Germany: Are companies in Germany now facing fines in the millions?
On 14 October 2019, the German Data Protection Conference ('DSK') published its future concept for the determination of fines for violations of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')1. The aim of the concept is to guarantee a consistent level of penalties set by German supervisory authorities in proceedings against companies. Dr. Karsten Krupna, Partner at krupna LEGAL, provides an overview of the scope of application and binding effect of the DSK's concept for the calculation of fines and its content, as well as the possible effects of fines and an outlook on the possible consequences for business practice.
Compared to other European countries, the German data protection supervisory authorities have so far been considered very moderate in imposing fines. While the Portuguese data protection authority has imposed a fine of €400,000 and the French data protection authority imposed a €50 million fine, the British Information Commissioner's Office recently sanctioned a data protection violation with more than €200 million. In contrast, in Germany, since 2018, fines with a total volume of €485,490 have been imposed within one year. According to the 'Welt am Sonntag' of May 2019, this amount is based on the information provided by the supervisory authorities from 15 of the 16 federal states. Based on the total amount mentioned above, the average fine imposed in Germany is around €6,000. With these amounts, it is not surprising that the German supervisory authorities have been considered moderate in a European comparison. As far as can be seen, the fact that the application of the framework for setting fines in Germany was perhaps also based on a different self-image of official practice was not discussed.
Whether a possible misunderstanding between the media perception and the authorities' self-image was also a reason for the step taken by the DSK cannot be determined. The calculation of the fine focuses on the turnover of a company. The DSK considers this as a 'suitable, adequate, and fair starting point for ensuring effectiveness, proportionality, and dissuasion2.' For the potentially affected companies, however, the main question arises as to what consequences are to be expected with regard to the level of future fines. In October 2019, the Berlin data protection authority imposed a fine of around €14.5 million on a real estate company. Compared to the aforementioned annual amount from the survey result, this represents an increase of approximately €14 million due to only one case. Is this a foretaste of the new fining practice in Germany?
Scope and binding effect of the DSK concept
The concept of the DSK only applies in fine proceedings against companies. Therefore, it is not applicable to fines imposed on 'associations or natural persons outside their economic activity.' Finally, the concept has no binding effect on cross-border cases, other data protection authorities in the EU, or the courts3.
Determination of the fine on the basis of the DSK concept
The central starting point for the concept of the DSK is the previous year's turnover of the respective company. This is based on the controversial and therefore broad concept of a company, in line with Recital 150 of the GDPR. The fine will then be determined systematically in the following five steps:
1. the company concerned is allocated to a size class on the basis of its turnover;
2. the average annual turnover for this size class is ascertained;
3. an economic basic value is calculated;
4. a factor for the seriousness of the violation is determined, which is multiplied by the previously ascertained basic value; and
5. the result determined under (4) is adjusted on the basis of other circumstances speaking for and against the company concerned, insofar as these were not yet taken into account in the previous determination.
In detail, the methodology applies as follows.
Categorisation of companies by size class
Firstly, the company is allocated to one of four size classes on the basis of an annual turnover table. Within a range of up to €2 million for micro companies ('A'), the table further classifies between small companies ('B'), medium-sized companies ('C'), and large companies ('D'). D companies are defined as those with an annual turnover exceeding €50 million.
If the class size is defined as a 'rough framework,' a more detailed division into subgroups is made within each class. In the case of A companies, i.e. companies with an annual turnover of up to €2 million in the previous year, for example, there are three subgroups, which are described as follows:
- subgroup 1 ('A.I'): previous year's turnover up to €70,000;
- subgroup 2 ('A.II'): previous year's turnover between €70,000 and €1.4 million; and
- subgroup 3 ('A.III'): previous year's turnover between €1.4 million and €2 million.
If, for example, the company concerned had a turnover of €900,000 in the previous year, it must be allocated to size class A and then to subgroup A.II.
By contrast, the largest class, D, contains seven subgroups. These range from a previous year's turnover between €50 million and €75 million, which is subgroup D.I, to the last subgroup D.VII, in which companies with a previous year's turnover of more than €500 million are classified.
Determination of the average annual turnover of the corresponding subgroup
In the second step, the average annual turnover of the subgroup in which the company was classified is determined.
The subgroups for the size class of micro companies are then given the following average annual turnover:
- subgroup A.I: €350,000;
- subgroup A.II: €1,050,000; and
- subgroup A.III: €1.7 million.
Within each size category, A. to D., an average annual value is thus determined for the respective subgroup. There is only one exception for the subgroup D.VII, because from an annual turnover of more than €500 million, the percentage fine of 2% or 4% of the annual turnover is taken as the maximum limit, so that for the respective large enterprise a calculation is made on the basis of the actual turnover.
Calculation of the basic economic value
Based on the average annual turnover of the subgroup, the 'basic economic value' of the company is now calculated by determining a daily rate. For this purpose, the average annual turnover ascertained for the company concerned is divided by 360 (days).
The following daily rates are then calculated for the subgroups for the size class of A companies:
- subgroup (A.I): €972;
- subgroup (A.II): €2,917; and
- subgroup (A.III): €4,722.
By comparison, the daily rate for a company in subgroup D.VI is already €1.25 million. The calculation for the strongest subgroup, in terms of annual turnover, D.VII, is once again special. As in the determination of the average annual turnover, the daily rate is also determined here on the basis of the actual turnover.
