EU: EDPB guidelines on the calculation of administrative fines
The European Data Protection Board (EDPB) adopted a final version of its Guidelines 04/2022 on the calculation of fines under the GDPR (the Guidelines). The Guidelines are intended to complement Working Paper 253, which deals with the circumstances for deciding whether and how to impose a fine. Following public consultation, an annex was added with a reference table summarizing the methodology and featuring two examples of practical application. It is important to note that the table and examples are for illustration purposes only and have to be read in conjunction with the Guidelines.
Thorsten Ihler and Melanie Ludolph, from Fieldfisher, discuss five steps for the calculation of fines, explore the Guidelines' impact, and discuss potential challenges arising for companies.
The EDPB's steps for calculating fines
The EDPB maintained its five-step methodology previously included in the public consultation version of the Guidelines, composed of the following five steps for the calculation of fines:
- Step 1: Identifying the processing operations in the case and evaluating the application of Article 83(3) of the General Data Protection Regulation (GDPR).
- Step 2: Finding the starting point for further calculation based on an evaluation of:
- the classification in Article 83(4) to (6) of the GDPR;
- the seriousness of the infringement pursuant to Article 83(2)(a), (b), and (g) of the GDPR; and
- the turnover of the undertaking as one relevant element to take into consideration with a view to imposing an effective, dissuasive, and proportionate fine, pursuant to Article 83(1) of the GDPR.
- Step 3: Evaluating aggravating and mitigating circumstances related to past or present behavior of the controller/processor, and increasing or decreasing the fine accordingly.
- Step 4: Identifying the potential maximum fining frames for the relevant processing operations that allegedly infringe the GDPR (increases applied in previous or next steps cannot exceed this amount, see Chapter 6 of the Guidelines).
- Step 5: Analyzing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness, and proportionality, as required by Article 83(1) of the GDPR, and increasing or decreasing the fine accordingly if required.
Each step includes references to legal provisions, existing Court of Justice of the European Union (CJEU) case law, and practical examples. The final Guidelines have been expanded to include an annex with a reference table that helps to illustrate the methodology of calculating the fine, as well as two detailed examples of applying the Guidelines and the table.
First step: Sanctionable act(s)
Article 83(3) of the GDPR states that if 'a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.'
Therefore, the first step is essentially to determine whether there are one or more sanctionable acts (Chapter 3 of the Guidelines). The EDPB emphasizes that it is important to consider this on a case-by-case basis and gives an example of 'the same or linked processing operations' potentially constituting one and the same conduct. In the case of one conduct, it needs to be established whether or not this conduct gives rise to one or more infringements and, if so, whether the attribution of one infringement precludes the attribution of another infringement, or whether they are to be attributed alongside each other.
Second step: Initial amount of the fine
A key point highlighted in the Guidelines pertains to the establishment of the baseline for calculating the fine, known as the 'starting point.' Establishing a harmonized starting point for further calculation is based on the following three elements:
- the classification in Article 83(4)-(6) of the GDPR (i.e., whether the infringement is punishable by a maximum fine of €10 million or 2% of the undertaking's global annual turnover, or by a maximum fine of €20 million or 4% of that turnover);
- the seriousness of the infringement pursuant to Article 83(2)(a), (b) and (g) of the GDPR. Depending on the established level of seriousness of the infringement, the supervisory authority will determine the starting point for further calculation of the administrative fine as a percentage of the maximum fine (low level of seriousness: 0-10%, medium: 10-20%, high: 20-100%); and
- the turnover of the undertaking as one relevant element to take into consideration with a view to imposing an effective, dissuasive, and proportionate fine, pursuant to Article 83(1) of the GDPR.
Furthermore, the EDPB states that it will follow the requirements of Article 83 of the GDPR, the GDPR as a whole, and CJEU case law, which holds that the turnover of an undertaking can constitute an indication of its size and economic power. To facilitate the determination of fines, the Guidelines introduce various turnover bands for undertakings. The thresholds for these bands have been changed compared to the consultation version. For instance, for undertakings with an annual turnover of under €2 million, supervisory authorities may reduce the starting point identified in the preceding steps to as low as 0.2% of that amount, whilst for organizations with a turnover between €100 million and €250 million, the identified starting amount might be adjusted to between 15% and 50% of the initial sum.
Additionally, a new category is included for undertakings with an annual turnover exceeding €500 million. In such cases, the supervisory authorities may consider calculating the fine without any adjustment of the identified starting point.
Third step: Mitigating or aggravating circumstances
Mitigating circumstances include any measures taken to limit the harm to the data subjects (using the criterion set out in Article 83(2) of the GDPR). In this respect, measures taken before the knowledge of the administrative investigation have more weight. Nevertheless, subsequent conduct is also relevant, as the degree of cooperation with the supervisory authority to bring the infringement to an end and the mitigation of the possible adverse effects of the infringement are also taken into account in the balancing exercise. For example, previous breaches by the data controller or data processor are considered aggravating circumstances. It is also beneficial to notify the breach on one's own initiative, before the breach becomes known to the supervisory authority, for example through a complaint or an investigation (Chapter 5 of the Guidelines).
Fourth step: Identifying the relevant legal maximum
In this step, it is decided whether the static (€10 or €20 million) or dynamic (2 or 4% of the annual turnover) upper limit for the fine is to be applied. According to the wording of Article 83(4) and (5) of the GDPR, the higher amount must be applied. The dynamic cap, therefore, applies to undertakings with a total annual turnover exceeding €500 million, since 2% of €500 million amounts to €10 million, and 4% of €500 million amounts to €20 million. Chapter 6 of the Guidelines also contains explanations on the concept of an undertaking, which is essentially based on Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU).
