What is the cost of non-compliancy to GDPR?

The EDPB publishes Guidelines on the calculation of administrative fines under the GDPR

Written by: Anastasiya Maisenia

In May this year, the European Data Protection Board (the “EDPB”) published its new Guidelines on the calculation of fines under the GDPR (the “Guidelines”). As part of the public consultation process, the EDPB was seeking views of the public and, not surprisingly, by the end of the deadline it received a lot of feedback from various stakeholders (such as companies and business associations, DPOs, research institutions, NGOs and individuals alike). This highlights the importance of the topic and unveils a high demand for legal certainty when it comes to the methodology for calculating fines by the national supervisory authorities (the “SAs”).

What is the main objective of the drafted EDPB Guidelines?

By issuing new Guidelines on the calculation of fines under the GDPR, the EDPB primarily wants to achieve greater harmonisation and provide the SAs with clear ‘starting points’ to calculate fines. Importantly, in para. 5, the EDPB stresses that the Guidelines envisage a harmonisation in terms of the starting points and methodology used to calculate fines, rather than of the actual outcome (para. 5).

Currently, the approach of SAs across the EU varies due to several reasons, such as the adoption of divergent fine calculation models. The German model, for instance, ranks companies by their size and turnover. Based on this, they then calculate a basic value which is multiplied by a factor, depending on the severity of the offense. The Dutch model, on the other side, foresees standard fine brackets for various categories of infringements, without making any reference to the turnover of an enterprise (p.1).

More importantly, the concept of ‘turnover’ itself is not defined in the GDPR. It has been subject to diverse interpretations which, along with the different fine calculation methodologies, further increases the fragmentation of GDPR implementation across the EU Member States. Under the Guidelines, however, the term ‘turnover’ should be understood within the meaning of Annexes V or VI to Article 13(1) of Directive 2013/34/EU, and is referring to ‘net turnover’*.

Another cause of discrepancies among the EU Member States lies in the varying interpretation of some of the GDPR provisions given by their SAs. This issue is not tackled by the new EDPB Guidelines which, instead, focus exclusively on the fine calculation methodology.

Five-step calculation methodology under the new Guidelines

The core of the EDPB’s recently published draft Guidelines on the calculation of GDPR fines lies in their five-step methodology for calculating the fine amount. When applying all five steps, the SAs must bear in mind that “the calculation of a fine is no mere mathematical exercise. Rather, the circumstances of the specific case are the determining factors leading to the final amount, which can – in all cases – vary between any minimum amount and the legal maximum” (p.2).

These are the five steps the EDBP suggest:

Step 1. To begin with, the processing operations in the case must be identified by the SA and the application of GDPR Article 83(3) needs to be evaluated.  In other words, the SA must first determine what conduct and infringements the fine is based upon. In para. 21, the EDPB specifies that depending on the case, the SA may be dealing with one and the same or separate sanctionable conducts, whereby one conduct could also give rise to several different infringements(para. 21).

Step 2. Next, the starting point for further calculation of the fine amount needs to be identified. To do so, the SA must evaluate:

• the classification of the GDPR infringement,
• its seriousness in light of the case’s circumstances,
• the turnover of the company, which under para. 130 of the Guidelines is normally reflected in its consolidated annual financial statements. If such statements do not exist, the SA may request other documents apt to infer the company’s worldwide annual turnover in the relevant business year.

Step 3. The third step consists in evaluating any aggravating or mitigating circumstances related to past or present behaviour of the controller/processor, then adjusting the fine accordingly.

Step 4. When aggravating and mitigating circumstances have been determined, the SA needs to identify the relevant legal maximums for the different infringements. Increases applied in previous or next steps cannot exceed this maximum amount.

Step 5. Last but not least, in line with GDPR Art. 83 (1), an analysis must be made whether the calculated final amount meets the requirements of effectiveness, dissuasive effect and proportionality. The fine can still be adjusted accordingly, however again without exceeding the relevant legal maximum.

