EDPB Publishes Guidelines on the Calculation of Administrative Fines Under the GDPR
On May 12, 2022, the European Data Protection Board (“EDPB”) adopted Guidelines 04/2022 on the calculation of administrative fines under the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines are intended to harmonize the methodology supervisory authorities (“SAs”) use when calculating the amount of a GDPR fine and provide illustrative examples to help organizations understand the calculation method.
The amount of a fine is at the discretion of the SA, subject to the calculation rules laid out in the GDPR. According to Article 83 of the GDPR, the amount of a fine, which must be determined on a case-by-case basis, should be effective, proportionate and dissuasive. The amount of the fine cannot exceed the maximum amounts provided for in Article 83(4)-(6) of the GDPR, i.e., up to €10 million or 2% of an undertaking’s total worldwide annual turnover (whichever is higher), or depending on the GDPR infringement, up to €20 million or 4% of an undertaking’s total worldwide annual turnover (whichever is higher).
In the Guidelines, the EDPB lays out a five-step methodology for calculating the amount of administrative fines for infringements of the GDPR. The EDPB also states that this methodology should not be misunderstood as a form of automatic or arithmetical calculation; a human assessment of all relevant facts and circumstances at hand must always be conducted.
Step 1: Identify the processing operations in the case and evaluate the application of Article 83(3) of the GDPR.
Article 83(3) of the GDPR provides that “If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.”
SAs first will need to consider what conduct the fine relates to, particularly whether concurrent infringements took place. For example, one case could include multiple sanctionable acts that could result in several infringements. The rules on concurrence are outlined in the case law of the Court of Justice of the European Union (“CJEU”), which identified three categories under which a case may fall: (1) concurrence of offense; (2) unity of action/processing; and (3) plurality of actions. The way the fine is calculated will depend on the category of the case at hand. For example, in a “unity of action/processing” case, the fine is limited to the maximum allowed for the gravest infringement, whereas a “plurality of actions” case can result in separate fines being imposed for each conduct, subject to individual maximum amounts.
Step 2: Identify the starting point for further calculation of the fine amount.
There are two categories of infringements under the GDPR that may serve as the starting point for further calculation of the fine: (1) infringements punishable under Article 83(4) of the GDPR by a fine of €10 million or 2% of the undertaking’s annual turnover, whichever is higher; or (2) infringements punishable under Article 83(5)–(6) of the GDPR by a maximum fine of €20 million or 4% of the undertaking’s annual turnover, whichever is higher.
Consideration also must be given to the facts and circumstances of the infringement when evaluating its seriousness. The GDPR requires SAs to consider, in light of the specific case: (1) the nature, gravity and duration of the infringement; (2) the nature, scope or purpose of the processing at stake; (3) the number of data subjects affected and level of damage suffered by them; (4) whether data subjects are directly identifiable; (5) the intentional or negligent character of the infringement; and (6) the categories of affected data. The assessment of those factors will help determine the seriousness of the infringement as a whole (i.e., low, medium or high level of seriousness). Administrative fines will be set between 0 and 10% of the applicable legal maximum for low level infringements; between 10% and 20% for medium level infringements; and between 20% and 100% for high level infringements. Generally, the more severe the infringement under each of these categories, the higher the starting amount of the fine will be.
In addition, SAs may consider adjusting the starting amount using a tiered approach based on the size of an undertaking and its annual turnover, i.e., if an infringement is committed by an undertaking with an annual turnover under €2 million, under €10 million or under €50 million, or an undertaking with an annual turnover exceeding €100 million, €250 million or €500 million. Generally, the higher the turnover of the undertaking within its applicable tier, the higher the starting amount for the calculation of the fine.
Step 3: Evaluate aggravating and mitigating circumstances related to past/present behavior of the controller/processor.
SAs must take into account whether any of the aggravating and mitigating factors listed under Article 83(2) of the GDPR are present, including: (1) any measure (technical and organizational) taken by the data controller/processor to mitigate the damage suffered by data subjects; (2) the degree of responsibility of the controller/processor for the infringement; (3) any prior infringement by the data controller/processor, and the time frame and subject matter of such prior infringement; (4) the degree of cooperation of the data controller/processor with the SA to remedy the infringement and mitigate potential adverse effects; (5) the manner in which the infringement became known to the SA (e.g., did the SA become aware of the infringement by a complaint/investigation or by the data controller/processor’s own motion); (6) compliance with measures previously ordered on the same subject matter; (7) adherence to approved codes of conduct/certification mechanisms; and (8) any other aggravating or mitigating circumstances, such as financial benefits gained or losses avoided directly or indirectly from the infringement.
Step 4: Identify the legal maximum(s) for the infringement(s) and corporate liability.
The GDPR provides overall maximum amounts, rather than setting fixed sums for specific infringements:
Articles 83(4) and 83(5)-(6) provide for static amount, i.e., up to €10 million or €20 million respectively.
Alternatively, in case of an undertaking, the fining range may shift towards a higher maximum amount based on the undertaking’s turnover, i.e., up to 2% or 4% of the undertaking’s total annual turnover of the previous financial year. This maximum amount is dynamic and individualized towards the respective undertaking and is intended to achieve effectiveness, proportionality and deterrence.
The GDPR requires SAs to consider the static maximum amount, or the dynamic turnover-based maximum amount, whichever is higher. In practice, this means that the turnover-based maximum amounts will apply only if they exceed the static maximum amounts in the case at hand.
The concept of undertaking is central to determining the correct turnover for the dynamic legal maximum. According to CJEU case law, an undertaking “encompasses every entity engaged in an economic activity, regardless of the legal status of the entity and the way in which it is financed.” In addition, for the purpose of competition law, undertakings are identified with economic units, rather than legal units. This means that a single economic unit can qualify as an undertaking even if it consists of several legal entities. Whether several legal entities form a single economic unit will depend on whether the individual entity is free in its decision-making ability or whether a leading entity (such as the parent company) exercises decisive influence over the other entities. In making that assessment, criteria such as the amount of participation, personnel or organizational ties, instructions and existence of company contracts can be taken into account.
When opting for the dynamic legal maximum, SAs also will need to calculate the undertaking’s annual turnover, i.e., the net sum of all goods and services sold, after deducting sales rebates and VAT and other taxes linked to turnover.
Step 5: Assess the effectiveness, proportionality and dissuasiveness of the fine.
SAs are tasked with verifying that the fine imposed is effective, proportionate and dissuasive in each individual case, or whether adjustments are needed:
Effectiveness. A fine generally is considered effective if it achieves the objectives with which it was imposed (e.g., reestablishing compliance with the rules, punishing unlawful behavior or both).
Proportionality. Proportionality requires that measures adopted do not go beyond what is appropriate and necessary to attain the objectives pursued by the law in question. Where there are several appropriate measures, the least onerous ones that cause the least disadvantages must be pursued. In exceptional circumstances, SAs may consider further reducing the fine based on an inability to pay, taking into account the economic viability of the concerned undertaking, proof of value loss and specific social and economic context.
Dissuasiveness. A fine must have a genuine general deterrent effect (i.e., discouraging others from committing the same infringement in the future) and specific deterrent effect (i.e., discouraging the recipient of the fine from committing the same infringement again). The amount of a fine may be increased if the SA determines that the amount is not sufficiently dissuasive.
The EDPB welcomes comments on the draft Guidelines by June 27, 2022 (the public consultation is available here).