The European Data Protection Board (EDPB) published the final version of its Guidelines on the calculation of fines under the EU’s General Data Protection Regulation (GDPR) on 7 June 2023. The Guidelines aim to further harmonise fining practices across the EU and were adopted by the EDPB following a public consultation launched in 2022 on a draft version.
The way GDPR fines are calculated is of great practical importance to businesses, particularly given the high fines that may be imposed by data protection authorities (DPAs). The risk of a fine has also increased as DPAs make ever greater use of their powers to issue fines. 2022 was a record year for GDPR fines.
As explained further below, for some breaches DPAs may issue fines of up to 4% of the undertaking’s annual global turnover or €20m (whichever is higher). This is one of the reasons why ensuring compliance with the GDPR has been a top priority for organisations since the GDPR became applicable in 2018.
Besides describing how fines are calculated by DPAs in the EU, the Guidelines also provide helpful insights on how businesses may reduce the level of any fine.
The five-step calculation methodology – How does it work?
The Guidelines present a five-step method for calculating fines:
First, the DPA must identify the relevant processing operations and determine whether the case involves multiple sanctionable conducts and multiple infringements. The application of fines to each situation can then be assessed based on detailed rules set out in the Guidelines, which explain how in some cases the total fines imposed may exceed the legal maximum set for the gravest single infringement.
Second, the DPA sets a starting point for the calculation of the fine. This is intended to serve as a benchmark for the DPA and a variety of circumstances may reduce or increase this starting point:
- The DPA must first identify whether each infringement is subject to the lower or higher level of GDPR fines. The GDPR differs between infringements which are subject to a maximum fine of €10m or 2% of the undertaking’s annual global turnover and other infringements which are subject to a maximum fine of €20m or 4% of the undertaking’s annual global turnover. An ‘undertaking’ in this context can include a single economic unit, regardless of how many legal persons comprise it. All members of a group of companies may form a single undertaking.
- The DPA then determines whether the infringement is of a low, medium or high level of seriousness. The assessment should consider the nature, gravity and duration of the infringement, whether the infringement was negligent or intentional, and the categories of personal data affected by the infringement. The Guidelines suggest that the starting point for further calculations should usually be determined within a range of 0–10% of the applicable maximum value for a low level of seriousness, a range of 10–20% for a medium level of seriousness, and a range of 20–100% for a high level of seriousness.
- In order to determine a proportionate and effective fine, the global annual turnover of the undertaking in the last fiscal year should also be factored in. The Guidelines set out suggestions for adjustments to the starting amount based on the turnover of the relevant undertaking (with potentially significant reductions specified for those with turnovers under €500m). The indicative range of adjustments is more prescriptive in the final 2023 version of the Guidelines than in the 2022 draft. However, DPAs are not required to follow those suggestions. The EDPB expects DPAs to use a different basis where necessary to ensure effective, dissuasive and proportionate fines.
Third, the DPA should consider aggravating or mitigating factors that are not already accounted for in step two. These include, among others:
- Any action taken by the business to mitigate the damage suffered by affected individuals.
- Any relevant previous infringements.
- The degree of cooperation with the DPA.
- The way the infringement became known to the DPA.
A number of the factors relate to actions taken by the relevant business following the infringement becoming known. For example, businesses that have identified breaches of the GDPR should initiate appropriate and effective mitigating measures as soon as possible. To help prove that adequate measures were implemented, it is recommended that businesses carefully document all such measures.
Fourth, the DPA must verify that the fine does not exceed the legal maximum of 2% or 4% of the undertaking’s global annual turnover or €10m or €20m, depending on the type of infringement.
The fifth step is to determine whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality, and make adjustments if not. The Guidelines explain that a variety of factors, including whether the fine may jeopardise the viability of a business, can be taken into account.
What will change for businesses?
Following a discovered infringement that may give rise to the risk of a fine, businesses throughout the EU might benefit from the enhanced transparency and harmonisation provided by the Guidelines to help guide their response and engagement with DPAs. For example, the Guidelines state that:
- DPAs should at least set out the factors which led to the determination of seriousness, turnover and mitigating or aggravating factors.
- DPAs have discretion to determine that certain types of infringements will be punished by a predetermined fixed fine (provided that does not hamper the application of the GDPR nor its cooperation and consistency mechanisms).
The Guidelines also include illustrative examples of how they may be applied in practice.
However, the Guidelines are complex and only intended to provide a harmonised starting point for calculating fines, not to align all outcomes.
Businesses will remain unable to precisely calculate a fine in advance or to easily put a ‘price tag’ on a particular violation. This is due to factors such as:
- The vast range of starting points for fines suggested by the Guidelines, particularly for large undertakings and serious infringements.
- Variations in local laws and practices, such as when EU states have exercised their rights to set different maximum levels of fines for public bodies.
- The calculation of fines remains inherently a subjective exercise.
- DPAs have considerable discretion when setting fines, including when considering aggravating or mitigating factors (see the extensive list in Article 83(2) GDPR and the Guidelines) and other circumstances of the case.
- DPAs are not obliged to follow all five steps if they aren’t appropriate in a particular case, nor to provide reasoning on aspects of the Guidelines that aren’t applicable.
What’s next?
The EDPB has pledged that the Guidelines will remain under constant review.
Businesses should anticipate that the Guidelines and how fines are calculated by DPAs will continue to evolve as the EDPB and DPAs gain further experience.