Take-Aways (AI)
  • EDPB guidelines describe a five-stage, harmonized procedure for calculating GDPR fines with a starting amount, turnover adjustment and final assessment.
  • Fines increase disproportionately with company turnover; in the case of groups, the consolidated turnover (antitrust definition of an undertaking) can be used.
  • Authorities retain discretionary powers: adjustments, fixed fines for bulk business and consideration of aggravating/mitigating circumstances are possible.

On May 12, 2022, the European Data Protection Board (EDPB, in German EDSA) adopted 40-page draft guidelines intended to harmonize the methods the national authorities use to calculate fines (Guidelines 04/2022 on the calculation of administrative fines under the GDPR). Comments will be accepted until June 27, 2022.

General

Under the guidelines, fines are determined in five steps (set out below).

The main part of the guidelines is an explanation of these five steps. What quickly becomes apparent (see the examples below for illustration): fines depend heavily on company size, and disproportionately so,

  • because the maximum fine limit increases with high turnover
  • and because the fine range is also used more heavily in the case of high-turnover companies.

In other words: non-compliance disproportionately affects large companies.

The EDSA additionally mentions that authorities can provide for fixed fines for certain violations, probably intended to facilitate mass business. After all:

It is recommended that the supervisory authority communicates the amounts and circumstances for application beforehand.

Step 1: Subject of the fine assessment

In this step, it must be determined which conduct is to be sanctioned, i.e. the relevant processing activities are identified and the applicability of Art. 83(3) GDPR (concurrence of multiple violations) is determined.

Step 2: Determination of the initial amount

This step involves determining an initial amount that can subsequently be increased or reduced.

The EDSA first proceeds from the fine range pursuant to Article 83(4)–(6) GDPR (EUR 10 million/2% or EUR 20 million/4%).

Next, the severity of the violation is determined pursuant to Art. 83(2)(a), (b) and (g) GDPR, (inter alia) according to the nature, gravity and duration of the breach, the type of data, the number of data subjects, the extent of damage, fault (intent or negligence; indicative of intent is e.g. a failure to follow the advice of the data protection officer or a breach of the company's own guidelines), etc. The result is an initial categorization of the initial amount, whereby the amount is also to be assessed gradually within these categories according to the severity of the breach:

  • low severity: the starting amount shall not exceed 10% of the fine limit
  • medium severity: 10 – 20%
  • high severity: 20 – 100%

Subsequently, the company's turnover is to be taken into account because, among other things, fines must act as a deterrent. Here the EDSA proposes the following modifications:

  • Annual turnover ≤ EUR 2 million: 0.2% of the starting amount
  • Annual turnover ≤ EUR 10 million: 0.4% of the starting amount
  • Annual turnover ≤ EUR 50 million: 2% of the starting amount
  • Annual turnover EUR 50 – 100 million: 10% of the starting amount
  • Annual turnover EUR 100 – 250 million: 20% of the starting amount
  • Annual turnover ≥ EUR 250 million: 50% of the starting amount

This logic can be mapped in Excel as a rudimentary fine calculator.

However, regulators are not required to consider turnover in this way:

68. As a general rule, the higher the turnover of the undertaking within its applicable tier, the higher the starting amount is likely to be. The latter holds particularly true for the largest of undertakings, for which the category of starting amounts has the widest range.
69. Furthermore, the supervisory authority is under no obligation to apply this adjustment if it is not necessary from the point of view of effectiveness, dissuasiveness and proportionality to adjust the starting amount of the fine.
70. It should be reiterated that these figures are the starting points for further calculation, and not fixed amounts (price tags) for infringements of provisions of the GDPR. The supervisory authority has the discretion to utilize the full fining range from any minimum fine until the legal maximum, ensuring that the fine is tailored to the circumstances of the case, as the Court of Justice requires in case an abstract starting point is used.

Examples for illustration (by us):

  • Violation of data security obligations / serious infringement / annual turnover EUR 50 million → initial amount = EUR 120,000:
    • EUR 10 million/2% of annual turnover (Art. 83(6) GDPR), here EUR 10 million (as higher than 2% of EUR 50 million);
    • high severity: 20 – 100% of EUR 10 million, i.e. at 60% = EUR 6 million;
    • turnover: EUR 50 million, therefore 2% of the starting amount.
  • Violation of the duty to inform / moderately serious infringement / annual turnover EUR 130 million → initial amount = EUR 600,000:
    • EUR 20 million/4% of annual turnover (Art. 83(5) GDPR), here EUR 20 million (as higher than 4% of EUR 130 million);
    • medium severity: 10 – 20% of EUR 20 million, i.e. at 15% = EUR 3 million;
    • turnover: EUR 130 million, therefore 20% of the starting amount.
  • Duty to report a security breach / minor infringement / annual turnover EUR 1.5 billion → initial amount = EUR 750,000:
    • EUR 10 million/2% of annual turnover (Art. 83(4) GDPR), here EUR 30 million (2% of EUR 1.5 billion);
    • low severity: 0 – 10% of EUR 30 million, i.e. at 5% = EUR 1.5 million;
    • turnover: > EUR 250 million, therefore 50% of the starting amount.
  • Duty to delete data / serious infringement / annual turnover EUR 4 billion → initial amount = EUR 48 million:
    • EUR 20 million/4% (Art. 83(5) GDPR), in this case EUR 160 million (4% of EUR 4 billion);
    • high severity: 20 – 100% of EUR 160 million, i.e. at 60% = EUR 96 million;
    • turnover: > EUR 250 million, therefore 50% of the starting amount.

The disproportionate increase with turnover can be illustrated by a moderately serious violation of the obligation to delete:

  • Turnover of EUR 1 million: EUR 6,000
  • Turnover of EUR 10 million: EUR 12,000
  • Turnover of EUR 100 million: EUR 300,000
  • Turnover of EUR 1 billion: EUR 3,000,000
  • Turnover of EUR 5 billion: EUR 15,000,000
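As an added example (not code from the post, nor anything published by the EDPB), the following Python calculator maps Step 2 (legal maximum, severity band, turnover tier) and the Step 4 cap and reproduces the four worked examples above as well as the turnover series just listed; it is the kind of rudimentary calculator the post mentions building in Excel. The midpoint of each severity band (5%, 15%, 60%) is the position the post's examples use. Everything not stated in the post is an assumption: the inclusive handling of tier boundaries (EUR 100 million falls in the 10% tier, which is what the series above requires), the `position` parameter for placing a case inside its band, and the `adjustment_factor` used to stand in for Step 3, for which the guidelines give no numbers. The first example is run with the EUR 10 million/2% range the post applies to it.

```python
"""Rudimentary GDPR fine calculator following the five-step method of the EDPB
draft guidelines 04/2022 as summarised above.  Added example, not the post's or
the EDPB's own code.  Tier thresholds and band limits are those quoted in the
post; boundary handling, the `position` parameter and the Step 3 factor are
assumptions made here so that the post's worked examples are reproduced.
"""
from __future__ import annotations

MILLION = 1_000_000

# Fine range per Art. 83(4)-(6) GDPR: (fixed cap in EUR, share of annual turnover).
FINE_RANGES = {
    "83(4)": (10 * MILLION, 0.02),  # e.g. Art. 32 security, Art. 33 breach notification
    "83(5)": (20 * MILLION, 0.04),  # e.g. principles, data-subject rights, erasure
    "83(6)": (20 * MILLION, 0.04),  # non-compliance with an order of the authority
}

# Severity band -> (lower, upper) share of the legal maximum (Step 2).
SEVERITY_BANDS = {
    "low": (0.00, 0.10),
    "medium": (0.10, 0.20),
    "high": (0.20, 1.00),
}

# Turnover tier (inclusive upper bound in EUR) -> share of the starting amount
# that is actually applied (Step 2).  Inclusive bounds are an assumption.
TURNOVER_TIERS = [
    (2 * MILLION, 0.002),
    (10 * MILLION, 0.004),
    (50 * MILLION, 0.02),
    (100 * MILLION, 0.10),
    (250 * MILLION, 0.20),
    (float("inf"), 0.50),
]


def legal_maximum(paragraph: str, annual_turnover: float) -> float:
    """Dynamic upper limit: fixed cap or percentage of turnover, whichever is higher."""
    fixed_cap, share = FINE_RANGES[paragraph]
    return max(fixed_cap, share * annual_turnover)


def severity_share(severity: str, position: float = 0.5) -> float:
    """Point inside the severity band: position 0.0 = lower edge, 1.0 = upper edge.

    The default midpoint gives 5% / 15% / 60%, the values the post's examples use.
    """
    if not 0.0 <= position <= 1.0:
        raise ValueError("position must lie between 0 and 1")
    lower, upper = SEVERITY_BANDS[severity]
    return lower + position * (upper - lower)


def turnover_share(annual_turnover: float) -> float:
    """Share of the starting amount applied for the company's turnover tier."""
    for upper_bound, share in TURNOVER_TIERS:
        if annual_turnover <= upper_bound:
            return share
    raise AssertionError("unreachable: the last tier is unbounded")


def starting_amount(paragraph: str, severity: str, annual_turnover: float,
                    position: float = 0.5) -> int:
    """Step 2: severity share of the legal maximum, then the turnover adjustment.

    Rounded to whole euros so that binary floating point (0.2 + 0.4 != 0.6) does
    not leak into the result.
    """
    maximum = legal_maximum(paragraph, annual_turnover)
    severity_based = severity_share(severity, position) * maximum
    return round(severity_based * turnover_share(annual_turnover))


def calculate_fine(paragraph: str, severity: str, annual_turnover: float,
                   adjustment_factor: float = 1.0, position: float = 0.5) -> int:
    """Steps 2 to 4 combined.

    `adjustment_factor` stands in for Step 3 (aggravating > 1, mitigating < 1);
    the guidelines quantify no such factor, so it is an assumption of this
    example.  Step 4: the legal maximum can never be exceeded.
    """
    start = starting_amount(paragraph, severity, annual_turnover, position)
    adjusted = start * adjustment_factor
    return round(min(adjusted, legal_maximum(paragraph, annual_turnover)))


if __name__ == "__main__":
    # The post's four illustrations, followed by the turnover series for a
    # moderately serious erasure violation (Art. 83(5) range).
    print(starting_amount("83(4)", "high", 50 * MILLION))        # 120000
    print(starting_amount("83(5)", "medium", 130 * MILLION))     # 600000
    print(starting_amount("83(4)", "low", 1_500 * MILLION))      # 750000
    print(starting_amount("83(5)", "high", 4_000 * MILLION))     # 48000000
    for turnover in (1, 10, 100, 1_000, 5_000):
        print(turnover, "m ->", starting_amount("83(5)", "medium", turnover * MILLION))
```

The turnover enters twice, once through the dynamic legal maximum (percentage of turnover above EUR 500 million or EUR 1 billion, depending on the range) and once through the tier share, which is what produces the steep, non-linear growth shown in the series above.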

By the way – does the turnover of the company or of the group concerned apply?

The EDSA unsurprisingly answers this long-discussed question on the basis of the definition of an undertaking under antitrust law:

As for the term “undertaking”, the European legislator provides explicit further clarification. Recital 150 GDPR states: “Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes.”

Therefore, Article 83(4)-(6) GDPR in light of recital 150 relies on the concept of undertaking in accordance with Articles 101 and 102 TFEU, without prejudice to Article 4(18) GDPR (which gives a definition of an enterprise) and Article 4(19) GDPR (which defines a group of undertakings). The former concept is mainly used in Chapter V GDPR, in the phrase group of enterprises engaged in a joint economic activity. Besides that, the term is applied in a general sense, not as the addressee of a provision or obligation.

120. Accordingly, in cases where the controller or processor is (part of) an undertaking in the sense of Articles 101 and 102 TFEU, the combined turnover of such undertaking as a whole can be used to determine the dynamic upper limit of the fine (see Chapter 6.2.2), and to ensure that the resulting fine is in line with the principles of effectiveness, proportionality and dissuasiveness (Article 83(1) GDPR).

The EDSA explains these factors in more detail, particularly the antitrust concept of a single economic unit (SEU).

Step 3: Assessment of aggravating and mitigating circumstances

Under this heading, factors that have an aggravating or mitigating effect must be taken into account. This refers to the previous or current behavior of the company, e.g. damage-mitigating measures, previous infringements, cooperation with the authorities, self-disclosure, the infringer's profit (!), etc. However, the EDSA does not propose any specific quantitative modification of the basic amount here.

Step 4: Maximum amounts

The legal limits (2%/EUR 10 million or 4%/EUR 20 million, whichever is higher) for the relevant processing operations represent a maximum that cannot be exceeded. Actually, this should be step 5, not step 4.

Step 5: Effectiveness, deterrence and proportionality

In the final step, the authority must assess whether the calculated amount satisfies the requirements of effectiveness, deterrence and proportionality; if necessary, it is adjusted.