Christian Leuthner and Sven Schonhofen provide an overview of the Concept for calculating fines under the GDPR recently published by the German DPAs and which may point the way for further guidance from the EDPB
The German conference of data protection authorities (Datenschutzkonferenz, DSK) published their concept for calculating administrative fines for data protection violations in October 2019.
The Concept sets out a standardised approach regarding the calculation of administrative fines in accordance with article 83(4) and (5) of the General Data Protection Regulation (GDPR) and takes into account the circumstances of the individual case as described in article 83(2) GDPR. It provides a uniform determination of administrative fines under GDPR without losing the flexibility to consider the individual case and situation of the violating person or organisation (known as the Violating Entity).
The Concept is not binding on courts, non-German authorities, or the European Data Protection Board (EDPB) and shall only be used for violations in Germany that are not cross-border cases. It will only be used until the EDPB has issued its own guidelines for the determination of fines under article 83 GDPR and will not be used for fining associations or natural person outside of their economic activity.
The five-step procedure that the DSK applies in the calculation is explained below:
Step 1 – Classifying the Violating Entity
In the first step, the Violating Entity is classified into a specific category from A to D according to the global annual turnover of the Violating Entity as set out in article 83(4) and (5) GDPR. In accordance with recital 150 GDPR, the DSK determines the annual turnover of the Violating Entity in consideration of articles 101 and 102 of the Treaty of the Functioning European Union (TFEU).
The categories are also divided into more granular subgroups. The categories shall reflect all different sizes of organisations from micro businesses, through small- and medium-sized organisations, to big organisations.
Step 2 – Average annual turnover
In the second step, the average annual turnover of the category is determined in order to be able to determine the daily rate. The average annual turnover is determined as follows:
Step 3 – Daily rate
In the third step, the supervisory authorities determine a daily rate by dividing the annual average turnover by 360 days as a basis for the calculation of the actual fine.
Step 4 – Degree of severity
In the fourth step, the GDPR violation will be categorised into one of four degrees of severity (low, medium, serious, or very serious), taking account of all factors and circumstances of the individual case as set out in article 83(2) GDPR.
Each degree of severity contains several multipliers that are applied to the daily rates determined in the Step 3.
Step 5 – Adjustment in special circumstances
Fifth, the amount determined in Step 4 will be adjusted in accordance with article 83(2) GDPR but also other circumstances, such as very long proceedings or impending insolvency of the Violating Entity.
1. Fines are increasing
The Concept is a paradigm shift for administrative fines for data protection violations. Until a few months ago, and even under “old” data protection law, Germany was a safe haven since administrative fines were not high (only ranging up to €200,000). Under the Concept, fines will now increase significantly. For example, the Berlin Data Protection Authority recently announced that it is preparing a fine in the double-digit million amount of euros.
2. Minimum fines may be too high
At first glance, the Concept seems to be reasonable, particularly for smaller Violating Entities. However, the Concept does not provide for a multiplier smaller than 1. This leads to bigger organisations facing high fines even in minor cases. The minimum fine for a medium-sized organisation in a minor incident with an annual turnover of €45 million to €50 million is now €125,000. For a bigger organisation with a turnover of €450 million, it is already €1.25 million.
Although Step 5 of the Concept provides an opportunity to adjust the fine in accordance with article 83(2) GDPR, these considerations have already been used in the Step 4.so in practice is not likely to lead to a different result.
3. Is it really the turnover of the whole group of the Violating Entity?
It is questionable whether the annual turnover of the group of undertakings is the correct scale. According to recital 150 GDPR, the definition of the term “undertaking” in article 83(4) and (5) GDPR is based on the concept of an undertaking as defined in competition law (articles 101 and 102 TFEU), which is interpreted very broadly (that is, it includes associated companies)
However, the GDPR already defines the term “group of undertakings” (article 4(19) GDPR) so there is no reason why the term undertaking has to be interpreted as group of undertakings (see recital 37, sentence 2). Contrary to the English language version of the GDPR (where recital 150 refers to undertakings and article 4(18) refers to enterprise), other language versions of the GDPR, such as the German, French, Italian, and Dutch language versions, use the same term for undertaking in recital 150 and article 4(18) GDPR. The principle that the criminal law or the law against administrative offences must not be extensively construed to an accused’s detriment (see article 7 ECHR) prohibits the broad interpretation of article 83(4) and (5) GDPR to cover the group of undertakings where only the violating undertaking’s turnover is mentioned in article 83(4) and (5) GDPR. The text of the GDPR takes precedence over the recitals in the event there is a conflict.
4. Does the DSK even have the competency to create the Concept?
It is not clear if the German DPAs even have the competency to create the Concept. Article 70(1)(k) GDPR provides that it is the task of the EPDB – not the national supervisory authorities – to draw up guidelines for supervisory authorities concerning the setting of administrative fines under article 83 GDPR. The aim of this provision is to harmonise the application of the GDPR across all member states. However, if the member states develop different fine concepts, this goal will not be reached. The DSK has recognised this issue and has limited the scope to Germany and set the Concept under the condition that the EDPB must decide in accordance with article 70(1)(k) GDPR. However, it has to be asked whether a national solo run with the annual turnover as the primary scale was necessary or if an entry to the EDPB without using the Concept on a national level would not have been the better approach.
The EDPB are continuously streamlining the enforcement of the GDPR on an EU level, starting with EDPB’s opinion WP253 where the EDPB said that this is an evolving process. Germany now has provided a blueprint for a unified approach. If the EDPB adopts the Concept, high fines across Europe would be standard.
Christian Leuthner is an associate in the Frankfurt office of Reed Smith and member of the IP, Tech & Data Group
Sven Schonhofen is associate in the Munich office of Reed Smith and member of the IP, Tech & Data Group.
This article is adapted from a post originally published on the Reed Smith website and is reproduced with kind permission.