by Gerald Trieb and Roman Haller
The European Data Protection Board (EDPB) has recently issued guidelines on the calculation of administrative fines under the GDPR for public consultation. The guidelines present a five-step process that the national data protection authorities are to follow in the future when calculating the amount of a fine. They are intended to harmonize the calculation of fines throughout the European Economic Area.
The first step is to identify the processing activities in violation of the GDPR and whether these activities are a single operation or several. For example, the EDPB considers it as a linked processing activity if data is collected and then stored or if data is collected and subsequently analyzed.
This is relevant because Art 83 para 3 GDPR provides that in the case of identical or linked processing activities, only a single penalty may be imposed, which shall not exceed the maximum amount of the penalty applicable to the most serious infringement. Even if the same provision is violated several times by a linked processing activity, the restriction of Art 83 para 3 GDPR shall apply.
If a linked processing activity is not given and several violations of the GDPR are found, the authority can generally issue several penalties without regard to Art 83 para 3 GDPR.
In the second step, a starting point for the calculation of the penalty is determined; in particularly serious cases, this starting point may already be the maximum penalty amount. The determining criteria are the categorization of the breach according to Art 83 para 4-6 GDPR, the seriousness of the breach and the turnover of the violator. First, therefore, the relevant range of penalties under the GDPR must be determined; second, the seriousness of the breach must be classified as low, medium or high, taking into account the nature of the breach, its severity and its duration.
The seriousness of the breach shall in turn be considered based on the nature of the processing, the scope of the processing, the purpose of the processing, the number of data subjects and the level of harm in terms of the interference with the individual freedoms and rights of the data subjects. For this categorization, the EDPB also gives examples on page 20-22 of the guidelines.
Depending on whether the level of seriousness is low, medium or high, the starting point should be set at 0-10%, 10-20% or 20-100% of the identified maximum penalty. This starting point may, but need not, be adjusted based on the turnover of the company being penalized. For this adjustment, the EDPB provides for a reduction to certain percentages of the determined starting value, which can be found on page 23 of the guidelines. The EDPB also gives examples for this on pages 23-24 of the guidelines.
In the third step, mitigating and aggravating circumstances must be taken into account. Mitigating factors may be measures taken by the controller or processor that have reduced the harm suffered by the data subjects.
However, measures of data protection by design and by default (Art 25 GDPR) or security of processing (Art 32 GDPR) can only have a mitigating effect if considerably more precautions have been taken than the GDPR requires.
Past breaches may also constitute aggravating circumstances. Past breaches that concern the same subject matter as the current breach are to be weighted more heavily than others.
The GDPR stipulates the obligation to cooperate with the supervisory authority; consequently, only particularly extensive cooperation that prevents harm to data subjects that would otherwise have occurred is to be taken into account as a mitigating factor.
Finally, the EDPB holds that all other circumstances may also be considered as mitigating or aggravating.
Examples of aggravating or mitigating circumstances can be found on pages 30-32.
In the fourth step, the maximum penalty applicable in the individual case must be determined, which, depending on the turnover of the controller/processor, is either a fixed sum or a proportion of the turnover (2 or 4%). In the case of groups of companies, the turnover of the group members can be added together if the parent company has a decisive influence on the subsidiaries.
In our opinion, the usefulness of this step is doubtful, as the maximum penalty amount and the turnover should already be taken into account in the second step to determine the starting point for the calculation of the penalty.
The final step is to check whether the penalty determined satisfies the requirements of effectiveness, proportionality and deterrence. If this is not the case, the penalty can still be adjusted. Although the guidelines provide for the inclusion of economic and socio-economic circumstances as part of the proportionality test, they are very restrictive in its application.
The proposed guidelines provide only a rough framework to guide regulators in determining penalties, so it is still not possible to calculate the specific penalty risk of certain violations. Instead, the level of penalties depends on a large number of case-by-case decisions, which are ultimately largely at the discretion of the supervisory authorities. By setting minimum limits, however, each company can determine what penalty it must expect in any case for a minor/medium/severe violation, apart from any mitigating circumstances (which the EDPB handles very restrictively). However, companies can by no means expect lower penalties in the future and have to keep complying closely with the GDPR in order to avoid the draconian penalties imposed by the European supervisory authorities.
Finally, the EDPB is surprisingly clear in denying that culpable conduct by a natural person of the controller/processor must be identified as a prerequisite for the company's liability. However, neither the national case law that takes the opposite view (for example that of Austria's Highest Administrative Court) nor the questions already awaiting a decision by the ECJ in a preliminary ruling procedure are mentioned. If the ECJ were to follow the EDPB's opinion, companies could in the future be confronted with an "easier" way for the DPA to issue penalties.