Fifth step: Individual readjustment
The final step (Chapter 7 of the Guidelines) requires supervisory authorities to verify that the fine imposed is effective, proportionate, and dissuasive in each individual case, or whether adjustments are needed:
- Effectiveness: A fine generally is considered effective if it achieves the objectives for which it was imposed (e.g. re-establishing compliance with the rules, punishing unlawful behavior, or both).
- Proportionality: This requires that measures adopted do not go beyond what is appropriate and necessary to attain the objectives pursued by the law in question. Where there are several appropriate measures, the least onerous ones that cause the least disadvantages must be pursued. Supervisory authorities may, in exceptional cases, consider further reducing the fine based on an inability to pay, taking into account the economic viability of the concerned undertaking, proof of value loss, and specific social and economic context.
- Dissuasiveness: A fine must have a genuine general deterrent effect (i.e. discouraging others from committing the same infringement in the future) and a specific deterrent effect (i.e. discouraging the recipient of the fine from committing the same infringement again). The amount of a fine may be increased if the supervisory authority determines that the amount is not sufficiently dissuasive.
The impact of the Guidelines and outlook
As currently drafted, the Guidelines may facilitate a proportionate approach to fines for companies with lower turnovers. However, they raise a number of issues of concern for data controllers and data processors subject to the GDPR that are part of business groups with large global turnovers. The methodology aims to establish a uniform approach to enforcement penalties across supervisory authorities, to increase transparency and consistency in the calculation of fines, and to move towards a convergence of average penalties. Of course, it is to be appreciated that the EDPB is endeavoring to harmonize the assessment of fines and, at the same time, to create transparency. In fact, the EDPB aims to harmonize the starting points and the methodology for calculating a fine, but not the outcome. A precise mathematical calculation of the expected fine based on the Guidelines is not possible, and for good reason. The Guidelines consistently emphasize that the calculation of a fine is 'no mere mathematical exercise' and that a case-by-case analysis is required to calculate the final amount. The EDPB underlined this point again after the public consultation on the Guidelines. However, since the EDPB's concept ultimately depends on a case-by-case assessment, the harmonization effect will probably be limited.
The subject of fines is still a work in progress - as many things have been since the GDPR was introduced. The practice of imposing fines varies widely within the EU. If one looks at statistics and follows the press releases of the national supervisory authorities, most fines come from countries such as Spain and Italy. Other national regulators, such as the French Data Protection Authority (CNIL), the Data Protection Commission (DPC) in Ireland, or the National Commission for Data Protection (CNPD) in Luxembourg, stand out because they have imposed few but extremely high fines on well-known tech giants.
In 2019, the German supervisory authorities presented a system that defined annual turnover as the most important criterion and was therefore more predictable. For this same reason, the system left too little leeway for an examination of individual cases, which is why the authorities were defeated by a judicial review of their system. On November 11, 2020, the Bonn Regional Court rendered a verdict rejecting the system and subsequently reduced the fine, originally determined using this approach, to one-tenth of the initial amount.
The court's major criticism revolved around two key points:
- the primary concern was the fundamental emphasis on a company's turnover in the assessment of the fines, which was deemed problematic; and
- that this type of calculation may be disproportionate, as it is too abstract, particularly in extreme cases (e.g., a low-turnover company facing a serious infringement, or a high-turnover company facing a minor infringement). In such situations, it was emphasized that the offence-related assessment criteria outlined in Article 83(2)(2) of the GDPR should take precedence over considerations related to turnover.
The EDPB's calculation concept, akin to the approach of the German supervisory authorities, places a significant emphasis on turnover. However, when determining the starting point for the calculation of the fine, it takes the seriousness of the infringement into account much more prominently than the German concept did. In addition, the EDPB's concept grants supervisory authorities wide discretionary powers to deviate from the standard concept where necessary to impose appropriate and dissuasive fines. This flexibility may result in fines that are higher rather than lower, particularly since the basic penalty amounts for infringements are generally elevated.
Another highly controversial question is how to determine liability in the context of imposing fines. The Berlin Court of Appeal has brought a preliminary ruling procedure before the European Court of Justice (ECJ), in which it is to be clarified under which conditions a fine can be imposed on companies at all. The question is whether individual decision-makers have to act in a culpable manner, or whether an objective breach of GDPR requirements is sufficient. In its Guidelines, the EDPB assumes direct and autonomous corporate liability. This would mean that national concepts within Member States that oppose direct corporate liability may be incompatible with the GDPR. This point is particularly relevant for fining proceedings in Germany, as the German Act on Regulatory Offences 1987 (OWiG) explicitly provides for corporate liability only if the undertaking's management is directly and personally culpable (Sections 30 and 130 of the OWiG). The German data protection supervisory authorities consider these regulations inapplicable in relation to GDPR fines, a stance now adopted by the EDPB as well. According to the EDPB, a corporate fine does not depend on conduct that is imputable to individual natural persons, such as members of the company's management.
While the Guidelines are not legally binding, they carry persuasive weight and are expected to wield significant influence in the application of fines across the EU. Until the ECJ's decision, organizations should continue to carefully examine all arguments to defend themselves against fining decisions based on corporate liability. Nevertheless, it's important to note that the Guidelines have already set the foundational principles for the practical imposition of fines. Consequently, organizations must factor these principles into their assessments of potential infringements and associated financial risk.
Thorsten Ihler Partner
Melanie Ludolph Associate
Fieldfisher, Hamburg