Since the GDPR became applicable, enterprises and data protection lawyers have wanted to forecast the amount of the fine a supervisory authority could impose for a given infringement. The German data protection authorities have published guidelines setting out criteria intended to give fines imposed under the GDPR a fair basis for being effective, proportionate and dissuasive.
Although the sanctioning regime of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, GDPR) contains criteria meant to keep administrative fines proportionate for large enterprises and retailers alike, the way those provisions have been applied so far has raised legal certainty concerns, not least because their application also depends on the national laws that complement the GDPR.
This is mainly because, from the potential infringer's standpoint, the amount of the fine is currently hard to anticipate and depends to a great extent on the individual case. Recall that, for a given data protection infringement, supervisory authorities may issue a reprimand or impose fines of up to EUR 20,000,000 or, where the infringer is an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
On 3 October 2017, the Article 29 Working Party published the Guidelines on the application and setting of administrative fines for the purposes of the GDPR (WP 253), to establish a common understanding among the supervisory authorities of the criteria applicable when imposing fines. However, the WP 253 guidelines do not, by themselves, ensure a proportionate application of the GDPR's sanctioning regime, so further guidelines from the European Data Protection Board (EDPB) are expected.
Against this background, the Conference of German Data Protection Authorities (German Datenschutzkonferenz, DSK) has recently published guidelines proposing a method for calculating administrative fines under the GDPR. First, these guidelines are in no way binding on the data protection authorities and courts of the other Member States, and they do not apply to infringements involving a cross-border data transfer. Second, the method applies only where the infringer is an undertaking; associations and individuals are expressly excluded and are subject to a different calculation.
The DSK considers the total annual turnover of an undertaking a suitable, appropriate and fair basis for ensuring that significant fines imposed on corporations are effective, proportionate and dissuasive. It therefore adopts a method it describes as "comprehensible, transparent and fair" for the individual case, which starts from the total annual turnover of the undertaking concerned and sets the fine in five steps:
- To allocate the relevant undertaking into a category based on its size.
- To determine the average annual turnover of the undertaking within its size category.
- To calculate the corresponding daily amount.
- To multiply the daily amount by a certain factor that depends on the seriousness of the infringement.
- To adjust the resulting amount according to the circumstances of the individual case.
As outlined above, the DSK's first step in setting a fair and proportionate fine for an infringing enterprise is to classify it into a group by size. Within each size category, the German authorities then allocate enterprises to a range of total annual turnover, subdividing them into further groups (please refer to the DSK's guidelines for the specific turnover bands used for each subcategory).
Once the enterprise has been assigned to its subcategory, the DSK takes the mean annual turnover of that subcategory as the reference figure and divides it by 365 to obtain a daily turnover amount, which serves as the base amount for the fine. That daily amount is then multiplied by a factor reflecting the seriousness of the infringement, distinguishing between infringements under Article 83(4) of the GDPR (fines of up to EUR 10,000,000 or 2% of total annual turnover, whichever is higher) and infringements under Articles 83(5) and 83(6) of the GDPR (fines of up to EUR 20,000,000 or 4% of total annual turnover, whichever is higher). The final step is to adjust the resulting amount to the individual circumstances of the infringer.
The DSK's guidelines respond to the need for a fair and proportionate methodology for imposing administrative fines until the EDPB publishes further guidance on the matter. Although, as noted, they are not binding on the supervisory authorities of the other Member States, they offer a reasonable basis for a preliminary estimate of the fine an undertaking might face if investigated by a supervisory authority. The same calculation can also be used to gauge the exposure a company assumes when contracting with other enterprises, based on the counterparty's size and the personal data processing it carries out.