Following a number of rumors, it is now official: fines for data protection infringements will in future be imposed according to a uniform procedure. This is intended to guarantee a comprehensible, transparent, and case-by-case approach to setting fines.

On October 14, 2019, the Conference of Independent Federal and State Data Protection Supervisors published the new model. Accordingly, fines will be assessed in five steps in the future:

  1. assignment of the company to a size class
  2. determination of average annual sales of the respective subgroup of the size class
  3. determination of the basic economic value
  4. multiplication of the basic value by a factor dependent on the severity of the infringement
  5. adjustment of the value determined under step 4 on the basis of aggravating or mitigating circumstances.

In the future, fines will therefore be assessed in a precise and, above all, comprehensible manner. At the same time, however, as outlined in our previous article, fines will increase significantly. Even for slight infringements, the daily rate is multiplied by a factor between 1 and 4. As an example, with annual sales of EUR 9 billion, a fine between EUR 25 million and EUR 100 million would be due. As a consequence, in the event of data protection infringements, a company may have to set up provisions and/or notify investors and the public in accordance with the requirements of Securities Trading Legislation.

General managers and executive board members must observe these fine regulations as part of their duty of care (cf. Section 43(1) Act governing German Limited Liability Companies, Section 93(1) sentence 1 Stock Corporation Act). Authorized representative bodies need to take into account that, in the event of fines being imposed on their own companies, they might be personally liable under certain circumstances. They should therefore also ensure compliance with provisions under data protection law.

The new fine model sees German supervisory authorities catching up with the levels of fines in neighboring European countries. Recent examples include a fine of EUR 250,000 assessed for infringements by the Spanish soccer league, Google paying EUR 50 million in France, and British Airways being fined EUR 204 million in the UK.