On 14 October 2019, the German Conference of Data Protection Supervisory Authorities (DSK) issued guidelines on determining fines under the EU General Data Protection Regulation (GDPR). The guidelines are quite complex and raise a number of questions.
A four-step calculation
The guidelines set out four categories of undertakings – further divided into 20 sub-categories – based on total worldwide annual turnover.
For each sub-category, the guidance gives an average annual turnover figure. This is used to calculate a daily rate (average annual turnover divided by 360). Next, the daily rate is multiplied by a factor ranging from one (for very minor infringements) to 12 or higher (for very serious infringements), although fines are capped at 2 or 4 per cent of annual turnover (depending on the nature of the infringement).
Finally, the fine may be adjusted to reflect the concrete circumstances of the case, such as the degree of co-operation with the authority or the length of the proceedings.
A dubious reference to ‘group turnover’
The reference to ‘group turnover’ (made through the reference to Articles 101 and 102 TFEU in Recital 150) suggests that very high fines could be imposed for minor infringements, which surely can’t be right.
According to Article 83 of the GDPR – the key provision on fines – the reference point for the fine is ‘the undertaking’, not ‘undertakings’ or ‘a group of undertakings’. This suggests the legislator intended that a fine would apply to the particular infringing business rather than the wider group.
This makes even more sense when considering that GDPR infringements may only be committed by a data controller or processor acting as a single entity. Why then should fines be determined on the basis of the group turnover, which would include entities that are not involved in the data processing?
Furthermore, this competition law-like approach does not fit the GDPR system. Under competition law, fines are calculated based on group turnover to account for the fact that the parent company might have benefited from the infringement. This does not necessarily apply to GDPR infringements, which do not always result in commercial benefits for the controller or processor.
Questionable legal conformity
First, the guidelines do not seem to accord with the GDPR’s approach to fines.
The GDPR provides for a case-by-case assessment, following which fines are imposed depending on the circumstances of each case. But the guidelines introduce a de facto minimum fine by using average annual turnover to calculate the daily rate; the criteria listed in Article 83(2) of the GDPR are only considered as a last step, or not considered at all, depending on how close the daily rate (multiplied by the factor for the severity of the infringement) already is to the 2 or 4 per cent cap.
This methodology also does not comply with Article 83 of the GDPR, which refers to the undertaking’s turnover only when determining the maximum fine. Furthermore, the GDPR only distinguishes between formal and material infringements. Why, therefore, introduce another categorisation? Distinguishing between light, medium and heavy infringements brings neither clarity nor transparency.
Second, the guidelines do not appear to align with fundamental legal principles.
For example, under the German Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten), the maximum fine for companies is €10m. This applies regardless of the nature and gravity of the infringement. But according to the German GDPR fining model, fines may amount to millions of euros, even for relatively minor infringements. This could result in fines imposed under German law for a major criminal offence being lower than fines imposed for a minor data protection violation under the guidelines.
The German GDPR fining model raises a number of questions. Considering that the model does not apply to cross-border cases and is not supposed to be binding in other EU member states, it will be interesting to see how other data protection authorities address the topic as they wait for the European Data Protection Board to establish harmonised fining guidelines.