The EDPB guidelines are intended to create a single harmonised methodology to be used by the supervisory authorities (SAs) when calculating the amount of a GDPR fine. The guidance also documents practical examples to facilitate organisations in their understanding of how the calculation method can be applied with consistency.
The guidelines define a five-step methodology for calculating administrative fines. The EDPB stresses that this methodology is not a form of automatic calculation: the calculation of a fine remains at the discretion of the supervisory authority and subject to the rules laid down in the GDPR.
Step 1: Identifying the processing operations in the case and evaluating the application of Article 83(3) of the GDPR
According to Article 83(3) of the GDPR, “If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.”
At this step, SAs need to consider what conduct the fines relate to and whether concurrent infringements have taken place. Drawing on the case law of the CJEU, the guidelines distinguish three categories under which a case may fall:
- Concurrence of offences;
- Unity of action;
- Plurality of actions.
The categorisation of the case at hand influences the way the fine is calculated.
Example: In a “unity of action” case, the total fine is capped at the legal maximum applicable to the gravest infringement, whereas in a “plurality of actions” case separate fines may be imposed for each conduct, each subject to its own legal maximum.
Step 2: Finding the starting point for further calculation of the fine amount
Under the GDPR, two categories of infringement may serve as the starting point for the further calculation of the fine:
- Infringements punishable under Article 83(4) of the GDPR (a fine of up to €10 million or 2% of the undertaking’s annual turnover, whichever is higher);
- Infringements punishable under Article 83(5)-(6) of the GDPR (a fine of up to €20 million or 4% of the undertaking’s annual turnover, whichever is higher).
When evaluating the seriousness of the infringement, the facts and circumstances must be taken into consideration, including:
- The nature, scope or purpose of the processing;
- The number of data subjects affected and the level of damage suffered by them;
- The nature, gravity and duration of the infringement;
- The categories of personal data affected;
- Whether the affected data subjects can be directly identified;
- The character of the infringement (negligent or intentional).
By assessing these factors, the SA determines the seriousness of the infringement as a whole. The starting amount of the fine is then set within the following ranges:
- 0 to 10% of the legal maximum for infringements of a “low” level of seriousness;
- 10% to 20% of the legal maximum for “medium” level infringements;
- 20% to 100% of the legal maximum for “high” level infringements.
In general, the more serious the infringement under each of these categories, the higher the starting amount of the fine. The SAs can also use a tiered approach to determine the starting amount by taking into account the size of an undertaking and setting thresholds based on annual turnover.
Step 3: Aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly
The EDPB advises that SAs must take into account, within their margin of discretion, the aggravating and mitigating factors listed in Article 83(2) of the GDPR. These may include:
- Technical and organisational measures taken by the controller or processor to mitigate the damage suffered by data subjects;
- Any relevant previous infringements by the controller or processor, their timing and their subject matter;
- The degree of responsibility of the controller or processor for the infringement;
- The manner in which the SA became aware of the infringement (complaint, SA investigation, or notification by the controller or processor);
- The extent to which the controller or processor cooperated with the SA to remedy the infringement and mitigate its potential adverse effects;
- Compliance with measures previously ordered on the same subject matter;
- Adherence to approved codes of conduct or certification mechanisms;
- Any other aggravating or mitigating circumstances.
Step 4: Legal maximums for the different processing operations and corporate liability
Rather than fixed fines for specific violations, the GDPR establishes overall maximum amounts. Articles 83(4) and 83(5)-(6) set static maximums of €10 million and €20 million respectively.
Where the addressee is an undertaking, the maximum may shift upwards based on its turnover (up to 2% or 4% respectively of the undertaking’s total annual turnover of the preceding financial year).
The GDPR requires SAs to apply whichever of the two, the static amount or the dynamic turnover-based amount, is greater.
To determine the correct turnover for the dynamic legal maximum, the EDPB advises that the concept of undertaking as defined by the CJEU must be applied: “every entity engaged in an economic activity, regardless of the legal status of the entity and the way in which it is financed.”
Under competition law, a single economic unit can qualify as an undertaking even if it consists of several legal entities. To assess if several legal entities form a single economic unit, it is necessary to assess whether the individual entity is free in its decision-making ability or if a leading entity exercises decisive influence over the other entities.
Criteria to take into account in this assessment include:
- The shareholdings (participations) held between the entities;
- Personnel and organisational ties across entities;
- Instructions given by one entity to another;
- The existence of company contracts.
When applying the dynamic legal maximum, SAs must also establish the undertaking’s annual turnover, meaning net turnover: the amounts derived from the sale of goods and services after deducting sales rebates, VAT and other taxes directly linked to turnover.
Step 5: Assessment of whether the fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by Article 83(1) GDPR
In each individual case, SAs must finally assess whether the fine as calculated is “effective, proportionate and dissuasive”, and adjust it if it is not.
Effectiveness: A fine is generally considered effective if it achieves the goals for which it was imposed (re-establishing compliance with the rules, punishing unlawful behaviour, or both).
Proportionality: The measure adopted must not go beyond what is appropriate and necessary to attain the objectives pursued by the law; where a choice exists between several appropriate measures, the least onerous one must be chosen, and the disadvantages caused must not be disproportionate to the aims pursued.
In exceptional cases, SAs may further reduce the fine on the ground of inability to pay, taking into account the economic viability of the undertaking concerned and its specific social and economic context.
Dissuasiveness: A fine must have a dual deterrent effect: a general one, discouraging others from committing the same infringement, and a specific one, discouraging the controller or processor concerned from repeating it.
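As an added illustration (not the EDPB's own tool and not code from the original page), the Python below models the arithmetic parts of Steps 1, 2 and 4: net turnover of the undertaking summed over its controlled entities, the static-versus-dynamic legal maximum, the seriousness band, and the Article 83(3) cap for a “unity of action” case compared with a “plurality of actions” case. Step 3 adjustments and the Step 5 assessment are judgement calls, so the amounts after Step 3 are simply inputs; the concurrence category is not modelled. The entity names, turnover figures and fine amounts are constructed, and the function names are the author's own, not terms from the guidelines.

```python
"""Worked example of the computable parts of the EDPB five-step methodology.
Added illustration, not the EDPB's own tool. Thresholds are those stated in the
guidelines (Art. 83(4)/(5)-(6) ceilings, Step 2 seriousness bands); entity
names, turnover figures and fine amounts are constructed for illustration."""
from dataclasses import dataclass

# Step 4: static ceiling (EUR) and turnover-based ceiling (percent) per category.
STATIC_MAX_EUR = {"83(4)": 10_000_000, "83(5)-(6)": 20_000_000}
TURNOVER_PCT = {"83(4)": 2, "83(5)-(6)": 4}

# Step 2: seriousness band as a percentage range of the legal maximum.
SERIOUSNESS_BANDS_PCT = {"low": (0, 10), "medium": (10, 20), "high": (20, 100)}


@dataclass(frozen=True)
class Entity:
    """One legal entity of the group (hypothetical). Amounts in whole euros."""
    name: str
    gross_sales_eur: int
    rebates_eur: int = 0
    vat_eur: int = 0
    other_turnover_taxes_eur: int = 0

    def net_turnover(self) -> int:
        # Step 4: turnover is net of rebates, VAT and other turnover-related taxes.
        return (self.gross_sales_eur - self.rebates_eur - self.vat_eur
                - self.other_turnover_taxes_eur)


def undertaking_turnover(entities: list[Entity]) -> int:
    """Turnover of the single economic unit: the sum over every entity the SA has
    found to be under the decisive influence of the same parent."""
    return sum(e.net_turnover() for e in entities)


def legal_maximum(category: str, turnover_eur: int) -> int:
    """Step 4: the greater of the static ceiling and the turnover-based ceiling."""
    return max(STATIC_MAX_EUR[category], turnover_eur * TURNOVER_PCT[category] // 100)


def starting_point_range(category: str, turnover_eur: int, seriousness: str) -> tuple[int, int]:
    """Step 2: the band of the legal maximum from which the SA picks the starting amount."""
    low_pct, high_pct = SERIOUSNESS_BANDS_PCT[seriousness]
    cap = legal_maximum(category, turnover_eur)
    return (cap * low_pct // 100, cap * high_pct // 100)


@dataclass(frozen=True)
class Infringement:
    category: str               # "83(4)" or "83(5)-(6)"
    seriousness: str            # "low", "medium" or "high"
    fine_after_step3_eur: int   # starting amount already adjusted for Art. 83(2) factors


def apply_article_83_3(infringements: list[Infringement], turnover_eur: int, case_type: str) -> int:
    """Step 1 cap for linked infringements. 'unity': one total fine, capped at the legal
    maximum of the gravest infringement. 'plurality': separate fines, each capped on its own.
    The concurrence category is not modelled here."""
    if case_type == "plurality":
        return sum(min(i.fine_after_step3_eur, legal_maximum(i.category, turnover_eur))
                   for i in infringements)
    if case_type == "unity":
        gravest_cap = max(legal_maximum(i.category, turnover_eur) for i in infringements)
        return min(sum(i.fine_after_step3_eur for i in infringements), gravest_cap)
    raise ValueError(f"unsupported case type: {case_type}")


def example() -> dict:
    """Constructed scenario: a parent and one controlled subsidiary, two linked infringements."""
    group = [
        Entity("ParentCo", gross_sales_eur=880_000_000, rebates_eur=30_000_000, vat_eur=50_000_000),
        Entity("SubCo", gross_sales_eur=210_000_000, vat_eur=10_000_000),
    ]
    turnover = undertaking_turnover(group)   # 800m + 200m = 1,000m EUR
    infringements = [
        Infringement("83(4)", "medium", fine_after_step3_eur=15_000_000),
        Infringement("83(5)-(6)", "high", fine_after_step3_eur=30_000_000),
    ]
    return {
        "turnover_eur": turnover,
        "max_83_4_eur": legal_maximum("83(4)", turnover),          # 2% of 1bn = 20m, above the 10m static ceiling
        "max_83_5_6_eur": legal_maximum("83(5)-(6)", turnover),    # 4% of 1bn = 40m, above the 20m static ceiling
        "high_band_83_5_6_eur": starting_point_range("83(5)-(6)", turnover, "high"),   # (8m, 40m)
        "unity_total_eur": apply_article_83_3(infringements, turnover, "unity"),       # 45m capped to 40m
        "plurality_total_eur": apply_article_83_3(infringements, turnover, "plurality"),  # 15m + 30m, each under its own cap
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

The two totals at the end show why Step 1 matters: with the same two adjusted amounts, treating the conduct as a unity of action caps the total at the €40 million ceiling of the gravest infringement, while treating it as a plurality of actions leaves the full €45 million. Amounts are kept as integer euros so that the percentage arithmetic is exact.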
Throughout all of the above steps, it must be borne in mind that the calculation of a fine is not a simple mathematical exercise; it is the circumstances of the specific case that determine which factors lead to the final amount. DPOs and privacy teams should examine the enforcement practice of the SAs involved (in cross-border as well as purely national cases) to be best prepared for a possible enforcement action. The EDPB has also indicated that it will keep its guidance and methodology under review.