The most significant change that GDPR made to EU data privacy law was to enhance enforcement and create a framework for increased fines for non-compliance. Four years after the GDPR started to apply, and as enforcement action picks up across the EU, the EDPB has finally issued draft guidelines on the calculation of administrative fines under the GDPR (the “Guidelines”). The EDPB aims to create a single methodology for calculating fines issued under the GDPR (for both cross-border and non-cross border cases), and thus should replace existing national frameworks, that diverge from the Guidelines. The Guidelines will sit alongside existing guidelines that focus on the circumstances in which to impose a fine.

These Guidelines and the related consultation that the EDPB has launched are likely to attract significant attention as some aspects of the proposed methodology and underlying legal analysis are unclear and/or controversial.  We set out a high-level summary of the proposed methodology below, as well as the next steps in relation to the consultation.

Step 1: One or Multiple Infringements?

The guidelines set out a step-by-step approach for calculating fines. At the same time, the EDPB is at pains to stress throughout the draft that fine calculation is not a simple mathematical exercise, that supervisory authorities must exercise their judgement, and that authorities “are not obliged to follow all steps if they are not applicable in a given case, not to provide reasoning surrounding aspects of the Guidelines that are not applicable”.

First, the Guidelines state that the supervisory authority (“SA”) should establish whether the sanctionable conduct involves a single set of linked processing operations that infringe one or more provisions of the GDPR, or if there are multiple, separable operations involved. This will help the SAs establish whether a single legal maximum (i.e., EUR 10m / 2% of the worldwide annual turnover of the undertaking, or EUR 20m / 4% of the worldwide annual turnover of the undertaking, as applicable under Articles 83(3)-(6) GDPR) applies, or if there will be separate legal maximums for separate infringements.

Step 2: Establishing the starting value of the fine

The Guidelines then set out a process for establishing the “starting point” for an administrative fine, (but also emphasize that supervisory authorities should not be required to state the exact starting amount).

This involves first establishing the “seriousness” of the infringement. To make this assessment, SAs will take account of:

  • whether the infringement is punishable by the lower maximum fine under Article 83(4) GDPR (EUR 10m / 2% of worldwide annual turnover), or the higher maximum fine under Article 83(5)-(6) GDPR (EUR 20m / 4% of worldwide annual turnover);
  • the nature, scope, context, and purposes of the processing (including whether the processing is part of a controller or processor’s “core activities”);
  • the number of data subjects both actually and potentially affected;
  • the level of damage suffered by data subjects, which includes (according to the Guidelines, referring to recital 75 GDPR), physical, material or non-material damage;
  • the duration of the infringement – as a general rule, the longer the duration of the infringement, the more weight the SA should may attribute to this factor. The guidelines note that “if permitted by national law, both the period after the GDPR’s effective date and the previous period may be taken into account when quantifying the fine”;
  • whether the infringement was intentional or negligent; and
  • the categories of personal data affected.

These are three of the factors set out in Article 83(2) GDPR, and the EDPB states they are the factors that relate directly to the infringement itself. Based on these criteria, SAs will assign an infringement as being of a “low”, “medium”, or “high” seriousness. They will then assign a starting point for the fine:

  • For “low” seriousness infringements: between 0 and 10% of the legal maximum;
  • For “medium” seriousness infringements: between 10 and 20% of the legal maximum; and
  • For “high” seriousness infringements: between 20 and 100% of the legal maximum.

The guidelines include various examples to help illustrate these proposed calculations, including infringements involving marketing, data breaches, and data subject access requests.

SAs can then choose to (but are not required to) reduce the level of the starting point. This depends on the turnover of the undertaking in question. For example, for undertakings with a low turnover (less than EUR 2m), SAs can reduce the starting point to as little as 0.2% of the original amount, but for undertakings with high turnover (greater than EUR 250m), SAs can only reduce it to a minimum of 50% of the original amount. Again, the guidelines include various examples, including hypothetical scenarios ranging from a supermarket chain with a turnover of EUR 8 billion being fined EUR 25 million for an infringement deemed to be “of a low level of seriousness”, to a start-up dating app with a turnover of EUR 500,000 being fined EUR 16,000 for selling sensitive personal data (deemed to be “of a high level of seriousness”).

Step 3:  Aggravating and Mitigating Circumstances

After calculating the starting point, SAs have discretion to adjust the amount of the fine by reference to the remaining factors set out in Article 83(2) GDPR, for example any actions taken by the controller or processor to mitigate damage suffered by data subjects, any previous infringements, and the degree of cooperation with the SA. The Guidelines state that “measures spontaneously implemented prior to the commencement of the supervisory authority’s investigation becoming known to the controller or processor are more likely to be considered a mitigating factor, than measures that have been implemented after that moment”; and that due to increased accountability requirements under GDPR, “only in exceptional circumstances, where the controller or processor has gone above and beyond the obligations imposed upon them, will [the degree of responsibility of the controller/processor] be considered a mitigating factor”.

Step 4 – Check against legal maximum

As a fourth step, SAs should check that the fine they intend to impose does not exceed the applicable legal maximum. Notably, the EDPB uses the same definition of “undertaking” as is set out in EU competition law, which presumes that (directly or indirectly) wholly-owned subsidiaries form part of the same “undertaking” as their ultimate parent. This could have the effect of significantly increasing the legal maximum fine for multinational organizations.

Step 5 – Effectiveness, Proportionality And Dissuasiveness

Finally, SAs must conduct a final assessment of whether the fine is “effective, dissuasive, and proportionate” as required by Article 83(1) GDPR. This means that the fine must achieve its goals (which might be to establish compliance or to punish), must have a “genuine deterrent effect” on both the infringing controller or processor and others that might commit the same infringement, and must not go beyond what is necessary to achieve the goals of the GDPR.

Next steps

The Guidelines are currently under public consultation, which closes on 27 June. After the public consultation, the EDPB will adopt a final version. The accompanying press release indicates that this version will include a reference table setting out examples of how the seriousness of an infringement and the turnover of an undertaking might be assessed to calculate the starting value of a fine.

Photo of Mark Young Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to…

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
    Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    clinical trials and pharmacovigilance;

    • digital health products and services; and
    • marketing programs.
    • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
      preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of…

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Photo of Paul Maynard Paul Maynard

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online…

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.