) or too high (and therefore not proportionate) against the amount of turnover, the fine may be increased or decreased.

The Bonn Regional Court held that the fining guidelines by the German DPAs in fact work the other way around. They start with categorizing the undertakings in size categories based on their turnover. This size category is then used to calculate a ‘daily rate’ (10.17 million Euro in case of 1&1 Telecom GmbH) which is the starting point for calculating the fine. This ‘daily rate’ will then be kept or raised (not lowered) based on the seriousness of the infringement. Only as a last step the ‘daily rate’ may be lowered (or raised further) depending on the aggravating and mitigating factors set out in Article 83 (2) GDPR.

According to the Bonn Regional Court, this approach in particular leads to unproportionate fines in the case of only minor infringements by undertakings with a high turnover; and to ineffective and not dissuasive fines in case of severe infringements by undertaking with a small amount of turnover. The DPAs therefore need to focus on the criteria in Article 83 (2) GDPR first. With this in mind, the Bonn Regional Court set out the mitigating factors that lower the fine given to 1&1 Telecom GmbH:

  • The use of authentication procedures (name + data of birth) had not been criticized by the German DPAs until the incident;
  • There was only one case of misuse;
  • Mobile phone numbers are not a particularly sensitive type of personal data;
  • The level of negligence by 1&1 Telecom GmbH was minor;
  • Weak authentication was used for reasons of customer friendliness;
  • 1&1 Telecom GmbH was very cooperative and changed the authentication procedure without undue delay to a five digit service PIN;
  • 1&1 Telecom GmbH had not received any prior enforcement fines;
  • No possibility of a mass disclosure of personal data; and
  • Media coverage caused reputational damage for 1&1 Telecom GmbH.

Against this background, the Bonn Regional Court held that a fine of 9.55 million Euro as was too high.

Accountability of undertakings for administrative fines

An additional interesting issue in dispute was the question of whether a company can be fined, if the DPA fails to link the respective breach of the GDPR to a specific act or omission of at least one person in the management of the company.

The background of this dispute is that Section 41 (1) German Federal Data Protection Act (Bundesdatenschutzgesetz – ‘BDSG’) refers to the German Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten – ‘OWiG’) when it comes to issuing fines under Article 83 (4) to (6) GDPR. Section 30 OWiG however states that legal entities may only be fined, if certain persons in the management have committed a criminal or administrative offence (including the omission to implement or operate a proper compliance monitoring system). As the BfDI hadn’t linked the alleged infringement of Article 32 (1) GDPR to an act or omission of the management in the fining order, the order would have been invalid, if Section 30 OWiG had been applicable. The Bonn Regional Court however found that Article 83 GDPR gives no discretion to the Member States when it comes to the accountability of undertakings for administrative fines, Article 83 (8) GDPR only leaves room for procedural safeguards, not for additional requirements to issue the fine against the undertaking.

A recent decision by the Austrian Supreme Administrative Court (Verwaltungsgerichtshof) further shows that Article 83 (8) GDPR may be interpreted in different ways by Member States. In this case the Supreme Administrative Court concluded that Member State law may very well require that the names of those natural persons whose violation is attributed to the legal entity must be mentioned both in the prosecution and in the verdict (decision dated 12 May 2020, case number Ro 2019/04/0229, available here – in German only). Consequently, the interpretation of Article 83 (8) GDPR cannot be considered as settled yet.

Conclusion

Although the decision by the Bonn Regional Court is not yet final, it demonstrates that it may be worth challenging GDPR fines in court, even if the court agrees with the DPA with respect to the infringement. As GDPR fines should be effective, proportionate and dissuasive ‘in each individual case’, there is still room for reducing the fine, in particular if the controller or processor properly reacted to the (alleged) breach of the GDPR once becoming aware. It is therefore of utmost importance to properly document all steps taken by the controller or processor and all communication with the DPA in an investigation and fining procedure, to allow the court to properly review the calculation of the fine issued by the DPA. The decision also showed that the fining guidelines of the German DPAs can no longer be applied as they clearly fail to meet the standards set out in Article 83 GDPR.