The guidelines on the calculation of GDPR administrative fines from the German data protection authorities can provide valuable support in determining the risk exposure.
The GDPR is mainly known for its massive potential fines of up to 4% of the global turnover of the breaching entity. But, as data protection lawyers, we have always struggled to quantify the actual risk exposure, also as part of a due diligence process.
Considerable support is now provided by the guidelines issued by the German data protection authorities on the calculation of administrative fines under Article 83 GDPR. And here is a very interesting article on the topic published by my colleagues Verena Grentzenberg and Jan Spittka on Privacy Matters Blog.
Scope of applicability of the guidelines
The guidelines on the calculation of GDPR fines are intended to guide enforcement action by German DPAs against business ‘undertakings’. They do not apply to individuals or associations who are not acting in a business capacity. Importantly, the methodology set out in the guidelines for calculating fines is not intended to be exhaustive and will be subject to further specification by the European Data Protection Board (‘EDPB’). Further, the guidelines are not expected to be binding in cases of cross-border processing or for any non-German DPA.
Five steps to comprehensible, transparent and just GDPR fines
The guidelines set out a five-step methodology which German DPAs are expected to follow to secure a comprehensible, transparent, and just approach when calculating the amount of a specific fine:
- Categorize the undertaking based on annual turnover;
- Determine the average annual turnover (this will be determined by reference to the category the undertaking has been assigned);
- Calculate the economic base value;
- Multiply the base value by a factor reflecting the seriousness of the infringement;
- Apply a modifying factor (if required) to address any wider circumstances associated with the infringement not yet taken into account.
Step 1: Categorization of undertakings depending on turnover
As a first step, the DPAs identify the undertaking’s total worldwide annual turnover of the preceding financial year. This is used to assign the undertaking to a specific size category:
- microenterprises: up to € 2 million annual turnover;
- small enterprises: € 2 million to € 10 million annual turnover;
- medium-sized enterprises: € 10 million to € 50 million annual turnover; and
- large-scale enterprises: more than € 50 million annual turnover.
When determining an undertaking’s turnover, the German DPAs will look at the turnover of the “functional undertaking” as understood under Articles 101 and 102 of the Treaty on the Functioning of the European Union (‘TFEU’). This functional undertaking, also known as the economic unit in the case law of the Court of Justice of the European Union (‘CJEU’), can be defined by reference to the entire group (in the case of an affiliate within a wider group of companies). Importantly, the concept is not restricted to the controller or processor which actually committed the GDPR infringement, or to the “enterprise” in terms of Article 4 no. 18 GDPR (i.e., the respective natural or legal person engaged in an economic activity).
Step 2: Determination of average annual turnover
This second step is only relevant for ‘undertakings’ with not more than € 500 million annual turnover and leads to the DPA applying a ‘deemed’ average turnover to the undertaking. This is calculated by reference to the relevant size category. For ‘undertakings’ with more than € 500 million annual turnover, the actual turnover will be the basis for further calculations.
Step 3: Calculation of base value
The average annual turnover determined as above is divided by 360 (days) to identify the (average) daily turnover. So for a microenterprise with up to € 700,000 annual turnover the daily rate would be € 972 (= € 350,000 / 360) and for an ‘undertaking’ in the range of annual turnover between € 75 million and € 100 million the daily rate would be € 243,056 (€ 87.5 million / 360). If an ‘undertaking’ has, for example, € 1.5 billion annual turnover the base value would be about € 4.17 million (€ 1.5 billion / 360).
Step 4: Factoring in the seriousness of the infringement
Depending on the severity of the infringement the daily rate will be multiplied by a factor between 1 and 7.2 (for administrative infringements under Article 83 (4) GDPR) or between 1 and 14.4 (for administrative infringements under Article 83 (5) and (6) GDPR) as set out below:
| Severity of the infringement | Factor for formal infringements under Article 83 (4) GDPR | Factor for material infringements under Article 83 (5) and (6) GDPR |
| --- | --- | --- |
| Minor violation | 1 to 2 | 1 to 4 |
| Medium violation | 2 to 4 | 4 to 8 |
| Severe violation | 4 to 6 | 8 to 12 |
| Very severe violation | 6 to 7.2 (= 2%) | 12 to 14.4 (= 4%) |
The guidelines on the calculation of GDPR fines do not include definitions as to what constitutes a minor, medium, severe or very severe violation, nor as to how to allocate an infringement within the respective ‘fining corridor’, e.g. whether a medium violation under Article 83 (5) and (6) GDPR is rather a 4 or an 8. Unofficially published information indicates that the objective criteria in Art. 83 (2) (a) GDPR will be applied here, i.e., the nature and gravity of the infringement based on factors covering the duration of the infringement, the nature, scope or purpose of the processing concerned, the number of data subjects affected, and the level of damage suffered by the data subjects.
Step 5: Perpetrator-related and other circumstances not yet taken into account
As the last step, the DPA will apply a further percentage factor, taking into consideration any wider circumstances relevant to the infringement but not yet taken into account.
The percentages for this further step do not officially form part of the published guidelines but originate from unofficially published information. We have included these numbers only to provide a rough idea of how the calculation may look.
- Degree of fault (-25% to +50%);
- Mitigation measures taken by the controller or processor (-25% to +25%);
- Degree of responsibility (-25% to +50%);
- Relevant previous infringements (0% to 300%);
- Cooperation with the DPA (-25% to +25%);
- Categories of personal data affected (0% to +25%);
- Manner in which the infringement became known to the DPA (-25% to +10%);
- Compliance with measures ordered by the DPA (0% to +50%);
- Adherence to approved codes of conduct or approved certification mechanisms (-25% to +10%).
Further circumstances lowering the fine could be, for example, the duration of the DPA investigation or the impending insolvency of the controller or processor.
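As an added illustration of how the five steps chain together for a risk-exposure estimate (this is not a tool from the guidelines or from the article's authors), the Python sketch below reproduces the article's daily-rate figures and carries them through steps 4 and 5. It includes only the two turnover bands the article quotes and assumes the deemed average turnover is the band midpoint, that the step-5 percentages are summed and applied once, and that the result is capped at the Article 83 maxima (EUR 10 million or 2% of worldwide turnover for formal infringements, EUR 20 million or 4% for material ones, whichever is higher).

```python
# Added illustration of the five-step model described above; not an official
# calculator. Bands, midpoint rule, summed modifiers and the cap are assumptions.

# Steps 1-2: only the two turnover bands quoted in the article are included;
# the deemed average turnover is assumed to be the band midpoint (this matches
# the EUR 350,000 and EUR 87.5 million figures given for those bands).
TURNOVER_BANDS_EUR = [
    (0, 700_000),                # microenterprise band from the article
    (75_000_000, 100_000_000),   # large-enterprise band from the article
]
ACTUAL_TURNOVER_ABOVE_EUR = 500_000_000   # above this the real turnover is used

# Step 4 corridors from the article's table: (low, high) multiplier of the daily rate.
SEVERITY_FACTORS = {
    "minor":       {"formal": (1, 2),   "material": (1, 4)},
    "medium":      {"formal": (2, 4),   "material": (4, 8)},
    "severe":      {"formal": (4, 6),   "material": (8, 12)},
    "very severe": {"formal": (6, 7.2), "material": (12, 14.4)},
}
# Article 83 (4) and (5)/(6) maxima: fixed amount or share of turnover, whichever is higher.
STATUTORY_CAP = {"formal": (10_000_000, 0.02), "material": (20_000_000, 0.04)}


def deemed_average_turnover(turnover_eur: float) -> float:
    """Steps 1-2: actual turnover above EUR 500m, otherwise the band midpoint."""
    if turnover_eur > ACTUAL_TURNOVER_ABOVE_EUR:
        return turnover_eur
    for low, high in TURNOVER_BANDS_EUR:
        if low <= turnover_eur <= high:
            return (low + high) / 2
    raise ValueError("turnover band not covered by this example's band table")


def daily_rate(turnover_eur: float) -> float:
    """Step 3: economic base value = deemed average annual turnover / 360 days."""
    return deemed_average_turnover(turnover_eur) / 360


def estimate_fine(turnover_eur, severity, kind, position=0.0, modifiers=()):
    """Steps 4-5. `kind` is "formal" (Art. 83 (4)) or "material" (Art. 83 (5)/(6)).
    `position` (0.0..1.0) picks a point inside the severity corridor; `modifiers`
    are the step-5 percentages, assumed here to be summed and applied once."""
    low, high = SEVERITY_FACTORS[severity][kind]
    factor = low + (high - low) * position
    fine = daily_rate(turnover_eur) * factor * (1 + sum(modifiers) / 100)
    fixed_cap, share_cap = STATUTORY_CAP[kind]
    fine = min(fine, max(fixed_cap, share_cap * turnover_eur))
    return round(fine, 2)
```

Calling `estimate_fine(90_000_000, "medium", "material", position=0.5, modifiers=(-25, 25))` yields the article's EUR 243,056 daily rate multiplied by a factor of 6, with the two step-5 adjustments cancelling out.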
The view of my German colleagues re the guidelines on the calculation of GDPR fines
It remains to be seen whether German courts and ultimately the CJEU will consider the methodology contained within the Guidelines a ‘comprehensible, transparent and just’ basis for enforcing compliance. There are many reasons to criticize the approach so far and ultimately expose the model to legal challenge in case of fines applied based on the Guidelines at this point:
- Turnover of ‘economic unit’: It is highly disputed whether the economic unit concept developed in connection with EU antitrust law can be applied to fines under Article 83 GDPR. The main argument against this approach is that the reference to Articles 101 and 102 TFEU is only made in a non-binding recital (150) and creates a direct conflict with the definition of ‘group of undertakings’ in the binding Article 4 No. 19 of the GDPR (‘group of undertakings’ means ‘a controlling undertaking and its controlled undertakings’). In case of conflict between the recitals and the main body of the Regulation, the main body prevails. Article 83 (4), (5) and (6) GDPR only refer to an ‘undertaking’, not a ‘group of undertakings’.
- Determination of seriousness of the infringement: The guidelines lack transparency on how the DPAs will objectively determine the seriousness of the infringement, with a wide fining corridor (a factor between 1 and 7.2, or even between 1 and 14.4). Specific criteria are necessary.
- Unclear application of perpetrator-related and other circumstances: The guidelines on the calculation of GDPR fines do not provide any specific criteria on how to apply perpetrator-related and other circumstances. Unofficially published information indicates that non-cooperation with the DPA may lead to a 25% higher fine. This does not comply with the right to remain silent in an investigation. In addition, it seems that German DPAs not only intend to subtract 25% of the fine if a controller or processor voluntarily reports the infringement to the DPA, but also to increase the fine by 10% if the infringement is revealed by a data subject complaint. This again violates the nemo tenetur principle.
Additionally, some of the calculations undertaken under these guidelines are not fully comprehensible.
My view on the guidelines
My personal opinion on the guidelines is that, in the absence of more detailed guidelines, they might be a valuable benchmark in supporting entities whose conduct is challenged by local data protection authorities.
However, the guidelines provide for a minimum fine even in the case of minor infringements, and even if mitigation measures are adopted, since the reduction for good behavior is capped. But if, following the challenge, the company has taken every action required to ensure data protection compliance and individuals have suffered no damage, I do not see why the company should be fined.
Data protection regulations are aimed at protecting personal data, rather than punishing entities for their breach. A collaborative approach between companies and regulators is necessary. Otherwise, companies will tend to “hide” data breaches and behaviors whose compliance with data protection law is uncertain, since they are aware that, if investigated, they will simply receive a fine.
This is not an unlikely scenario since, based on our experience, the position of data protection authorities is that they are still building their interpretation of GDPR matters during this period. If even the regulator is uncertain as to the proper interpretation of some GDPR provisions, a fine could still be imposed.
On the topic above, you may find interesting the article Are privacy fines really massive under the GDPR?