On 12 May 2022 the EDPB adopted Guidelines on the calculation of administrative fines (the Guidelines). The Guidelines supplement the Article 29 Working Party’s Guidelines on the application and setting of administrative fines (WP253) adopted in October 2017 and recommend that the two are read together. Whereas the previous guidance set out general principles for when to impose fines under Article 83 GDPR, the new Guidelines provide a detailed five-step methodology for calculating a starting point for a fine and clarify how to determine the turnover of an undertaking, in order to harmonise the approach across Member States.
The Guidelines stress that the EDPB envisages harmonisation of the starting points and methodology used to calculate a fine, rather than harmonisation of the outcome. Confusingly, they also state that they do not preclude a supervisory authority from using predetermined fixed-amount fines for certain infractions (which would be at odds with this approach).
Content
Step 1: Establish how many infringements (and therefore, fines) there are
Step 2: Assess the Starting Point Sum
Step 3: Consider mitigating and aggravating factors
Step 4: Check the sum against the legal maximum
Step 5: Analyse effectiveness, dissuasiveness and proportionality
Contrast with the UK and EU DPA approaches
Our take
Step 1: Establish how many infringements (and therefore, fines) there are
If several independent breaches (sanctionable conducts) are brought to a supervisory authority’s attention in one instance, each separate breach will be punished by an independent fine with each fine subject to individual calculation (individual legal maximums and starting points). For example, a data controller collects data without proper legal basis and when it is later hacked, it fails to notify the supervisory authority. While the two infringements would likely come to the supervisory authority’s attention at the same time, they are not contextually or consequentially related and would be considered as independent breaches.
On the other hand, one sanctionable conduct may lead to several infringements, either because several processing activities form one linked set of operations (e.g. collecting and storing information) or because the same infringing activity takes place several times in close temporal proximity (e.g. sending marketing emails in waves). For such multiple infringements performed as part of the same conduct, the supervisory authority has to determine whether it would be sanctioning the offender for the same wrongdoing twice (e.g. where a breach of a more specific provision of the GDPR also breaches a wider provision). There are certain principles (including the principles of speciality, of subsidiarity and of consumption) the supervisory authority must take into account in making this determination. In any event, if it determines that this is one sanctionable conduct, the total amount of the fine may not exceed the legal maximum for the gravest infringement.
*diagram provided in the Guidelines
Step 2: Assess the Starting Point Sum
(1) Category of infringement under Article 83(4) – (6) GDPR
The Starting Point Sum is calculated as a percentage of the maximum fine which, depending on which article has been breached, may be (a) the higher of €10m or 2% of the undertaking’s annual turnover, or (b) the higher of €20m or 4% of the undertaking’s annual turnover.
(2) Seriousness of infringement
The supervisory authority determines the seriousness of the infringement in an individual case based on the following factors:
- Article 83(2)(a) factors:
- Nature of the infringement (i.e. the place of the infringed provision in the GDPR framework)
- Gravity of the infringement (considering the nature, scope and purpose of the processing, the number of data subjects concretely and potentially affected and the level of damage to the individual’s rights and freedoms)
- Duration of the infringement (not negative in itself but it may signify wilfulness)
- Intentional or negligent character of the infringement (unintentional does not mean non-voluntary)
- Categories of personal data affected (e.g. in addition to data in Articles 9 and 10 GDPR, location data, data on private communication, national identification numbers, or financial data, such as transaction overviews or credit card numbers are cited as having potential to cause immediate damages or distress and attract greater weight to this factor)
These factors are interlinked and have to be considered as a whole. While no numeric ranges can be given for the above factors, as they are fact-specific in each case, the guidance provides three examples that are meant to guide the supervisory authority’s assessment (although it is somewhat difficult to draw out concrete principles from these examples).
