The German Datenschutzkonferenz (DSK), the joint body of the German data protection authorities, has just published the model which it intends to use to calculate fines pursuant to Article 83 of the GDPR.
Under the new framework, a fine for GDPR violations will be calculated in five steps as shown below:
(a) Step 1: The company is assigned to a group based on its size
As a first step, the DSK proposes to assign the company in question to a group based on its total worldwide turnover of the previous year. Companies could be categorised as: very small; small and medium-sized; or large. Each group is then further divided into subgroups.
Illustration 1: A company has a worldwide turnover of €900,000 for the previous year. It is therefore assigned to “sub-group A.II” – micro companies with a turnover of between €700,000 and €1.4 million.
Illustration 2: A company has a worldwide turnover of €2 billion for the previous year. It is therefore assigned to “sub-group D.VII” – large companies with an annual turnover of more than €500 million.
For corporate groups, a key issue is whether the authorities base the calculation on the turnover of the individual company concerned or on that of the entire group. It should be noted that Article 83 of the GDPR envisages that fines will be imposed on an “undertaking”, and the DSK has noted that the meaning of this term is the same as that used in antitrust law (which is imported by Recital 150 GDPR). The consequence of this is that parent companies and subsidiaries are regarded as an economic unit (an “undertaking”), so that the total turnover of the group of companies will be used as the basis for calculating the fine.
(b) Step 2: The DSK determines the average annual turnover of the “undertaking” based on the specific group to which it has been allocated
The DSK then goes on to determine the “average annual turnover” of the undertaking (whether this is an individual company or a group). Where an undertaking’s annual turnover of the previous year is less than €500 million, the DSK assigns a fixed “average annual turnover fee” to the undertaking, based on the sub-group it has been sorted into in Step 1.
Illustration 1: The company in “sub-group A.II” above would be deemed to have an “annual average turnover” of €1,050,000 (regardless of its actual annual turnover) – that is, the average sum of the lower and upper bands in that sub-group (€700,000 and €1.4 million).
On the other hand, where the undertaking has an annual turnover of more than €500 million, the DSK will apply the maximum percentages under Article 83(4) and (5) of the GDPR (that is, 2% or 4%, depending on which provision of the GDPR was infringed) to the undertaking’s actual annual worldwide turnover in order to calculate the fine.
Illustration 2: The company in “sub-group D.VII” above would have its fine calculated based on its actual turnover – that is, €2 billion. If the 2% metric was applied, the company could potentially face a fine of €40 million.
(c) Step 3: Calculation of the “daily rate”
Next, the DSK determines the “daily rate” by dividing the calculated average annual turnover of the undertaking for the previous year by 360 days.
(d) Step 4: The DSK determines the “regular fine corridors” and the mean value
The next step is an assessment by the authority of the perceived severity of the specific offence. This severity assessment seems to be based primarily on an overall assessment taking into consideration, inter alia, the GDPR provisions infringed and the maximum fine limits set out in Article 83 (4) – (6) of the GDPR, with some discretion for the authorities to take into account the level of harm to individuals (noting that the GDPR’s maximum fine limits may not be exceeded).
The DSK’s model sets out four levels of severity which are split into two groups, depending on whether there has been:
- a technical infringement (formeller Verstoß) of the GDPR, i.e. a violation of the requirements listed in Article 83 (4) GDPR, such as a missing or incomplete data processing agreement or joint controllership agreement, a violation of privacy by design and default, failure to appoint a data protection officer, etc.; or
- a material infringement (materieller Verstoß) of the GDPR, i.e. a violation of the requirements listed in Article 83 (5) GDPR, such as a violation of data subject rights, data transfers to countries outside the EEA whose data protection laws have not been deemed adequate, unlawful data processing, etc.
Each severity level is associated with a multiplier range pursuant to Article 83(4) and (5) GDPR. If the perceived gravity of the infringement is:
- minor, then the multiplier range for
  - technical infringements is 1 to 2,
  - material infringements is 1 to 4;
- average, then the multiplier range for
  - technical infringements is 2 to 4,
  - material infringements is 4 to 8;
- severe, then the multiplier range for
  - technical infringements is 4 to 6,
  - material infringements is 8 to 12; and
- very severe, then the multiplier range for
  - technical infringements is above 6,
  - material infringements is above 12.
The levels of severity will be determined on a case-by-case basis. For example, sending an unsolicited e-mail advertisement could be regarded as a minor infringement, and the unauthorised monitoring of employees as a severe infringement, but there is no further guidance on this at this stage (so this key element remains to be determined).
The outcome of the severity assessment is the determination of the so-called “regular fine corridor” by multiplying the “daily rate” by the multiplier range associated with the relevant severity level. The authorities then calculate the median value of the resulting “fine corridor”, which becomes the basis for the further calculation of the fine.
(e) Step 5: Classification of the specific GDPR infringement
The final step involves modification of the fine (calculated under Step 4 above) to take into account the nature of the offence and its consequences for the affected data subject.
In particular, this includes all circumstances referred to in Article 83 (2) GDPR (e.g. nature, extent and purpose of the unlawful processing, number of data subjects involved in the processing, extent of harm suffered by data subjects, etc.) as well as other circumstances, such as duration of the infringement or any threat of insolvency for the company.
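To make the arithmetic of Steps 1 to 5 concrete, the following is an added Python example; it is not part of the original article and not a tool published by the DSK. It assumes only the two sub-group bands named above (A.II and D.VII), treats any other band as caller input, models the discretionary Step 5 adjustment as a caller-supplied factor, and applies the Article 83 ceilings (percentage or fixed amount, whichever is higher) as the statutory cap.

```python
# Worked example of the DSK five-step arithmetic described above.
# Added here for illustration; it is not the DSK's own tool. Only the two
# sub-group bands the text names (A.II, D.VII) are known; any other band is
# an assumption the caller passes in. The Step 5 adjustment is modelled as a
# caller-supplied factor, an assumption, since the text gives no formula.

# Multiplier ranges from the text: severity -> (technical, material).
# "very severe" is left out: the text gives only open-ended lower bounds.
MULTIPLIER_RANGES = {
    "minor":   ((1, 2), (1, 4)),
    "average": ((2, 4), (4, 8)),
    "severe":  ((4, 6), (8, 12)),
}
LARGE_THRESHOLD = 500_000_000  # above this, actual turnover is used (Step 2)
# Article 83(4)/(5): 2% / 4% of worldwide turnover, or EUR 10m / 20m,
# whichever is higher (the text above cites only the percentages).
STATUTORY_CAP = {"technical": (0.02, 10_000_000), "material": (0.04, 20_000_000)}


def average_annual_turnover(actual, band=None):
    """Step 2: band midpoint at or below EUR 500m, actual turnover above.
    band = (lower, upper) of the Step 1 sub-group, e.g. (700_000, 1_400_000)."""
    if actual > LARGE_THRESHOLD:
        return float(actual)
    if band is None:
        raise ValueError("sub-group band required for turnover <= EUR 500m")
    lower, upper = band
    return (lower + upper) / 2


def fine_corridor(avg_turnover, severity, kind):
    """Steps 3-4: daily rate (turnover / 360) times the multiplier range.
    Returns (low, high, median) in EUR."""
    daily_rate = avg_turnover / 360
    technical, material = MULTIPLIER_RANGES[severity]
    lo_mult, hi_mult = technical if kind == "technical" else material
    low, high = daily_rate * lo_mult, daily_rate * hi_mult
    return low, high, (low + high) / 2


def calculate_fine(actual, severity, kind, band=None, adjustment=1.0):
    """Steps 1-5: corridor median, scaled by the assumed Step 5 factor and
    capped at the Article 83 maximum for the infringement kind."""
    avg = average_annual_turnover(actual, band)
    _, _, median = fine_corridor(avg, severity, kind)
    pct, floor = STATUTORY_CAP[kind]
    return min(median * adjustment, max(pct * actual, floor))


if __name__ == "__main__":
    # Illustration 1 company, material infringement of average severity.
    print(fine_corridor(average_annual_turnover(900_000, (700_000, 1_400_000)),
                        "average", "material"))  # ~ (11666.67, 23333.33, 17500.0)
    # Illustration 2 company under the 2% provision: corridor median vs EUR 40m cap.
    print(calculate_fine(2_000_000_000, "severe", "technical"))
```

Running it shows how far the corridor median for the €2 billion company (about €27.8 million) sits below the €40 million ceiling the article mentions, which is the kind of gap Step 5 would have to close or widen.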
The Berlin Data Protection Authority (which took the lead in developing this new framework) recently announced its intention to impose multimillion-Euro GDPR fines. This approach to fines has also been presented to the “Fining Taskforce” of the European Data Protection Board (EDPB), which aims to ensure consistent GDPR practices in relation to fines in the EU. The DSK believes that their model guarantees a systematic approach for a transparent and comprehensible calculation of fines.
The application of the new model would lead to significantly higher GDPR fines than those imposed by the German authorities so far. The largely linear calculation method, starting with turnover, leads to serious penalty risks, especially for undertakings and groups with high revenues.
The calculation model will certainly be tested by the courts. With the high fines that are to be expected for multinational companies, it is more than likely that they will challenge the new model and escalate this to the highest courts, including the European Court of Justice.
The purely linear calculation based on revenues could be contested – especially with regard to whether it leads to proportionate fines in each individual case. While the model may be proportionate in relation to data-driven companies that generate a high profit from their revenues, we have substantial concerns as to whether it would be proportionate for companies generating a low profit ratio relative to their turnover, or where the data processing in question only plays a minor role in the business of the company in question. In addition, the model does not seem to take into account different business models. It remains to be seen whether the final calculation in Step 5 could be a corrective step.