Back when the GDPR was introduced, one of the central topics in the media was the possibility of imposing fines for data protection violations, which was greatly expanded by the regulation. Art. 83 GDPR sets worrying benchmarks with a maximum fine in the amount of 20 million euros or 4 percent of a company group’s worldwide turnover in the preceding year, without, however, providing concrete guidelines for calculation or determination of the amount of the fine. In December 2019, the German Data Protection Conference (DSK) published a concept for the determination and calculation of fines, which will likely be applied in the future by the various data protection authorities of the federal states. In the following, we will briefly introduce this concept to you.
The concept now presented by DSK is primarily geared to the turnover of the company concerned. Five steps are required to determine the specific fine:
Step 1:
In a first step, the concerned company is categorized into a class (start-up, small, medium and large company) based on its turnover. The classes are further divided into several subgroups. The classification is based on the total turnover of the company in the previous calendar year.
Step 2:
Following the classification of the company into class and subgroup, the average annual turnover is determined according to the specific sub-group.
Step 3:
This step consists of determining the basic economic value of the company. At this point, a daily rate is calculated taking into account the average annual turnover (step 2). The average annual turnover is divided by 360 and rounded up.
Step 4:
It is only at this stage that the specific infringement is taken into account and classified according to its severity as “light”, “medium”, “serious” and “very serious”. There is also a division into “formal” and “material”. Formal infringements are specified in Art. 83 (4) GDPR. Material infringements are found in Article 83 (5) and (6) GDPR, and this classification must take into account the specific circumstances of each case, such as the nature, severity and duration of the infringement. It should also be taken into account whether the infringement happened intentionally or due to negligence. Thus, a factor is determined and multiplied by the daily rate. Attention: for the group of “very serious infringements”, no specific factor is set as fixed, but can be freely chosen.
Step 5:
The fifth and last step allows for the fine to be adjusted on the basis of circumstances or criteria relating to the offender which also influence the proceedings. Thus, a discount may be granted here due to the particularly long duration of the procedure. It is also possible to take into account a particularly precarious economic situation of the company concerned.
Comment:
While it is a welcome development that the presented concept attempts to standardize the rules on setting fines, we do not consider the system to be very suitable. The classification of companies according to their turnover is too crude and one-sided. The approach leaves too much leeway for the authorities in assessing the specific infringement and does not sufficiently limit fines. We fear that this might result in considerably higher fines in the end.