In the third and final part of this series of articles, we present Guidelines 04/2022 of the European Data Protection Board (hereinafter: EDPB), from Chapter 4 to Chapter 8.
According to the EDPB guidelines, a general calculation method, or harmonised starting point, can be derived from the GDPR for determining the level of administrative fines. This method takes into account all the individual circumstances of a given case and helps the supervisory authority to determine the required level of the fine, while the authority remains obliged to examine each case individually.
It is important that, in the context of data protection, all the individual circumstances of a breach are assessed when it is investigated, and that ultimately a sanction is imposed which meets the requirements of Article 83(1) of the General Data Protection Regulation (hereinafter “GDPR” or “the Regulation”), i.e. that it is effective, proportionate and dissuasive.
According to the EDPB, there are three factors to consider when determining the calculation base:
- the nature and character of the infringement,
- the gravity of the infringement, and
- the turnover of the undertaking concerned.
The GDPR classifies potential breaches into two main categories depending on their degree of seriousness, distinguishing between less serious and more serious infringements. Infringements that are less serious in nature are punishable under Article 83(4), while the punishment for more serious infringements is set out in Article 83(5) to (6).
In assessing the gravity of the infringement, the supervisory authority should give due regard to the nature, gravity and duration of the infringement; the nature, scope or purpose of the processing concerned; the number of data subjects affected and the level of damage caused to them; the intentional or negligent nature of the infringement; and the categories of personal data affected by the infringement:
- The nature of the infringement – the interest protected by the provision affected by the infringement must be examined.
- The gravity of the infringement is determined according to five criteria – the nature, the scope and the purpose of the processing, the number of data subjects and the level of damage caused. The nature of the processing shows the context of the processing, the types of data processed by the infringer and its role as data controller. Depending on this, we can speak of a more or less serious infringement. If, for example, the infringer committed the infringement by exercising or misusing its supervisory or decision-making powers, and the data subjects suffered the resulting disadvantage, the infringement is deemed more severe. The scope of the processing is assessed by looking at whether the processing took place in a local, national, cross-border or international context. The purpose of the processing leads the supervisory authority to consider whether the activity in the context of which the infringement occurred falls within the core tasks of the controller. The supervisory authority may pay particular attention to the number of data subjects affected, the level of damage and the physical, material or non-material nature of that damage. These two aspects may be relevant if, for example, a large number of data subjects’ interests were harmed, but the extent of the damage is negligible.
- The categories of personal data affected play a significant role. The GDPR identifies categories of personal data that merit special protection.
On this basis, the supervisory authority examines the individual circumstances of each infringement and classifies the case into one of three categories: low, medium or high level of seriousness. Typically, the more serious the infringement, the higher the basis for calculating the fine is likely to be.
The GDPR provides for a corrective factor to be taken into account when determining the starting point for calculating the fine to be imposed – the annual turnover of the undertaking. The principles of EU law justify the application of this correction, as the rules set forth in the GDPR apply to both micro-enterprises and multinational corporations. The supervisory authority may therefore take into account the annual turnover of the undertakings when determining the level of the sanction, as follows:
The GDPR sets out the legal maximum amount of the fines that may be imposed. An administrative fine will be effective, proportionate and dissuasive if the supervisory authority, taking into account all the individual circumstances of the case, tailors the amount on a case-by-case basis within the entire range available up to the legal maximum set out in the Regulation. It is therefore fair for the authorities to differentiate between undertakings on the basis of their size and turnover. If the annual turnover of an undertaking does not exceed €2 million, the calculation may proceed on the basis of an amount as low as 0.2% of the identified starting amount; for annual turnover of €10 million, the calculation may be adjusted to as low as 0.4% of the starting amount; for annual turnover of €50 million or more, to as low as 2%; for annual turnover between €50 and €100 million, to as low as 10%; for annual turnover between €100 million and €250 million, to as low as 20%; and for turnover above €250 million, to as low as 50% of the identified starting amount.