Multiplication of the basic value by the seriousness of the violation
In the fourth step, the previously determined daily rate is now multiplied by a factor that is intended to reflect the seriousness of the violation. For this purpose, the seriousness of the accusation is firstly determined for the individual case on the basis of the criteria under Article 83 (2) of the GDPR. The degree of seriousness of the violation is classified in the categories 'minor,' 'medium,' 'serious,' and 'very serious.' For the degree of seriousness, a factor is then ascertained from a table by which the basic value is multiplied. Within the table or, ultimately, in the choice of the multiplication factor, a distinction is made between formal violations according to Article 83 (4) of the GDPR and material violations according to Article 83 (5) and (6) of the GDPR.
If the degree of the offence is assessed as 'serious,' the following multiplication factors result, for example:
- formal violations: 4 to 6; and
- material violations: 8 to 12.
However, in the case of a material and very serious violation, there is no clear limitation of a factor. Moreover, the factor to be multiplied is at least 12, although in this case the factor may not be arbitrarily determined. In any case, the limit is set by the individual case related fine framework.
Adjustment of the determined fine
The completion of the calculation methodology for the framework of fines is probably the most interesting step in practice. In this last step, the previously calculated amount of the fine is adjusted on the basis of all circumstances that speak for and against the company concerned, insofar as these have not previously been taken into account when classifying the degree of seriousness and determining the multiplication factor. According to the concept of the DSK, this includes 'in particular all circumstances relating to the violator (cf. the catalogue of criteria of Article 83 (2) of the GDPR) as well as other circumstances, such as a long duration of the proceedings or an imminent insolvency of the company.'
After this adjustment, the fine is fixed in accordance with the concept.
Expected effects on the determination of fines in Germany
The turnover-oriented concept of the DSK is comparable to the Federal Cartel Office ('Bundeskartellamt') guidelines for the determination of fines in antitrust proceedings4, which, as is well known, leads to high fines in cartel law. In this tendency, it is to be feared that companies with high turnover in particular will have to expect significantly higher fines. This is at least the case if no significant corrections are made by adjusting the basic value, in step No. 5. The calculation of the daily rate in steps No. 1 to No. 3, and the multiplication factor to be determined in the fourth step of the concept of the DSK, mean that even minor formal violations may result in fines in the millions for companies with high turnover. It is questionable whether, and how in practice, a previously calculated fine in the millions can still result in a fine of €100,000, for example, by means of a correction in step No. 5. In any case, it is to be feared that, despite the possible adjustment, the amount determined in steps No. 1 to No. 4 will at least have a certain 'anchor effect' for the calculation of the final fine. However, it may be assumed with regard to the aim of the concept, that this anchor effect was intended.
Consequences for practice
In general, it can be expected that the German data protection authorities will no longer be considered to be moderate in setting the level of fines in the future. Instead, companies will have to be prepared for higher fines, as the most recent fine of €14.5 million imposed in Berlin shows. Should a company come into the focus of a supervisory authority, a cooperative and solution-oriented collaboration is recommended in any case. This is, on the one hand, because, according to the law and in the spirit of improving data protection practice, the supervisory authority does not have to impose a fine at all. On the other hand, constructive cooperation allows the supervisory authority to reduce the level of fines.
However, due to the various open aspects in connection with the fine concept of the DSK, it can also be assumed that German courts will increasingly deal with the determination basis and the proportionality of a fine. In particular, it will have to be clarified whether the previous year's turnover of the company should be a relevant point of reference and whether, despite Recital 150 of the GDPR, an antitrust law definition of a company according to Article 101 and Article 102 of the Treaty on the Functioning of the European Union should be applied. The question also arises as to how the average annual turnover is to be determined for companies which have no turnover from the previous year.
Irrespective of the expected practice of determining fines and the legal questions regarding the fine concept, companies may also attempt to use the DSK's provisions for their own purposes. Thus, the concept could be used in the future to carry out their own risk evaluation under data protection law with regard to potential fines in a more substantiated manner and without the general reference to the maximum percentages or amounts in the millions mentioned in Article 83 of the GDPR. Violations in the company identified by internal data protection audits could rather, in line with the concept, at least roughly be determined and summarised by potential fines. In this way, the management is in any case given a somewhat more concrete picture of the potential financial risks. This basis could also facilitate the prioritisation of necessary data protection measures and the calculation of any provisions.
The DSK concept can even be taken into account in company acquisitions. For example, the buyer can use the concept to assess the data protection violations identified in the course of due diligence at the target, justify the resulting risks more transparently to the seller, and finally, negotiate the identified potential risks of a fine, e.g. within the scope of the purchase price. In the sense of a more concrete evaluation basis, insurers are also likely to be interested in using the concept when developing their products.
Dr. Karsten Krupna
krupna LEGAL, Hamburg
1. Concept of the independent German federal and state data protection authorities for the determination of fines in proceedings against companies, available in German at: https://www.datenschutzkonferenz-online.de/media/ah/20191016_bußgeldkonzept.pdf
2. Own translation by the author.
3. Concept (fn. 2), p. 1.
4. Bundeskartellamt, Leitlinien für die Bußgeldzumessung in Kartellordnungswidrigkeitenverfahren of 25 June 2013, available at: https://www.bundeskartellamt.de/SharedDocs/Publikation/DE/Leitlinien/Bekanntmachung%20-%20Bußgeldleitlinien-Juni%202013.pdf?__blob=publicationFile&v=5