The EDPB (European Data Protection Board) has published new draft guidelines on how to calculate fines for GDPR (General Data Protection Regulation) violations.
Much of the discussion surrounding the GDPR has centred on the disciplinary powers it gives to regulators, with the most severe infractions being subject to fines of up to €20 million or 4% of the organisation’s annual global turnover, whichever is greater.
In the four years since the Regulation took effect, the EDPB has noticed a lack of consistency in the way fines are handed out.
A report by our sister company found that 429 GDPR fines were issued in 2021, resulting in penalties totalling €1,098,942,386.84.
However, many of these penalties came from a handful of supervisory authorities. Spain’s Agencia Española de Protección de Datos, for example, is responsible for 175 (with fines totalling €27,191,800), while Italy’s Garante per la protezione dei dati personali handed out 60 fines (totalling €45,937,495).
Meanwhile, the only fine issued by Luxembourg’s data protection authority was a €746 million penalty levied against Amazon.
By contrast, the UK has only levied 3 fines, accounting for €625,800, and several countries have issued no penalties whatsoever.
The EDPB’s new guidelines attempt to harmonise the way penalties are issued with a five-step methodology for calculating fines.
What are the current rules?
Article 83 of the GDPR states that supervisory authorities must impose administrative fines on a case-by-case basis, ensuring that each penalty is effective, proportionate and dissuasive.
When determining the size of the fine, the authority must account for the circumstances of the breach, note whether the infringement was intentional or negligent, and account for any previous violations by the organisation.
Fines must not exceed the maximum allowable under the GDPR. This refers not only to the much-discussed €20 million figure; rather, the Regulation splits its maximum penalties into two tiers.
Organisations face a maximum penalty of €10 million or 2% of their annual global turnover for infringements related to Articles 8, 11, 25–39 and 41(4)–43.
The upper limit of €20 million or 4% of an organisation’s annual global turnover is reserved for infringements related to:
- The basic principles for data processing (Articles 5, 6, 7 and 9);
- Data subject rights (Articles 12–22);
- Personal data transfers to a third country or an international organisation (Articles 44–49);
- Provisions relating to specific processing situations (Chapter 9);
- Failure to give a supervisory authority the access it needs to conduct an investigation (Article 58(1)) or non-compliance with its enforcement orders (Article 58(2)).
The five-step methodology
The EDPB has created the following five-step process for calculating administrative fines.
1. Identify the processing operations and evaluate the application of Article 83(3) of the GDPR
The supervisory authority should consider the actions and errors that breached the GDPR. Article 83(3) states that if the same or linked processes result in multiple GDPR violations, the total administrative fine cannot exceed the maximum amount that applies to the most serious infringement.
Additionally, the supervisory authority must determine whether the circumstances surrounding the breach should be considered as one or multiple errors.
If it was a single error, the supervisory authority must decide whether the action resulted in multiple GDPR breaches. If that’s the case, the authority must then consider whether it would be lawful to fine the organisation twice for the same offense.
2. Find the starting point for calculating the fine
To find a rough estimate for the fine, the supervisory authority must consider three elements.
First, the authority must assess whether the infringement falls within the GDPR’s lower or higher tier of fines.
Second, it must assess the circumstances of the breach, such as the categories of personal data that were affected.
Third, it must review the organisation’s annual global turnover. The EDPB notes that fines should be dissuasive, which means that the scale of the penalty should be proportionate to the organisation’s income.
3. Evaluate whether aggravating or mitigating circumstances apply
Now that the supervisory authority has a baseline for calculating a fine, it must review the specifics of the infringement to determine whether the penalty should be raised or lowered.
The GDPR lists several aggravating and mitigating circumstances in Article 83(2), which include actions taken by the organisation to address the damage.
4. Identify the maximum fine that can be issued
The maximum penalty will depend on whether the infringement falls within the GDPR’s lower or higher tier – which the supervisory authority will have already identified in step two.
Under the GDPR, the maximum fine is whichever is greater of an absolute sum (€10 million for the lower tier and €20 million for the higher tier) or a percentage of the organisation’s annual global turnover (2% or 4%).
The EDPB’s guidance clarifies how annual global turnover should be calculated. It emphasises the concept of ‘undertaking’, which is based on the economic, legal and organisational links between the parent company and its subsidiary.
This includes the level of participation between the two, the personnel or organisational connections and the existence of company contracts.
5. Analyse whether the calculated final amount meets the GDPR’s requirements
In this context, the GDPR’s requirements refer to the effectiveness, dissuasiveness and proportionality of the fine.
If the supervisory authority believes that one or more of these factors hasn’t been adequately addressed, it is entitled to adjust the fine. However, the penalty cannot exceed the relevant legal maximum.
What happens next?
The EDPB’s draft guidance is currently open for public consultation. Stakeholders can submit feedback until 27 June 2022, after which the EDPB is expected to adopt its final guidelines.
You can learn more about how the GDPR’s requirements affect your organisation with our expert resources.
Whether you’re looking for a little guidance or you’d like a dedicated consultant, we offer a range of services that can be tailored to meet your needs.
Our team of experts is on hand to help you at any stage of your GDPR journey. You can learn more about our services on our website or by speaking to one of our experts.