On May 16, 2022, the European Data Protection Board (‘EDPB’) published draft regulatory guidelines (‘draft guidance’) on the calculation of administrative fines for infringements of the EU General Data Protection Regulation (‘GDPR’). In the draft guidance, the EDPB sets out its methodology, consisting of five steps, for calculating administrative fines.
The EDPB adopted these guidelines to harmonize the methodology that data protection authorities should use when calculating administrative fines. The draft guidance should be read together with the guidelines that the EDPB has previously published on when to impose administrative fines for GDPR violations.[1]
Article 83 GDPR
Article 83(1) GDPR requires data protection authorities to ensure that the imposition of administrative fines is in each individual case effective, proportionate and dissuasive. When deciding on the amount of a specific fine, the authorities need to give due regard to a list of circumstances that refer to features of the infringement, the intentional or negligent character of the infringement, and any relevant previous infringements by the controller or processor (Article 83(2) GDPR). The amount of the fine cannot exceed the maximum amounts provided for in Articles 83(4)-(6) GDPR.
Five-step methodology
The EDPB stresses that the calculation of administrative fines requires a case-by-case assessment, within the parameters provided for by the GDPR.
To harmonize the calculation of fines, the EDPB proposes that data protection authorities apply a methodology that consists of the following five steps:
1. Identify the processing operations and evaluate the application of Article 83(3) GDPR
The data protection authority should consider what conduct and infringements trigger the imposition of a fine. Article 83(3) GDPR specifies that if a controller or processor infringes several GDPR provisions by the same or linked processing operations, the total amount of the administrative fine cannot exceed the maximum amount that applies to the most serious infringement.
The EDPB further points out that it is important to establish: (1) whether or not the circumstances are to be considered as one or multiple sanctionable ‘conducts’, (2) in case of one conduct, whether or not this conduct gives rise to one or more infringements, and (3) in case of one conduct that gives rise to multiple infringements, whether or not it would be lawful to fine the offender for the same wrongdoing twice (e.g., because the conduct infringed two provisions of the GDPR which protect the same legal interest).
2. Find the starting point for calculating the fine
In order to determine the right starting point for calculating an effective, dissuasive and proportionate fine, the EDPB considers that data protection authorities should take into account the following three elements:
   - The categorization of infringements by nature under Article 83(4)-(6) GDPR, i.e., whether the infringement falls within the ‘lower tier’ of infringements, which are listed in Article 83(4) GDPR, or within the ‘higher tier’ of infringements listed in Articles 83(5) & (6) GDPR;
   - The seriousness of the infringement, taking into account certain circumstances listed in Article 83(2) GDPR, such as the categories of personal data affected by the infringement; and
   - The turnover of the undertaking.
3. Evaluate whether aggravating and mitigating circumstances apply
After having determined the starting point for calculating the fine, all circumstances of the case should be taken into account and weighed before determining the final fine to be imposed on the controller or processor. In this third step, the data protection authorities should consider any aggravating and mitigating circumstances that relate to the past or present behavior of the controller or processor. These circumstances are listed in Article 83(2) GDPR, and include, for example, the actions taken by the controller or processor to mitigate damage suffered by data subjects, as well as any previous GDPR infringements.
Where applicable, aggravating and mitigating circumstances may result in an increase or decrease of the final fine.
4. Identify the maximum fine that can be imposed
The maximum fine will depend on whether the infringement falls within Article 83(4) GDPR or 83(5) & (6) GDPR:
   - Infringements falling within Article 83(4) GDPR are subject to a maximum fine of 10,000,000 EUR (which the EDPB calls the ‘static maximum’), or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year (which the EDPB calls the ‘dynamic maximum’), whichever is higher; and
   - Infringements falling within Articles 83(5) & (6) GDPR are subject to a (static) maximum fine of 20,000,000 EUR, or in the case of an undertaking, a (dynamic) maximum of up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The draft guidance emphasizes that the concept of ‘undertaking’ (as developed by the Court of Justice of the European Union in competition law cases) encompasses ‘every entity engaged in an economic activity, regardless of the legal status of the entity and the way it is financed’. The criteria for determining what constitutes an undertaking are based on the economic, legal and organizational links between the parent company and its subsidiary, such as the level of participation, the personnel or organizational ties, instructions, and the existence of company contracts.
While the EDPB makes a clear attempt to address the many practical issues regarding the dynamic maximum fine amounts for undertakings, many questions remain unanswered. For example:
   - The EDPB references the ‘Akzo presumption’ developed in the context of competition law. Under the Akzo presumption, where a parent company holds 100% of shares or almost 100% of shares in a subsidiary which has infringed the GDPR and therefore is able to exercise decisive influence over the conduct of its subsidiary, a (rebuttable) presumption arises that the parent company does in fact exercise a decisive influence over the conduct of its subsidiary, including as regards the subsidiary’s processing of personal data (as a controller and/or processor). The parent and subsidiary can therefore be considered to form a single undertaking for the purpose of calculating administrative fines.
   - Although the EDPB notes that the Akzo presumption may be rebutted, it does not provide guidance on the circumstances in which it is possible to do so, other than to state that ‘account must be taken of all the relevant factors relating to those links that tie the subsidiary to the parent company, which may vary from case to case’.
The lack of clarity here makes it particularly challenging for organizations with a large number of subsidiaries or with complex corporate/data protection structures to quantify the risk of a breach of the GDPR.
5. Analyze whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality
The final step in the EDPB’s proposed methodology is to assess whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality. Where needed to ensure that the fine is effective, dissuasive and proportionate, the data protection authority can still adjust the fine, but without exceeding the relevant legal maximum.
—
The draft guidance is open for public consultation. Stakeholders can submit feedback until June 27, 2022, after which the EDPB is expected to adopt its final guidelines.
Source: EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR – https://edpb.europa.eu/system/files/2022-05/edpb_guidelines_042022_calculationofadministrativefines_en.pdf.
[1] EDPB Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679, WP253, endorsed by the EDPB in its first Plenary Meeting on May 25, 2018.