Aggravating and mitigating circumstances
After examining the issues covered so far, the supervisory authority should also take into account certain aggravating and mitigating circumstances as corrective factors. A mitigating circumstance may be the measures taken by the data controller or data processor to mitigate the harm suffered by the data subjects. An aggravating circumstance may arise depending on the degree of responsibility of the controller or processor, or the extent to which it has acted as it “ought to have been expected to act”, i.e. whether it has taken the necessary measures, e.g. technical protection, procedures and protocols, to ensure adequate protection of the data it processes. The existence of a previous infringement, or failure to comply with a previous decision, code of conduct or other procedure, may be taken into account as an aggravating or mitigating circumstance. In this context, however, the time that has elapsed since a prior infringement should also be taken into account: the longer the time between the previous infringement and the infringement currently under investigation, the less relevant it is. Furthermore, it may also be significant whether the previous infringement(s) concern the same or a different subject matter to the one being investigated – it may be relevant whether the infringement is repeated conduct or is independent of the previous action.
The supervisory authority may take a more adverse decision in relation to an incident of non-compliance if the data controller or data processor does not seek to cooperate with the authority to mitigate the consequences of the non-compliance. A more severe qualification may also depend on how the authority became aware of the breach – i.e. whether it was informed by the controller/processor itself or whether the procedure was initiated on the basis of an external notification.
The legal maximum
The GDPR adopts a general EU regulatory approach by not setting a specific amount to sanction an infringement, but by setting a maximum fine that the supervisory authority may impose and must not exceed. These maximums are either static or dynamic amounts. Article 83(4) to (6) provide for static amounts: under Article 83(4) of the GDPR, breaches of the provisions listed therein may be fined up to EUR 10 million, while breaches of the provisions referred to in Article 83(5) and (6) of the GDPR may be fined up to EUR 20 million. For an undertaking, however, the GDPR applies a dynamic calculation that individualizes the amount of the fine based on the undertaking’s annual turnover. In the event of a breach of the provisions of Article 83(4) of the GDPR, a maximum fine of 2% of the total annual turnover of the undertaking in the previous financial year may be imposed if that is higher than the static maximum amount, while Article 83(5) and (6) provide for an amount of 4% of the turnover.
Effectiveness, proportionality and dissuasiveness
The GDPR emphasizes the above principles with the aim of ensuring that the fine in each case is tailored to the specific breach, taking into account all the individual circumstances. The EDPB considers that it is the duty of the supervisory authorities to verify whether the amount of the fine meets these requirements or whether a further adjustment of the amount is necessary. Generally speaking, a sanction is effective if it secures the interest protected by the GDPR, e.g. if it restores the controller’s or processor’s compliance with the GDPR. The dissuasiveness of a fine is achieved if it has a genuine deterrent effect from both an objective and a subjective point of view. It has a general deterrent effect if it dissuades others from committing similar infringements, while it has a specific deterrent effect if it deters the specific actor from committing the same infringement again.
The principle of proportionality requires that the measures taken by the public authorities do not go beyond what is appropriate and necessary to achieve the objectives pursued by the legislation in question. The supervisory authority must pay particular attention to ensuring that the data protection fine imposed is proportionate to the gravity of the infringement and to the annual turnover of the undertaking to which the offending data controller or data processor belongs.
A derivative of the principle of proportionality applies in the case of inability to pay, where the supervisory authority may consider further reducing the fine. However, such a reduction may only apply in very exceptional cases. Objective evidence is required that the imposition of the fine would irretrievably jeopardize the economic viability of the undertaking. The economic viability of the undertaking must be demonstrated by detailed financial data, on the basis of which the authority will assess the future development or viability of the undertaking in terms of solvency, liquidity and profitability. The fine is considered to jeopardize the economic viability of the undertaking if it is likely to result in a significant reduction in the undertaking’s assets, leading to its exit from the market and leaving no alternative way of continuing its operations. The supervisory authority shall also take into account whether the undertaking is operating in an economic environment that is going through a crisis.
The Guidelines outline a general method for the calculation of fines and promote further harmonization and transparency of supervisory authorities’ fining practices. However, this general method is not to be used as an automatic calculation. Consequently, the individual assessment of a fine should always be based on a human assessment of all relevant circumstances of the particular case and should be effective, proportionate and dissuasive in the light of the specific circumstances of the case.
2024.02.22.
Dr. Miklós Péter
dr. Miklós Péter – GDPR lawyer/ dmp@dmp.hu / +36306485521