As a business owner, you may want to know more about how GDPR (General Data Protection Regulation) fines are calculated. This year, the EDPB (European Data Protection Board) has adopted new Guidelines on the calculation of administrative fines, harmonizing the methodology used by Data Protection Authorities (DPAs).
The guidelines also provide consistent "starting points" for calculating fines. As a result, the European Board takes three factors into consideration:
- the classification of the violations based on their nature.
- the degree of the violation.
- the turnover of the impacted enterprises.
The supervisory bodies do not need to follow all stages if they do not apply in a particular situation. These Guidelines can be used as a step-by-step approach.
The DPA must determine whether one or more actions are punishable. It must also determine whether those acts resulted in one or more violations. The purpose is to clarify whether all offenses can result in fines or only a part of them. (Article83(3) GDPR)
The same or linked processing operations
According to the EDPB, "the same or linked processing operations" may include several components that are carried out by a unitary will and are related in a way that would make them appear as one conduct to an outside observer.
A sufficient connection should not be assumed to be adequate to prevent the supervisory authority from violating the principles of deterrence and effective enforcement of the GDPR.
Multiple sanctionable conducts
Because they came to the DPA's attention at the same time without being the same or linked processing operations in the sense of Article 83(3) GDPR, these violations are addressed in a single decision.
The DPA must establish a starting point when determining the penalty. As a starting point for further calculation, the EDPB considers three factors:
Categorization of infringements under Articles 83(4)– (6) GDPR
The GDPR distinguishes between two types of violations:
- those that are sanctioned by Article 83(4) GDPR (the maximum fine is €10 million, or 2% of the company's annual revenue, whichever is greater).
- and those that are sanctioned by Article 83(5) and (6) GDPR (the maximum fine is €20 million, or 4% of the company's annual revenue, whichever is higher).
The Seriousness of the infringement in each individual case
The GDPR (Article 83(2)(a) ) requires the supervisory authority to consider the nature, gravity, and duration of the infringement, as well as the nature, scope, or purpose of the processing in question. Also, it must consider the number of data subjects affected and the level of damage they have experienced.
Turnover of the undertaking to impose an effective, deterrent, and equitable fine
Article 83(1) of the GDPR requires each supervisory authority to ensure that administrative fines are effective, reasonable, and dissuasive in each individual case. DPAs should customize administrative fines within the entire range available up until the legal maximum in order to impose an effective, appropriate, and dissuasive fine in all circumstances. Depending on the circumstances of the case, this can result in considerable increases or decreases in the amount of the fine.
The supervisory authority must consider the remaining aggravating and mitigating circumstances specified in Article 83(2) GDPR after evaluating the nature, gravity, and duration of the infringement, as well as the character of the infringement and the categories of personal data, impacted.
Increases or decreases in a fine cannot be predicted using tables or percentages when assessing these aspects. It is underlined that the actual quantification of the fine will be based on all of the elements gathered throughout the course of the inquiry, as well as additional considerations related to the supervisory authority's previous fining experiences.
Setting the legal maximum fine amounts, as specified in Article 83 paragraphs (4)-(6) of the GDPR, ensuring that these amounts are not exceeded.
The administrative fine imposed for GDPR violations mentioned to in Articles 83(4)-(6) must be effective, proportionate, and dissuasive in each individual case. According to the EDPB it is the supervisory authorities' responsibility to determine whether the amount of the fine fits these requirements or whether further changes are required.
Why is it important to know how GDPR fines are calculated?
The steps outlined above establish a generic procedure for calculating penalties and are intended to allow more transparency in supervisory authorities' fining practices. However, the EDPB states clearly that this basic procedure should not be misinterpreted as a type of automatic calculation. Individual fines must always be based on a human judgment of the relevant case facts and they must be effective, proportionate, and deterrent in that unique situation.
Knowing how GDPR fines are calculated as an entrepreneur or business owner will help you invest more in becoming and being compliant with the regulation.
The GDPR has been changing since its implementation and it is critical to comply with to avoid penalties. Please contact us if you want to learn more or have any questions.
We offer a number of services to help you and keep your corporate compliance program up to date.
Last updated: October 17, 2022