Main points of criticism on the fine calculation method

Relying on turnover

Even though the public largely welcomed the EDPB’s attempt to harmonise the approach to calculating administrative fines throughout the EU by introducing a straightforward five step methodology, certain aspects of the Guidelines were heavily criticised in the public consultation. This criticism, in the author’s view, is not unfounded and beyond doubt deserves serious consideration by the EDPB. Below an overview of what are probably the most controversial points:

• The focus on turnover in the Guidelines is at odds with the GDPR, which uses the turnover of the controller or processor as the upper limit, but not as the lower limit of the fine amount (Section 4.3).

According to numerous returns from stakeholders, relying on the turnover of a company (as opposed to profit, meaning the actual earnings after all expenses have been deducted from net sales) as one of the key factors when determining the starting point of the fine may lead to disproportionate fines being imposed on controllers and processors.

Minimum fine

Moreover, the reference to a ‘minimum fine’ made in the Guidelines deserves further clarification as the GDPR itself does not set any rules on the minimum fine amount, which raises a question of over-interpretation of the GDPR by the EDPB.

• The EDPB invites the SAs to establish fixed amounts of fines for certain violations, which somewhat contradicts the principles of accountability and proportionality in imposing administrative fines. Such fixed amounts can be established at the discretion of the SAs while taking into account, among others, the social and economic circumstances of the Member State, in relation to the seriousness of the infringement as stipulated by Article 83(2)(a), (b) and (g) GDPR (Section 2.3).

‘Price Tag’ on violations

In other words, the proposal to put a ‘price tag’ on certain GDPR violations does not seem to be consistent with GDPR Art. 83(1), which stipulates that each SA shall ensure that the fines for GDPR infringements are proportionate, effective and dissuasive.

• The Guidelines emphasise the intentional and negligent behaviour of the controller or processor leading to an infringement. However, they ignore the cases where a controller or processor acts in good faith, driven by the principle of accountability, but their interpretation of GDPR does not fully coincide with the approach taken by the SA.

Lack of practical examples

The intentional or negligent character of the infringement in specific circumstances would, therefore, need to be further clarified by the EDPB.

• The Guidelines lack sufficient real-life and practical examples.

In particular, this concerns the practical application of   to which the EDPB makes reference in its new Guidelines(section 3.1.1). For instance, more practical examples would help stakeholders to better understand

• The particular focus on fines of the EDPB may lead to administrative fines becoming a default enforcement model of the GDPR.

The toolbox put at the disposal of the SAs by GDPR Art. 58(2) is much more extensive and includes other enforcement tools which in some cases may be considerably more efficient, proportionate, and dissuasive than administrative fines.

Conclusion, what does non-compliancy to GDPR cost you?

The adoption of these new Guidelines (which currently are still in the draft stage) definitely constitutes a move in the right direction by the EDPB and aims to meet the high need/demand for legal certainty and uniformity of GDPR enforcement from the various stakeholders. However, whilst the Guidelines envisage harmonisation on the starting points and methodology used to calculate fines, they do not pursue an objective of harmonisation of the outcome.

This means that the SAs will still dispose over a large marge de manoeuvre when applying fines, which may potentially lead to what is known as ‘forum shopping’, with companies establishing their headquarters in those EU Member States where SAs are known to have a more lenient approach towards GDPR enforcement. Moreover, the special focus placed on fines here may also lead to other corrective actions in the SAs toolbox – as stipulated in GDPR Art. 58(2) – taking a backseat in practice, with SAs less inclined to use the other enforcement measures at their disposal.

As mentioned, for now the Guidelines are still in the draft stage, with the final version expected to be adopted by the end of 2022 – it remains to be seen what they will finally look like!

*According to the Guidelines, net turnover includes “revenue from the sale, rental and leasing of products and revenue from the sale of services less sales deductions (e.g. rebates, discounts) and VAT. Net turnover includes revenue from the sale, rental and leasing of products and revenue from the sale of services less sales deductions (e.g. rebates, discounts) and VAT. Revenue therefore does not include items which are unrelated to the business object/sector of the company such as for example the proceeds from the sale of fixed assets, rental of unused parts of buildings, insurance premiums, commissions and interest income in case of an industrial company” (paras. 128-129).