After a month of rumors, uncertainty, and German data protection authorities being nontransparent, the German conference of data protection authorities (Datenschutzkonferenz, DSK) published the concept for calculating administrative fines for data protection violations (Concept, available here) on October 16, 2019.
The Concept sets out a standardized approach regarding the calculation of administrative fines in accordance with article 83(4) and (5) of the General Data Protection Regulation (GDPR) and also takes into account the circumstances of the individual case as described in article 83(2) GDPR. The Concept provides a uniform determination of administrative fines under GDPR without losing the flexibility to consider the individual case and situation of the violating person or organization (Violating Entity).
The Concept is not binding on courts, non-German authorities, or the European Data Protection Board (EDPB) and shall only be used for violations in Germany that are not cross-border cases. The Concept shall only be used until the EDPB has issued its own guidelines for the determination of fines under article 83 GDPR. In addition, the Concept shall not be used for fining associations or natural persons acting outside of their economic activity.
In this blog, we explain the five-step procedure that the DSK applies in the calculation:
Content of the Concept
The procedure for determining GDPR fines described in the Concept comprises five steps:
Step 1 – Classifying the Violating Entity
In the first step, the Violating Entity is classified into specific categories from A to D based on its global annual turnover, as set out in article 83(4) and (5) GDPR. In accordance with recital 150 GDPR, the DSK determines the annual turnover of the Violating Entity with reference to articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU).
- Category A: up to €2 million annual turnover
- Category B: €2 million to €10 million annual turnover
- Category C: €10 million to €50 million annual turnover
- Category D: above €50 million annual turnover
The categories are further divided into more granular subgroups. The categories are intended to reflect all sizes of organizations, from micro businesses, to small and medium-sized organizations, to large organizations.
Step 2 – Average annual turnover
In the second step, the average annual turnover of the category is determined in order to be able to determine the daily rate. The average annual turnover is determined as follows:
Step 3 – Daily rate
In the third step, the supervisory authorities determine a daily rate by dividing the annual average turnover by 360 days as a basis for the calculation of the actual fine.
Step 4 – Degree of severity
In the fourth step, the GDPR violation will be categorized into one of four degrees of severity (low, medium, serious, or very serious), taking into account all factors and circumstances of the individual case as set out in article 83(2) GDPR.
Each degree of severity contains several multipliers that are applied to the daily rate determined in Step 3.
Step 5 – Adjustment in special circumstances
In the fifth step, the amount determined in Step 4 is adjusted in accordance with article 83(2) GDPR, while also taking into account other circumstances, such as very long proceedings or the impending insolvency of the Violating Entity.
- Fines are increasing
The Concept is a paradigm shift with regard to administrative fines for data protection violations. Until a few months ago, and even under “old” data protection law, Germany was a safe haven since administrative fines were not high (only ranging up to €200,000). Under the Concept, fines will now increase significantly. For example, the Berlin Data Protection Authority recently announced that it is preparing a fine in the double-digit million amount of euros (more on our blog).
- Minimum fines may be too high
At first glance, the Concept seems reasonable, particularly with regard to smaller Violating Entities. However, the Concept does not provide for a multiplier smaller than 1. This means that larger organizations face high fines even in minor cases. The minimum fine for a medium-sized organization with an annual turnover of €45 million to €50 million in a minor incident is now €125,000. For a larger organization with a turnover of €450 million, it is already €1.25 million.
Step 5 of the Concept does provide an opportunity to adjust the fine in accordance with article 83(2) GDPR. However, the same considerations have already been applied in Step 4 of the Concept, so in practice they will likely not lead to a different result.
- Is it really the turnover of the whole group of the Violating Entity?
It is questionable whether the annual turnover of the group of undertakings is the correct scale. According to recital 150 GDPR, the term “undertaking” in article 83(4) and (5) GDPR is to be understood in line with the concept of an undertaking in competition law (articles 101 and 102 TFEU), which is interpreted very broadly (that is, it includes associated companies).
However, the GDPR already defines the term “group of undertakings” separately (article 4(19) GDPR), so there is no reason why the term “undertaking” has to be read as “group of undertakings” (see recital 37, sentence 2). Contrary to the English language version of the GDPR (where recital 150 refers to “undertakings” and article 4(18) refers to “enterprise”), other language versions of the GDPR, such as the German, French, Italian, and Dutch versions, use the same term for “undertaking” in recital 150 and article 4(18) GDPR. The principle that criminal law and the law on administrative offences must not be construed extensively to an accused’s detriment (see article 7 ECHR) prohibits a broad interpretation of article 83(4) and (5) GDPR that would also cover the group of undertakings, where article 83(4) and (5) GDPR mention only the violating undertaking’s turnover. In the event of a conflict, the text of the GDPR takes precedence over the recitals.
- Does the DSK even have the competency to create the Concept?
It is not clear whether the German DPAs even have the competence to create the Concept. Article 70(1)(k) GDPR provides that it is the task of the EDPB – not the national supervisory authorities – to draw up guidelines for supervisory authorities concerning the setting of administrative fines under article 83 GDPR. The aim of this provision is to harmonize the application of the GDPR across all member states. If the member states develop different fine concepts, this goal will not be reached. The DSK has recognized this issue, has limited the scope of the Concept to Germany, and has made it conditional on the EDPB deciding in accordance with article 70(1)(k) GDPR. Nevertheless, it has to be asked whether a unilateral national approach with annual turnover as the primary scale was necessary, or whether referring the matter to the EDPB without applying the Concept at the national level would have been the better course.
The EDPB is engaged in an ongoing process to streamline the enforcement of the GDPR at EU level, which started with the EDPB’s opinion WP253, where the EDPB said that this is an evolving process. Germany has now provided a blueprint for a unified approach. If the EDPB adopts the Concept, high fines across Europe would become the standard.