On May 12, 2022 the European Data Protection Board (“EDPB”) has adopted draft guidelines on the calculation of administrative fines under GDPR (“Draft Guidelines”) and requests comments on the Draft Guidelines until June 27, 2022. With the Draft Guidelines the EDPB envisages harmonization of the calculation methodology as opposed to the actual outcome.

The proposed step-by-step concept for the calculation of fines under the GDPR are summarized below. However, the EDPB clarifies that the EU data protection authorities (“DPA”) are not required to follow each step if they are not applicable in a given case, nor to provide reasoning surrounding aspects of the Draft Guidelines that are not applicable.

  1. A DPA shall determine the particular conduct and the types of GDPR infringement. Depending on the circumstances, the DPA may find only one sanctionable conduct or multiple sanctionable conducts during its investigation. Based on the identified sanctionable conduct and the infringed provision of the GDPR, the DPA shall determine the scope of administrative fines pursuant to Art. 83 (4) GDPR, i.e. a fine of maximum EUR 10 million or 2% of the undertaking’s annual worldwide turnover, whichever is higher, or Art. 83 (5) GDPR, i.e., a fine maximum of EUR 20 million or 4% of the undertaking’s annual worldwide turnover, whichever is higher.
  2. Next step for the DPA shall be determining the seriousness of the infringement for each sanctionable conduct. There shall be three levels of seriousness: Low, medium or high. In order to determine the level of seriousness of an infringement, the DPA shall consider the following:
    1. Nature of the infringement based on the concrete circumstances
    2. Gravity of the infringement, in particular considering the nature of the processing at stake (e.g., monitoring and evaluation activities as well as activities concerning employees or patients are of higher gravity), scope of the processing (e.g., the larger the territorial scope the higher the gravity), the purpose of the processing (e.g., activities falling into the core business activities are typically of higher gravity), the number of data subjects (e.g., the higher the number of data subjects the higher the gravity), and the level of damages suffered and the impact of the individual’s rights and freedoms (e.g., physical, material or non-material damages).
    3. Duration of the infringement
    4. Intentional or negligent character of the infringement
    5. Categories of personal data affected (e.g., Art. 9 and 10 GDPR data as well as location data, financial data, and/or data on private communication indicate a higher level of seriousness
  3. Based on the level of seriousness (low, medium or high), the DPA shall determine a “starting amount” for the calculation of the exact fine, taken the maximum fine provided by Art. 83 (4) and Art. 83 (5), as applicable into account. For example, if the infringement falls under Art. 83 (5) GDPR, the GDPR provides for a fine maximum of EUR 20 million or 4% of the undertaking’s annual worldwide turnover, whichever is higher.
    1. In case of a low level of seriousness, the “starting amount” shall be 0 to 10% of the maximum fine; in case EUR 20 million is the maximum fine, the “starting amount” would be 0 to EUR 2 million.
    2. In case of a medium level of seriousness, the “starting amount” shall be 10% to 20% of the maximum fine; in case EUR 20 million is the maximum fine, the “starting amount” would be 2 to EUR 4 million.
    3. In case of a high level of seriousness, the “starting amount” shall be 20% to 100% of the maximum fine; in case EUR 20 million is the maximum fine, the “starting amount” would be EUR 4 to 20 million.
    4. In case of an undertaking with an annual worldwide turnover of more than EUR 500 million, the maximum fine under Art. 83 (4) and 83 (5) GDPR will be based on the annual worldwide turnover. Example: A company with an annual worldwide turnover of EUR 800 million could be subject to a maximum fine of EUR 32 million. In case of a high level of seriousness, the “starting amount” would be 20% to 100% of EUR 32 million, i.e. EUR 6.4 million to EUR 32 million.
  4. In order to ensure that the administrative fine is effective, dissuasive, and proportionate the DPA shall verify the “starting amount” by taking the turnover of the undertaking into account.
    1. In case of small-size companies with an annul turnover not exceeding EUR 50 million, the starting amount identified above can be reduced by the DPA to a sum of 2%, 0.4% or even 0.2% (depending on the actual annual worldwide turnover below EUR 50 million). Example: An undertaking with an annual turnover of EUR 500,000 committing an infringement with a high level of seriousness would have a “starting amount” for the calculation of a fine of EUR 4 to 20 million, but this starting point can be reduced to 0.2%, i.e., the “starting point” for this undertaking could be EUR 8,000 (0,2% of EUR 4 million) to 40,000 (0,2% of EUR 20 million)
    2. In case of companies with an annual turnover over EUR 50 million and more , the DPA can reduce the “starting amount” to a sum of 10%, 20% or 50%. Example: An undertaking with an annual turnover over EUR 800 million committing an infringement with a high level of seriousness would have a “starting amount” for the calculation of a fine of EUR 6.4 million to EUR 32 million (between 20 to 100% of the applicable maximum fine). The DPA could decide to reduce the starting amounts to 50%, i.e., between EUR 3.2 million to EUR 16 million.
  5. ​​​​​​​Based on the “starting amount” determined by the DPA by taking (i) the level of seriousness of the infringement, (ii) the applicable maximum fine under Art. 83 (4) and 83 (5) GDPR (i.e., EUR 10 million or 2% of the undertaking’s annual worldwide turnover, whichever is higher, or EUR 20 million or 4% of the undertaking’s annual worldwide turnover, whichever is higher), and (iii) the undertaking’s annual worldwide turnover as potential corrective factor, the DPA shall consider further aggravating and mitigating circumstances to determine the actual fine. Those include in particular ​​​​​​​
    1. Actions taken to mitigate the damages suffered by the data subject
    2. Degree of responsibility, taking into account measures implemented pursuant to Art. 25 and 32 GDPR
    3. Subject matter of prior infringements
    4. Degree of cooperation with an effect of limiting or avoiding negative consequences
    5. Manner in which the infringement became known to the DPA
    6. Adherence to an approved code of conduct or certification mechanism pursuant to Art. 42 GDPR
    7. Any other aggravating or mitigating factors, such as financial benefits gained, losses avoided.
  6. Additional comments of the EDPB to be aware of:
    1. Acts or omissions of an employee resulting in an infringement of the GDPR shall in general be attributable to the controller / processor unless the employee acts solely for its own private purpose or for the purposes of third parties (“acting in excess of their permitted remit”).
    2. It is irrelevant which individual within a controller / processor acted to cause the infringement; acts or omissions of certain functionaries (like managing directors or board members) are also irrelevant.
    3. The term “undertaking’s annual worldwide turnover” shall be interpreted as follow: “undertakings” refer to a single economic units (SEU) within the meaning of Art. 101 and 102 TFEU. An SEU can consists of several legal entities, in particular if a leading entity, namely the parent entity, has decisive influence over its subsidiaries. Decisive influence of the parent entity is presumed if the parent entity holds directly or indirectly 100% or almost 100% of the shares in its subsidiaries. In this case, the parent entity together with such subsidiaries form an SEU and this SEU will be considered to determine the SEU`s (the undertaking’s) annual worldwide turnover. Thus, the relevant annual worldwide turnover for the calculation of a fine can – in certain cases – be the group-wide annual worldwide turnover.
    4. The DPA shall have the option to hold the parent entity jointly and severally liable for the payment of a fine.
  7. Next Steps

EDPB has requested comments on the Draft Guidelines until June 27, 2022. We expect that Guidelines will be finalized and officially adopted in Q4 of 2022.