GDPR Infringements by Companies

How the Amount of Fines is Calculated


The Conference of the independent data protection supervisory authorities of the federation and the federal states (Datenschutzkonferenz, DSK) has published a concept for setting fines. This is Part 2 of the guideline on avoiding fines and defending against penalty notices.

The starting point for the imposition of fines is the General Data Protection Regulation (GDPR). However, the GDPR only sets out the maximum amount of a fine together with a number of criteria the authorities must use as the basis for their assessment. In that respect the regulation is imprecise and broadly formulated. A uniform set of rules is therefore urgently needed in order to create legal certainty.

A Fine in Five Steps

The DSK’s fine concept provides the data protection authorities of the federal states with a guideline for determining the amount of the fines to be imposed. The concept provides for five successive steps:

  • In steps 1 to 3, a so-called basic economic value of the relevant company is determined, and
  • in step 4, this value is multiplied by a factor for the gravity of the infringement.
  • In step 5, the last step, the authorities are granted discretionary power, which allows them to increase or reduce the fine on account of special circumstances. The turnover used as the assessment basis is the company’s worldwide turnover in the previous year.

The specific reference values in the concept published by the DSK can be found here.

First of all, the concept paper creates some clarity about the underlying definition of an undertaking and about how turnover is calculated. The DSK remains rather vague, however, when it comes to assessing the severity of an infringement. The categories are slight, medium, serious and very serious. Each category is then assigned a multiplication factor, which depends on whether the infringement is a formal or a material infringement under the GDPR.

The degree of severity of the infringement (i.e. slight, medium, etc.) is in turn determined according to the GDPR’s list of criteria. This list of criteria is formulated very broadly and openly, as a look at the first criterion under Art. 83 para. 2 lit. a) GDPR shows: it states that, among other things, the nature, gravity and duration of the infringement are to be taken into account.

What does this mean in practice?

For companies it means that this set of rules delivers neither transparency nor legal certainty. The data protection authorities still have wide discretion in each individual decision. At the same time, this means that it can sometimes be worthwhile to take a confrontational course and have the fine reviewed in court.

It is important to note that the DSK’s concept will cease to apply as soon as the European Data Protection Board has issued its final guidelines on the methodology for setting fines.