To take the number of individuals who were actually or potentially affected by a GDPR breach as an example factor: when a data controller responds to DSARs late, the supervisory authority may assign a low level of seriousness to this breach when 50 out of 1,000 DSARs are being handled late and the delay is minor (only a few months). Whereas when 95,000 individuals could potentially be affected by a systemic failure within an organisation which allows wider than necessary access to their personal data (even if only 16 individuals were actually affected by this failure), the breach may be assigned a medium level of seriousness. For both examples the assessment is not based solely on one factor but takes into account the other factors set out above, such as the work done by an organisation to improve its compliance with the GDPR or the nature and purpose of the processing.
Depending on the level of seriousness, the supervisory authority will set a Starting Point Sum at a different percentage of the legal maximum determined under Article 83(4) – (6) GDPR:
Level of seriousness | Low | Medium | High
Starting Point Sum (proportion of the legal maximum*) | 0-10% | 10-20% | 20-100%
*under continuous review by the EDPB
(3) Potential reduction based on turnover
If an undertaking has a particularly small annual turnover, the supervisory authority may consider reducing the starting amount of the fine to a lower percentage of the sum calculated in Step 2, section (2), as per the table below. The supervisory authority is not obliged to reduce the starting sum and, even if it does, it may reduce the sum only partially.
Annual turnover (Euros) | Less than 2m | 2m-10m | 10m-50m | 50m-100m | 100m-250m | 250m-500m
Starting Point Sum (reduced to this % of the Starting Point Sum calculated for seriousness above) | 0.2% | 0.4% | 2% | 10% | 20% | 50%
Step 3: Consider mitigating and aggravating factors
The remaining aggravating and mitigating factors are set out in Articles 83(2)(c) – (k). These may even include significant socio-economic changes, such as the pandemic radically changing data processing.
Each of these factors has to be taken into account. There is no precise calculation attached to each factor (meaning that the increase or reduction of the fine may vary in each case) and the examples given in this section of the Guidelines are only illustrations. The variation range in the illustrations is 10%-40% increase or decrease.
Step 4: Check the sum against the legal maximum
Once all factors have been considered, the supervisory authority has to check that the Starting Point Sum does not exceed the legal maximum under Article 83(4) – (6) GDPR. Since for undertakings the legal maximum is the higher of the static amount (i.e. €10m or €20m) and the dynamic amount (i.e. 2% or 4% of the annual turnover), the supervisory authority has to calculate the turnover of the undertaking in the financial year preceding the fining decision (NB: not the year of the infringement or of a court decision).
Calculation of turnover
An “undertaking” is described in EU competition law as an economic unit regardless of the legal status of each entity in the unit or the way in which an economic activity is financed. The main criterion is “decisive influence” of one company over the other which is based on factual economic, organisational and legal links. Where a subsidiary is directly or indirectly wholly or almost wholly owned by the parent company, the rebuttable presumption is that the parent exercises decisive influence. Where a subsidiary is not wholly owned, the supervisory authority has to demonstrate both the ability to exercise and the actual exercise of decisive influence by the parent company.
The fine will be addressed to the breaching company and the supervisory authority has the option to hold the parent company jointly and severally liable for the payment of the fine.
Where the undertaking (including a parent company) has to prepare consolidated annual financial statements, the statements of the parent company reflect the combined turnover of the undertaking.
Step 5: Analyse effectiveness, dissuasiveness and proportionality
The calculation set out above is only a general guideline aimed at harmonising the approach of different supervisory authorities. In each case the key consideration has to be whether the particular fine is effective, proportionate and dissuasive, i.e. has a genuine deterrent effect.
Proportionality is reviewed against both the severity of the infringement and the size of the undertaking (i.e. the whole group, as set out above). In accordance with national law, in exceptional circumstances the supervisory authority may also reduce the fine if it would irreparably damage the undertaking.
A fine is considered effective where it re-establishes compliance with the rules, punishes unlawful behaviour or both. It is dissuasive if it discourages the wrongdoer and/or others from committing the same infringement. For these purposes, the supervisory authority may even set a multiplier for the fine.
