The European Data Protection Board (‘EDPB’), composed of representatives of the EU national data protection authorities, has drafted new guidelines on the calculation of fines in case of non-compliance with the General Data Protection Regulation (‘GDPR’). These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines, dating from 2016, which focus on the circumstances in which a fine is to be imposed.
The proposed guidelines are not yet final. At this moment, they are still open to comments from parties having an interest in their adoption. Until 27 June 2022 these parties can submit suggestions to amend the guidelines before the EDPB adopts the final version.
Purpose
The purpose of these new proposed Guidelines is to make sure that national Data Protection Authorities calculate fines in a more harmonized way. Currently, the calculation of the amount of the fine is at the discretion of the national supervisory authority, subject to the rules provided for in the GDPR. The amount is based on a specific evaluation carried out in each case, within the parameters provided for by the GDPR, such as the seriousness of the infringement, the character of the infringing party and a set of maximum amounts relating to the specific categories of infringements.
Five step methodology
Taking the foregoing into account, the EDPB proposes a methodology for calculating administrative fines for infringements of the GDPR. This methodology consists of five steps that need to be followed in order to arrive at the amount of a fine:
- the processing operations in the case must be identified and the application of Article 83(3) GDPR needs to be evaluated, meaning the (extensive) list of circumstances which need to be taken into account when deciding whether or not to impose a fine and when deciding on its amount;
- the starting point for the further calculation of the fine must be determined. This is done by evaluating the classification of the infringement in the GDPR, evaluating the seriousness of the infringement in light of the circumstances of the case, and evaluating the turnover of the undertaking;
- the evaluation of aggravating and mitigating circumstances related to past or present behavior of the controller/processor, increasing or decreasing the fine accordingly;
- identification of the relevant legal maximums for the different infringements. Increases applied in previous or subsequent steps cannot exceed this maximum amount;
- analysis of whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality, which form an important part of Article 83 GDPR, the article that forms the basis for imposing fines. The fine can still be adjusted according to these principles, however without exceeding the relevant legal maximum.
At the moment, each national Data Protection Authority uses its own rules when imposing fines. The harmonization of the calculation of these fines, by introducing a methodology to be used by all Data Protection Authorities, should lead to more legal certainty for the companies and individuals that could be confronted with a fine. The idea is that fines will be calculated identically in all countries of the European Union. It should also simplify the review by another Data Protection Authority when it is involved in a pan-European investigation.
Difference with current guidelines
The proposed guidelines differ from the current guidelines[1] of the Dutch Data Protection Authority (DDPA) in three ways:
- The size of a company will play a more dominant role in the determination of the fine. Currently, the DDPA takes the size of a company into account only at the end of the determination of the fine. Under the proposed guidelines this will take place at the beginning of the process. Companies should thus be able to see which amount will be taken as the starting point for the calculation of a fine for an infringement committed by a company of a similar size.
- The proposed guidelines introduce three categories for the seriousness of the infringement: low, medium and high. At the moment, the DDPA looks at the seriousness of the infringement in determining the fine, but without applying a category. Under the proposed guidelines a different starting amount applies for each of these categories.
- Under the proposed guidelines a bandwidth will be used to determine the starting amount of the fine, whereas currently the bandwidth is used to fix the final fine within that bandwidth. The bandwidth is related to the seriousness of an infringement. In case of a low level of seriousness the supervisory authority will determine the starting amount for further calculation at a point between 0 and 10% of the applicable legal maximum. In case of a medium level of seriousness this will be between 10 and 20%, and between 20 and 100% in case of a high level of seriousness. After the determination of the bandwidth, the authority has to see whether there are any reasons to increase or decrease the fine.
As is currently the case, fines may amount to 20 million euro or four (4) percent of the worldwide turnover of a company.
The new guidelines only apply to companies. The reason is that not all Data Protection Authorities within Europe may impose fines on state institutions. However, the DDPA can. So the question is whether the DDPA will also apply any new guidelines to state institutions.
The proposed guidelines aim to give companies more certainty in relation to the imposition of fines by the national supervisory authorities. For companies operating in several countries within the EU this could certainly be the case. Whereas the current guidelines for fines are determined by the national authorities, this is now harmonized by guidelines applying throughout the European Union. However, the guidelines still leave room for national authorities to deviate from one another. The list of circumstances to be taken into account when deciding whether or not to impose a fine at all is still numerous. Also, the bandwidths, especially for a high level of seriousness, are very broad, as are the possibilities to increase or decrease the fines. Therefore it remains to be seen whether these proposed guidelines will lead to more legal certainty for companies confronted with a fine.
[1] https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/stcrt-2019-14586_0.pdf