Calculation of fines under the GDPR: draft guidelines by and for the authorities

On 12 May 2022, the European Data Protection Board (the “EDPB”) published its Guidelines 04/2022 on the calculation of administrative fines (the “Draft Guidelines”) under Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the “GDPR”). The Draft Guidelines provide for a harmonised calculation of administrative fines under the GDPR. In general, the calculation of administrative fines is at the discretion of national data protection authorities (“DPAs”), which must assure that the latter remain effective, proportionate and dissuasive in each individual case. Under the Draft Guidelines, the EDPB provides for a five-step methodology which DPAs should apply when calculating administrative fines.

Step 1: Determining whether there are one or multiple infringements against the GDPR

First, DPAs should consider the conduct and the GDPR infringement of the controller or processor. Depending on the case, DPAs may identify either one or multiple sanctionable conduct according to which the scope of the administrative fine will differ:

• if there is only one sanctionable conduct, DPAs should establish whether or not the alleged conduct gives rise to one or more infringements and whether those infringements are to be considered individually or alongside each other;
• if multiple sanctionable conducts are identified (e.g. different processing operations infringing different requirements stemming from the GDPR), the undertaking can be subject to separate fines applicable for each infringement of the GDPR (in which case the maximum monetary cap for a fine in relation to the same or linked processing operations shall not apply).

As a result, in practice, the aggregate amount of fines may exceed the absolute maximum of 4% of the annual worldwide turnover of the undertaking or EUR 20,000,000, whichever is higher. Also, it is confirmed that the concept of “undertaking” includes group companies.

Step 2: Setting out the starting amount of the fine

To determine the adequate starting amount to consider for the further calculation of the administrative fine, the Draft Guidelines provide that DPAs shall notably assess the degree of seriousness of the infringement by giving due regard to the nature, the duration and the gravity of the infringement and finally take into account the turnover of the undertaking acting as controller or processor. 

Step 3: Evaluation of aggravating and mitigating circumstances related to past or present behaviours

Next, DPAs shall determine whether there are any aggravating or mitigating circumstances, in the past or present, against the data controller or processor, that could justify increasing or decreasing the amount of the fine. In particular, DPAs should, in the event of an infringement, focus on the actions taken by the controller or processor to mitigate the damage suffered by the data subjects. 
In this regard, it is specified that cooperation with the authorities is a general obligation under the GDPR and should not be taken into consideration for the determination of the amount of the fine, except if such cooperation results in mitigating risks for the individuals affected by the infringement at stake.

Step 4: Identification of the relevant legal maximums for the alleged processing operation

As a fourth step, the DPA should identify the maximal legal amount for the processing operation at stake as provided by Articles 84(4)-(6), namely either:

• a fine of maximum EUR 10,000,000 or 2% of the undertaking’s annual worldwide turnover, whichever is higher or,
• a fine of maximum EUR 20,000,000 or 4% of the undertaking’s annual worldwide turnover, whichever is higher.

Step 5: Analysis of whether the calculated fine meets the requirement of effectiveness, dissuasiveness and proportionality

Finally, the DPA shall assess whether the final fine meets the requirements of effectiveness, dissuasiveness and proportionality as required by Article 83(1) of the GDPR. 

With respect to its proposed methodology, the EDPB emphasises the fact that the calculation of an administrative fine is not a mathematical exercise, but rather a process which must take into account the specific circumstances of each case. 

What’s next?

The Draft Guidelines are subject to public consultation and open for comments. Stakeholders can submit their feedback until 27 June 2022 after which the EDPB is expected to adopt its final guidelines.