Contrast with the UK and EU DPA approaches
UK ICO
The ICO issued its own draft guidance in 2020. While the Guidelines apply to current EU member states, the ICO guidance provides an overview of penalties under the UK GDPR. It follows a similar structure to the Guidelines and likewise considers the factors set out in Article 83(2) (Step 3 above) and the underlying principles of effectiveness, dissuasiveness and proportionality (Step 5 above). However, it splits infringements into four (not three) categories, assigns numerical values to different degrees of culpability and applies different proportions to the calculation of the starting sum. Furthermore, the ICO sets an early payment reduction of 20%, which the Guidelines do not provide for.
For full details on the original ICO guidance on calculation of fines please see our blog post here. This guidance has been updated with slightly simplified calculations for the public consultation that closed on 24 March 2022. Final publication is expected by the end of 2022.
Dutch Autoriteit Persoonsgegevens (AP)
Like the UK ICO, the AP also issued its own guidance in respect of its calculation of administrative fines in March 2019.
The Guidelines vary in a few key aspects from the Dutch AP’s existing policy. Firstly, the Guidelines place a more significant emphasis on the revenue of a business in determining the amount of the fine. Under the current AP policy, the AP only takes this into account at the end of the calculation; under the Guidelines it will instead be considered at the beginning. As a result, businesses will be able to see what amount will be used as a starting point (in Step 2 above) when calculating a fine for a business of their size. The Guidelines set out three categories of infringement on the basis of seriousness (low, medium and high), while the current AP rules do not split infringements into categories on that basis.
Another difference between the current AP guidance and the Guidelines is the use of numeric ranges in the process for calculating a fine. The current rules set out ranges of fines on the basis of the maximum fines that could be imposed under the GDPR and the category of infringement. In principle, the AP will determine the amount of the fine within the minimum and maximum amount of the range. In the new Guidelines, however, the range is intended to assist in determining the starting point for the calculation, rather than the final fine.
Finally, the Guidelines will only apply to fines issued to businesses, whereas the AP’s policy applies to fines issued to government organisations too. The AP is consulting on its continued approach to the calculation of fines that fall outside the scope of the Guidelines. The policy rules were intended to apply until EDPB guidelines were issued. However, the policy rules will need to be officially withdrawn and new policy rules referring to the (final) EDPB guidelines will have to be issued before the AP can apply the Guidelines.
German Data Protection Conference
In October 2019, the German data protection supervisory authorities released a concept paper on how to impose fines in proceedings against companies (Konzept der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder zur Bußgeldzumessung in Verfahren gegen Unternehmen [see link]). These concepts were applied in the first multi-million Euro GDPR fine against Deutsche Wohnen (read our blog for more details) (which was later invalidated). The “old” German fining approach will probably not be applied going forward. Although the new EDPB model is similar to the previous German approach, it gives authorities a bit more flexibility as it is less detailed on how the calculation is applied. However, the old approach had already established that using turnover as a starting point could lead to substantial fines for large multinational companies.
Our take
The Guidelines will allow organisations to better evaluate their risk for GDPR non-compliance. Although the Guidelines do not guarantee harmonisation of outcomes, they provide more detail than just the upper limit set out in the GDPR and are helpful for understanding what factors a supervisory authority would consider in determining the appropriate fine.
Even if the Guidelines do not obviously make the level of fines much more predictable, the suggested harmonisation of methodology across Member States should improve the transparency, and in theory consistency, of enforcement penalties. Note that if an organisation has processing activities covered by both the UK GDPR and the EU GDPR, it may be subject to enforcement actions from both the ICO and the EU supervisory authorities with different fines and calculation methodologies for each. The UK approach will be finalised once the ICO guidance is adopted, currently projected for the end of 2022.
A company may be fined in both the EU and the UK for the same conduct. Therefore, the company should argue that, at least when assessing the new Step 5 set out above, a UK fine would need to be factored in when calculating the EU fine in order to be in line with overall proportionality. Under the previous German model, courts already came to the conclusion that looking only at the undertaking’s revenue to calculate fines can lead to disproportionate fines; see, for example, the case where the Regional Court of Bonn cut a multimillion-euro GDPR fine by 90%.