On October 14, 2019, the German Conference of Data Protection Authorities (DSK) published a concept for determining fines in accordance with the GDPR. In some regards, this concept resembles the model of the Berlin Data Protection Authority which was presented in June of this year (we reported in German), but some aspects remain less concrete.
According to the DSK’s own statement, the DSK’s new concept will be applied to determine fines until the European Data Protection Board publishes a final guideline. A rough outline of potential fine margins can be derived from the concept.
The starting point for the supervisory authorities within this new framework is annual turnover, on which a five-step procedure for calculating fines is built. The DSK emphasizes that, in its opinion, turnover is a suitable, appropriate and fair starting point for the calculation of fines.
What is the procedure for calculating fines?
1. Determining a company's class by annual turnover
On the basis of average annual turnover, companies are divided into one of four classes.
- Micro-enterprises (class A: companies with up to 2 million € in annual turnover, with 3 sub-groups),
- Small companies (class B: companies with over 2 to 10 million € in annual turnover, with 3 sub-groups),
- Medium-sized companies (class C: companies with over 10 to 50 million € in annual turnover, with 7 sub-groups), and
- Large companies (class D: companies with over 50 million € in annual turnover, with 7 sub-groups).
Each class is further divided into sub-groups. Together these sub-groups form a classification spectrum that ranges from micro-enterprises at the lowest level (class A.I), with an annual turnover of up to € 700,000, to large corporations at the highest level (class D.VII), with an annual turnover of more than € 500 million.
2. Determination of a fictive average annual turnover for each sub-group
As a second step, the authority does not use the company's actual turnover but a fictive average annual turnover assigned to its sub-group, calculated as the mean of the sub-group's minimum and maximum thresholds. The concept specifies these numbers for every sub-group, and they are deemed to be the average annual turnover of the sub-group. The spectrum ranges from an average value of € 350,000 (lowest level, class A.I) to 2 or 4 % of the actual annual turnover for large companies with a turnover of more than € 500 million.
3. Basic economic value
The average annual turnover determined in the second step is divided by 360 days, giving a daily figure. This daily value ranges from € 972 for a micro-enterprise in the lowest sub-group to values beyond € 1.25 million. If the annual turnover exceeds € 500 million, a fine of 2% or 4% of the annual turnover is used as the maximum threshold.
4. Multipliers
The basic economic value calculated in steps 1 to 3 is then combined with a multiplier between 1 and 12, determined by the severity of the non-compliance. Infringements are divided into two groups, formal infringements under Art. 83 para. 4 GDPR and material infringements under Art. 83 para. 5 and 6 GDPR, and each is graded by the seriousness of the facts (light, medium, serious or very serious). The result is a factor between 1 and 6 for formal infringements and between 1 and 12 for material infringements.
The criteria for determining seriousness are not disclosed. The concept gives no concrete examples of when the threshold for the next degree of seriousness is reached, nor does it state which criteria are used to set the multiplier.
5. Circumstances of an individual case
This final step adjusts the amount of the fine to the circumstances of each individual case. Although Art. 83 para. 2 GDPR is used as the basis here, the concept remains very vague about the other aspects it cites, for example the duration of the proceedings and the threat of insolvency. In principle, the DSK plans to follow the GDPR with regard to the general conditions for the imposition of fines.
In individual cases, the following circumstances could be taken into account pursuant to Art. 82 para. 2 GDPR: the specific facts, including the number of persons affected and the extent of the damage; intent or negligence, as well as measures taken to mitigate the damage caused; and the degree of responsibility and previous conduct of the controller and commissioned data processors, taking into account the data security measures in place.
Scope
The German DSK limits its concept exclusively to the setting of administrative fines for companies active in Germany and covered by the scope of the GDPR. It is not intended to apply to associations or to natural persons acting outside their economic activity. The concept is also not binding for cross-border cases or for other data protection supervisory authorities in the EU.
Conclusion
The DSK has published a catalogue for categorizing companies as micro, small and medium-sized, or large enterprises. This can be helpful in assessing the economic risk of data protection infringements. However, there is a lack of transparent guidelines regarding the multiplier and the other offender-related circumstances. The assessment basis "annual turnover" must also be viewed critically: turnover is far from being profit.
Although it is useful to be able to give a very rough estimate of potential fines, much remains unclear about how the severity of infringements, offender-related factors and other circumstances will be determined.