DSK: Con­cept for the deter­mi­na­ti­on of GDPR fines

EN 
EN  DE  FR 

from

on

Indu­stries

Aut­ho­ri­ty

Laws

Topics

,
Take-Aways (AI)
  • DSK adopted a con­cept for cal­cu­la­ting fines in accordance with Art. 83 GDPR on June 25, 2019.
  • Tur­no­ver forms the basis; dai­ly rate = annu­al turnover/360, tur­no­ver in size clas­ses and, if appli­ca­ble, group tur­no­ver used.
  • Seve­ri­ty of the offen­se mul­ti­pli­es dai­ly rate by fac­tor (light 1 – 4, medi­um 4 – 8, seve­re 8 – 12, very seve­re ≥12).
  • Fur­ther modi­fi­ca­ti­ons: Dura­ti­on, type of pro­ce­s­sing, num­ber of data sub­jects, ext­ent of dama­ge, cul­pa­bi­li­ty, coope­ra­ti­on, pre­vious infringements.

On June 25, 2019, the Ger­man Con­fe­rence of Inde­pen­dent Data Pro­tec­tion Super­vi­sors of the Fede­ra­ti­on and the Län­der (DSK) adopted a con­cept for the cal­cu­la­ti­on of fines under Art. 83 GDPR (cf. the Minu­tes of the cor­re­spon­ding con­fe­rence). 

The con­cept takes into account the fol­lo­wing fac­tors in a com­plex model:

  • Tur­no­ver: Basis of cal­cu­la­ti­on; a so-cal­led “dai­ly rate” is deter­mi­ned here, for which the tur­no­ver is divi­ded by 360. In this con­text, the tur­no­ver is clas­si­fi­ed into size clas­ses and thus gra­du­al­ly abstrac­ted instead of being deter­mi­ned in con­cre­te terms. Inte­re­st­ingly, the DSK lea­ves open which or who­se tur­no­ver is decisi­ve; howe­ver, the DSK has alre­a­dy sta­ted ear­lier that it is the tur­no­ver of the group that is con­cer­ned, not that of the indi­vi­du­al com­pa­ny con­cer­ned (which rai­ses sub­se­quent legal que­sti­ons and is que­stionable). In any case, the tur­no­ver can be esti­ma­ted if the com­pa­nies con­cer­ned do not quan­ti­fy it. 
      • Seve­ri­ty of the vio­la­ti­on: In the 2nd step, the seve­ri­ty of the vio­la­ti­on is deter­mi­ned pri­ma­ri­ly on the basis of the “unlawful­ness sala­ry”. The dai­ly rate is then mul­ti­pli­ed by a fac­tor as follows: 
        • light: fac­tor 1 – 4;
        • Mean: fac­tor 4 – 8;
        • Hea­vy: fac­tor 8 – 12;
        • Very hea­vy: fac­tor 12 or more.
      • fur­ther modi­fi­ca­ti­on: The bus is last modi­fi­ed accor­ding to other criteria: 
        • Dura­ti­on of the violation
        • Type of processing
        • Num­ber affected
        • Ext­ent of damage
    • The­se fac­tors have the effect of redu­cing, neu­tral or incre­a­sing the fine.
    • A fur­ther modi­fi­ca­ti­on is made sub­se­quent­ly after the fur­ther Cri­te­ria of Art. 83 (2) GDPR, i.e., for exam­p­le, accor­ding to the degree of fault, loss miti­ga­ti­on mea­su­res, pre­vious vio­la­ti­ons, coope­ra­ti­on with super­vi­so­ry aut­ho­ri­ties, etc.

    As a result, this method of cal­cu­la­ti­on leads to signi­fi­cant­ly hig­her fines than were pre­vious­ly issued. 

    A detail­ed sum­ma­ry with cal­cu­la­ti­on examp­les can be found e.g. at Lat­ham & Wat­kins.