EDPB Releases Guidelines for Administrative Fine Calculation under GDPR
On May 12, 2022, the European Data Protection Board (“EDPB”) adopted Guidelines 04/2022 (the “Guidelines”) on the calculation of administrative fines under the European Union’s General Data Protection Regulation (“GDPR”).
These Guidelines are intended “to harmoni[z]e the methodology supervisory authorities [(“SA”)] use when calculating of the amount of the fine.” The Guidelines set out a five-step process for calculating the amount of administrative fines for GDPR infringements; the process is neither automatic nor purely arithmetical:
1. Consider the conduct of the violating party and evaluate the application of GDPR Article 83(3).
Article 83(3) states “If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.”
Under the Guidelines, the SA must start by identifying the conduct that the violating party engaged in and determine if the infringement fits into one of these categories: “(1) concurrence of offense; (2) unity of action/processing; and (3) plurality of actions.” The outcome of this determination will establish the calculation process for the fine.
For example, in a “unity of action/processing” situation, the fine that can be assessed is, at a maximum, that which is permissible for the gravest infringement, whereas a “plurality of actions” situation can result in separate fines being imposed for each infringement action, which will then be subject to the maximum fine under each infringement.
2. Identify which infringement category is appropriate for the facts and circumstances.
The GDPR has two categories of infringements: infringements punishable under Article 83(4) GDPR, which carry a “fine maximum of €10 million or 2% of the undertaking’s annual turnover, whichever is higher,” and infringements punishable under Article 83(5) and (6) GDPR, which carry a “fine maximum of €20 million or 4% of the undertaking’s annual turnover, whichever is higher.”
The fines will be set between 0 and 10% of the applicable legal maximum for “low level infringements”; between 10% and 20% for “medium level infringements”; and between 20% and 100% for “high level infringements.” To determine the level of an infringement, the SA must consider the following factors:
the nature, gravity and duration of the infringement;
the nature, scope or purpose of the processing at stake;
the number of data subjects affected and level of damage suffered by them;
whether data subjects are directly identifiable;
the intentional or negligent character of the infringement; and
the categories of personal data affected.
3. Evaluate the aggravating and mitigating factors under Article 83(2).
Additionally, SAs must take into account whether any of the following aggravating or mitigating factors listed under GDPR Article 83(2) are present:
any measure (technical and organizational) taken by the data controller/processor to mitigate the damage suffered by data subjects;
the degree of responsibility of the controller/processor for the infringement;
any prior infringement by the data controller/processor, and the time frame and subject matter of such prior infringement;
the degree of cooperation of the data controller/processor with the SA to remedy the infringement and mitigate potential adverse effects;
the manner in which the infringement became known to the SA (e.g., did the SA become aware of the infringement by a complaint/investigation or by the data controller/processor’s own motion);
compliance with measures previously ordered on the same subject matter;
adherence to approved codes of conduct/certification mechanisms; and
any other aggravating or mitigating circumstances, such as financial benefits gained or losses avoided directly or indirectly from the infringement.
4. Identify the legal maximum fine for the infringement and corporate liability.
As previously stated, Article 83(4) GDPR provides for a maximum fine based on the undertaking’s annual turnover; the turnover-based maximum applies where it exceeds the static maximum amount (€10 million or €20 million) that would otherwise apply in the case at hand.
Under the GDPR, the term undertaking “encompasses every entity engaged in an economic activity, regardless of the legal status of the entity and the way in which it is financed.” In competition law, undertakings are identified as economic units rather than legal units. This means that a single economic unit can be considered an “undertaking” even if it encompasses several legal entities, unless those legal entities are independent of the leading unit’s decisive influence over them. Making this determination requires the SAs to consider many factors, such as:
the amount of participation;
personnel or organizational ties;
instructions; or
existence of company contracts.
5. Assess whether the fines are effective, proportionate and dissuasive.
Although the amount of each assessed fine will be at the discretion of the SA, the Guidelines establish that the calculation of these fines must be in accordance with the Guidelines and “should be effective, proportionate and dissuasive.”
Effective – if the fine achieves the objectives for which it was imposed, such as “reestablishing compliance with the rules, punishing unlawful behavior or both”;
Proportionate – if the measures adopted are “appropriate and necessary” to obtain the objectives of the fine and, where several measures would be proportionate, the least onerous measure, the one causing the least disadvantage, is the one to be assessed;
Dissuasive – if the fine has a “genuine deterrent effect,” such as “discouraging others from committing the same infringement in the future,” or a “specific deterrent effect,” such as “discouraging the recipient of the fine from committing the same infringement again.”
The Guidelines are considered a draft document, and the EDPB will be accepting comments until June 27, 2022.