What is the cost of doing business?

– The EDPB adopts new guidelines for the calculation of administrative fines

With the advent of the EU’s General Data Protection Regulation (the “GDPR”) four years ago, data protection authorities (DPAs) in EU member states were given significantly more muscle to throw around, as the GDPR enables the DPAs to issue fines that can materially impact a company’s bottom line. As is probably well known at this point, the maximum fine under the GDPR is the higher of EUR 20 000 000 or 4 % of the company’s total worldwide annual turnover for the preceding financial year.

As the DPAs have grown used to their (relatively) new enforcement powers and have had time to investigate potential breaches of the regulation, fines both high and low are being issued across the EU. In an effort to increase harmonization of the administrative fines issued across the member states, the European Data Protection Board (the “EDPB”) has adopted a new set of guidelines on the calculation of administrative fines under the GDPR.

The new guidelines provide a systematic and chronological description of how to calculate administrative fines by means of a five-step method.

According to the five-step method now adopted by the EDPB, the calculation of a fine starts with the DPA establishing whether the case in question concerns one or more sanctionable conducts, and whether a conduct has led to one or more infringements of the GDPR.

During the second step, the guidelines provide a method for the DPAs to find a starting point for the further calculation, based on an evaluation of i) the categorization of the infringement by nature, ii) the seriousness of the infringement and iii) the turnover of the recipient of the fine. As the guidelines emphasize, however, this is not to be understood as a mere mathematical exercise: all relevant facts must be considered by the DPAs, as each case must be assessed on its merits.

As for the third step, the guidelines instruct the DPAs to evaluate any and all relevant aggravating or mitigating circumstances, both past and present, and to adjust the fine accordingly. Following this, the fourth step requires the DPAs to identify the relevant legal maximum fine for the different processing operations and to ensure that this maximum is not exceeded.

Lastly, during the fifth step of the calculation, the DPAs are required to analyze the final amount of the calculated fine and assess whether it meets the requirements of effectiveness, dissuasiveness and proportionality set out in Article 83(1) of the GDPR. If this is found not to be the case, the DPAs are to increase or decrease the fine accordingly.

Although the EDPB’s effort to provide guidance in this regard is certainly welcome, it remains to be seen whether these guidelines will have the desired effect. As is emphasized repeatedly throughout the guidelines, the final amount of a fine depends on all relevant circumstances of the case, and the new guidelines do not, contrary to what some might have wished for, provide companies with a mathematical formula for calculating the amount of a fine in advance.

In other words, the guidelines do not give potential offenders a means of calculating a fine in advance and thus of budgeting for future enforcement as “the cost of doing business”. Instead, the EDPB has sought to harmonize the starting points and the methodology for calculating fines while leaving ample room for individual considerations on a case-by-case basis, thereby harmonizing the method rather than the outcome.

The above information, published by Norelid Advokatbyrå and/or its employees, is to be considered general information only and does not constitute, nor should it be used as, professional legal advice. There is a risk that the information is not complete or not entirely up to date. Any use of the information is at the risk of the user.