The Italian Supreme Court has established some important principles on how to calculate GDPR fines, and its decision might also have an impact internationally.
The case of the Italian Supreme Court on how to calculate GDPR fines
In Judgment 3276/2022, the Court of Milan had ruled on Resolution No. 234 of 2021, by which the Italian Data Protection Authority (the “Garante”) had imposed an administrative fine of EUR 2,600,000 on a company for having violated distinct provisions of Regulation 2016/679-EU (the “GDPR”) regarding the personal data of so-called riders. The court cancelled the resolution because it considered the sanction excessive.
Specifically, the court allegedly justified its ruling by stating that the Garante’s decision, while legitimate in terms of the possibility of intervention against the company, was not so in terms of the level of the sanction. In fact, the order had stated that it intended to take into account the “economic conditions of the offender, determined on the basis of the company’s revenues achieved with reference to the annual financial statements for the year 2019” (closed with operating losses). Yet it had then quantified the sanction for the most serious violation (pursuant to Article 83(5)(a) of the GDPR) as 7.29 percent of the company’s annual turnover, which is significantly higher than the 4 percent parameter mentioned by the cited norm, and even higher than the average percentage (0.0019 percent) applied by the same Garante to other sanctioned subjects.
Moreover, the court had held that it did not have in any case the “possibility […] to modify the amount of the pecuniary fine,” as this power was not granted by the national legislation on personal data.
The Garante therefore appealed to the Supreme Court, arguing mainly that Article 83 of the GDPR and Article 166 of the Italian Privacy Code, among other provisions, had been violated or misapplied, and maintaining that the fine had instead been imposed to the extent permitted by the applicable parameter.
The Principles set by the Italian Supreme Court on the Calculation of GDPR fines
The Italian Supreme Court, upholding the Garante’s grounds of appeal, set out, among other things, the following principles of law on how to calculate fines under the GDPR.
The Supreme Court holds that violating the provisions of the GDPR entails a fine that in general must not exceed “the amount specified for the most serious violation.” In fact, Article 83 of the GDPR establishes two types of alternative administrative fines:
a. up to EUR 10,000,000 or up to EUR 20,000,000, or
b. up to 2 percent or up to 4 percent of the previous year’s total annual worldwide turnover, “whichever is higher.”
The “percentage” administrative fine (2 percent or 4 percent), however, is a proportional reference that, for companies, “does not have a mitigating function of the edictal limit ordinarily set at a variable amount between the minimum and the maximum.” This means that the “percentage” fine operates only as an additional limit to the “ordinary” edictal limit (EUR 20,000,000). The Court draws this from the final part of the rule (“if higher”), which refers back to the “numerical” financial penalty.
It follows that the Supreme Court affirms that the fines imposed by the Garante are not static, but could also be modified by the court, should the latter deem it necessary.
Relevance of the decision for companies’ privacy compliance
The Supreme Court’s decision enshrines important principles for companies regarding sanctions imposed by the Garante through administrative measures. The Supreme Court crystallizes the principle that the maximum fine is determined not by the “percentage” fine but by the “numerical” fine. This means that a company could be sanctioned for more than 4 percent of its annual worldwide turnover (up to a maximum of EUR 20,000,000), as long as the sanction is effective, proportionate and dissuasive. Moreover, the court may well modify a sanction imposed by the Garante if it deems it necessary.
On a similar topic, the article “A privacy breach is not always a crime in Italy according to the Supreme Court” may be of interest.