You would have to have been living under a rock not to have seen some of the significant fines issued since the GDPR came into force (British Airways? Amazon? Meta?), and you may well know that the maximum fine is EUR 20m or 4% of total worldwide annual turnover in the preceding financial year, whichever is higher. But do you know what EU regulators take into account when deciding what fine to impose, and what you could do to help ensure that any potential fine is minimised?
The EDPB has published guidance on how fines under the GDPR are calculated. Whilst it may not be your first choice of reading material, it has some interesting things to say about how the behaviour of an organisation facing enforcement action can improve (or worsen!) its position, and it gives some insight into the workings behind the fines imposed. The EDPB guidance sets out the following five stages:
- Identify the processing operations and evaluate whether there is one infringement or multiple infringements.
- Identify the starting point for further calculation of the fine, which involves:
  - Establishing the classification of the infringement, i.e. whether it falls within the lower (EUR 10 million/2%) or upper (EUR 20 million/4%) maximum fine. Infringements of the basic principles for processing in Article 5 (under which most data-breach fines are imposed, via the integrity and confidentiality principle) and of data subjects' rights, such as failure to comply with DSAR requirements, fall under the upper maximum; infringements of the controller and processor obligations in Articles 25 to 39, such as security measures and breach notification, fall under the lower maximum.
  - Considering the seriousness of the infringement in the specific circumstances, looking at the nature, gravity and duration of the infringement(s) and taking into account the nature, scope or purpose of the processing concerned, the number of data subjects affected and the level of damage suffered by them. Regard is also given to matters such as whether the infringement was negligent or intentional and the categories of personal data involved.
  - Establishing the turnover of the undertaking. The Court of Justice of the European Union has recently confirmed that where the infringing company is part of a group, it is the group's turnover, rather than just the infringing entity's, that is relevant.
- Evaluate the aggravating and mitigating factors relating to the party's past or present behaviour. The guidance notes that measures taken before a Data Protection Authority (DPA) becomes involved are more likely to be treated as mitigating factors than those taken afterwards. Consideration will be given to the degree to which the entity "did what it was supposed to do" in terms of compliance; previous infringements, including their timing and subject matter; co-operation with the DPA; the way the infringement came to light; adherence to codes of conduct or certification mechanisms; compliance with previous orders on the same subject matter; and other relevant factors. The guidance gives examples of how mitigating and aggravating factors may affect a fine.
- Identify the legal maximum for each infringement.
- Consider whether the amount reached by this analysis meets the requirements of effectiveness, dissuasiveness (having a genuine deterrent effect on the addressee and on the world at large) and proportionality (in relation to the severity of the infringement and to the size of the undertaking).
The annex to the guidance provides some useful worked illustrations.
Calculating fines is not just a mathematical exercise; it depends very much on the circumstances of the case. The EDPB highlights the need to act early, co-operate with the DPA and learn from previous infringements in order to put yourself in a better position if faced with enforcement action.
The full guidance can be found here.