The price of GDPR infringements

The EDPB has adopted a new set of guidelines to harmonise the way in which data protection authorities (DPAs) calculate fines.

These guidelines are an important addition to the framework the EDPB is building for more efficient cooperation among DPAs on cross-border cases, a strategic priority for the EDPB.

The Guidelines lay out a 5-step methodology DPAs can use when calculating the amount of a fine.

Increased fining power for DPAs

Under the General Data Protection Regulation (GDPR), DPAs have acquired greater fining power. They can issue substantial fines, making non-compliance a costly mistake for both large and small entities. The maximum fines for severe breaches are €20m or 4% of total global turnover.

Four years after the entry into application of the GDPR, enforcement has been picking up speed, as demonstrated by the increasing number of fines imposed and the number of final decisions taken under the one-stop-shop.

Consistent fining

While enforcement of the GDPR lies with the DPAs, the European Data Protection Board (EDPB) is tasked with ensuring the consistent application of data protection rules and promoting cooperation between DPAs.

The EDPB can interpret and clarify specific questions related to the fines that are issued in individual cases when it adopts a binding decision. In the first two Art. 65 decisions taken by the EDPB, the EDPB dealt specifically with questions related to fining. As a result of these decisions, the Lead Supervisory Authorities had to modify the way in which they calculated the fines.

The EDPB is also tasked by the GDPR to issue general guidelines for the setting of administrative fines.

The new EDPB Guidelines on the calculation of administrative fines under the GDPR complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which address the circumstances in which administrative fines would be an appropriate tool.

5-step method

Through a 5-step method, the new EDPB Guidelines offer a systematic and chronological way of calculating a fine. From now on, DPAs across the European Economic Area (EEA) will follow the same methodology to calculate fines.

First of all, DPAs have to establish whether the case at stake concerns one or more sanctionable conducts. Following this, DPAs will check if a conduct has led to one or multiple infringements. The purpose is to clarify if all the infringements or only some of them can be fined (i.e. in case of “concurrence of laws” whereby one conduct has led to multiple infringements but one infringement precludes the attribution of another infringement).

Next, the EDPB has agreed on harmonised ‘starting points’ for the calculation of a fine. Here, three elements are considered: the categorisation of infringements by nature, the seriousness of the infringement and the turnover of the business. The calculation is of course more than a straightforward maths exercise: the DPAs need to assess each case on its merits.

Following this, the EDPB provides a consistent interpretation of the aggravating or mitigating factors that can increase or decrease the amount of the fine.

The next step is to determine the legal maximums of fines as set out in Art. 83 (4)-(6) GDPR and to ensure that these amounts are not exceeded.

Lastly, DPAs need to analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality or whether further adjustments to the amount are necessary.

Transparency

The guidelines will help ensure that similar infringements are fined in a consistent manner across the EEA. They will also lead to greater transparency on the factors taken into consideration in the calculation of a fine.

The guidelines will be submitted for public consultation for a period of 6 weeks. Following the public consultation, a final version of the guidelines will be adopted, taking into account stakeholder feedback. It will include a reference table with a range of starting points for the calculation of a fine, correlating the seriousness of an infringement with the turnover of an undertaking.

Sonya Cerutti CIPP/E, CIPD qualified

Experienced senior Data Protection specialist

2y

Interesting read.

Andrew Sharp

Mostly retired, undertaking some non-executive support alongside volunteering in not for profit organisations

2y

I'm concerned by use of the word "price" in this context which suggests that a fair exchange is involved. Fines are intended to deter and to punish, not to represent an acceptable value exchange. Considering fines as the price of inappropriate behaviour invites organisations to balance the fine against the benefit to the organisation and to ignore the impact on the data subject and on their own reputation.

Youssef Loubani

| GDPR | Data Protection | Data Privacy | Information Security | Compliance | Risk Management |

2y

Jonas Kruse Dankert Brian M. Kristensen, so here is a bit of reading material for us🙂

Brendan Quinn

Data Expert in Law and Technology: Helping Businesses Grow while using all their data lawfully and ethically – Data, Data Protection and IT law, Information Security, and AI Expertise

2y

The guidelines do not mean much when some regulators will not use their powers for 100% infringements.
