Franchise

Question of the month – how are fines under the GDPR calculated?

The EDPB has issued guidance on how fines under the GDPR are calculated. Whilst it may not be your first choice in terms of reading material, it does have some interesting things to say on how the behaviour of organisations faced with an enforcement action can better (or worsen!) their position and gives some insight into the workings behind the fines imposed. The EDPB notes that fines are within the discretion of the supervisory authority save to the extent the GDPR sets out rules in relation to them. The EDPB guidance pulls out the following five stages:

  1. Identify the processing operations and evaluate whether there is one or multiple infringements.
  2. Identify the starting point for further calculation of the fine, which involves:
    • Establishing the classification of the infringement (whether it falls within the lower or upper maximum fine).
    • Considering the seriousness of the infringement based on the specific circumstances, looking at the nature, gravity and duration of the infringement(s), taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected, and the level of damage suffered by them. Regard is also given to matters such as whether the infringement was negligent or intentional and the type of personal data involved.
    • Establishing the turnover of the entity (where the EDPB suggests adjustments to be made to the starting amount of the fine in reference to the annual turnover of the entity).
  3. Evaluate the aggravating and mitigating factors relating to the party’s past or present behaviour. The guidance notes that measures taken before a Data Protection Authority (DPA) is involved are more likely to be considered mitigating factors than those taken after. There will be a consideration of the degree to which the entity “did what it was supposed to do” in terms of compliance,   previous infringements, time frame and subject matter, co-operation with the DPA, the way the infringement came to light, adherence to codes of conduct/certification mechanisms and compliance with previous orders relating to the same subject matter as well as other factors. The guidance gives examples of how mitigating and aggravating factors may affect a fine.
  4. Identify the legal maximum for each infringement (this includes some guidance on the term “undertaking” and “turnover”).
  5. Consider whether the amount reached by this analysis meets the requirements of effectiveness, dissuasiveness (having a genuine deterrent effect on the addressee and the world at large) and proportionality (in relation to the severity of the infringement and to the size of the undertaking).

The annex to the guidance provides some useful worked illustrations.

The EDPB states that the calculation of fines is not a mere mathematical exercise but will depend very much on the circumstances of the case. The EDPB confirms in its guidance the need to act early, co-operate and learn from previous infringements in order to put yourself in a better position if faced with an enforcement action.

The full guidance can be found here.

Share:

Facebook
Twitter
Pinterest
LinkedIn

Related Posts

Don't just take our word for it
"We have been working with HelloDPO for several years now and I have always found them to be friendly, approachable and above all professional in their approach. I would have no hesitation in recommending them."
Serena MayDirector, Southern HR Ltd
Serena May
"We have been working with HelloDPO for several years now and I have always found them to be friendly, approachable and above all professional in their approach. I would have no hesitation in recommending them."
Serena MayDirector, Southern HR Ltd
Serena May
“We have worked with Jenai, Alison and the HelloDPO team for over 5 years as our DPO and have found their advice and support invaluable. They are pragmatic and flexible in the advice they provide, and assist in making data protection compliance apply in a corporate environment. Working with them is like having additional members of our team, and the relationship has flourished over time."
Craig SaundersHead of International Privacy, Aetna Global Benefits (UK) Ltd
Craig Saunders
“The team (Jenai and Lisa) provided DPO services and compliance support to our business for over a year, during which they consistently delivered high quality advice and excellent client service. The demands of the hospitality industry are high and HelloDPO adapted to this quickly and seamlessly – they are responsive, knowledgeable, and pragmatic. They are also a pleasure to work with.”
Frasers Hospitality (UK) Ltd
“We have been working with HelloDPO for nearly a year. The team have been great to work with, highly professional and flexible. Most importantly, they have given clear advice and guidance in what is a very complex area. Well done and we look forward to continuing working with you!”
Ruth HidalgoDirector, Chartered Accountants Worldwide
Ruth Hidalgo
“The HelloDPO team have led us patiently through the intricacies of GDPR over the years, helping us to navigate a careful path to ensure understanding of the rules and therefore compliance with them. HelloDPO are a pleasure to work with and I’d have no hesitation in recommending them to others looking for good, commercial advice in this complex area.”
Sanjay PatelFinance Director, Cadogan Group Limited
“We have recently engaged HelloDPO and the team, led by Jenai, has been responsive, practical and generally very helpful when dealing with our data protection queries. We look forward to what’s on track to becoming a great working relationship!”
Federica CozzaniSenior Legal Counsel, Compre Group
Federica Cozzani
“If you’re looking for trustworthy, pragmatic and diligent legal advisors, say Hello(to)DPO! The team has been a great support to Skyscanner on a broad range of privacy and data protection matters, whether advising at a compliance level or on more acute legal issues. You’ll enjoy considerate, timely and helpful advice, provided by professionals with whom it’s a delight to work.”
Gemma WithamDirector of Legal (Privacy), Group Privacy Officer, Sykscanner Limited
Gemma Witham
“Jenai and Emma are amazing to deal with. They strike the right balance between understanding the business needs while doing it’s fiduciary duty to ensure we are on the right track from a legal, ethical and moral perspective. Working with HelloDPO’s guidance over the past 2 years has enabled X-Mode (now known as Outlogic) to be able to navigate complex and at times uncertain waters with GDPR in a strategic and ethical manner.”
Joshua AntonCEO, Outlogic
Joshua Anton
“A great bespoke service, delivered flexibly by absolute experts in a friendly, collaborative and accessible way. I cannot recommend more highly!"
Clare RussellInterim Head of Legal, Vue UK & Ireland
Clare Russell
“HelloDPO have been brilliant at getting our data compliance into shape. We have come such a long way in our ways of working and they are always on hand to help when we have complicated or urgent issues – they have simply become part of the team."
Josh TowbHead of Business Transformation, Jigsaw
Josh Towb
“The HelloDPO team have provided Channel 4 with a wide range of data protection advice over the years. Alison is always delightful to work with, and her advice is pragmatic and set within a commercial context, which is particularly helpful. HelloDPO runs regular DP Confessionals, which provide our team with a valuable wider industry view and a sense of issues which other organisations are struggling with, and the ways in which they are approaching them."
Rebecca MillerChannel 4
Previous
Next

Subscribe to our privacy news and legislation updates

Subscribe now

We are here to make our data-driven world a more equitable and ethical place to live, work, and thrive by pragmatically balancing our clients’ commercial ambitions with every individual’s right to privacy.

Linkedin
Navigation
Legal & compliance
HelloDPO Law Logo
© 2024 HelloDPO. All rights reserved. The use of any material on the website without our prior written consent is strictly prohibited.

Website developed by Bowler Hat

Data Protection; Demystified