Conditions for imposing administrative fines – The German Data Protection Authorities’ approach
The GDPR states in Art. 83 GDPR that infringements shall be subject to administrative fines up to 20 000 000 euros, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. In comparison to former German Data Privacy Law, this means an increase by the factor 60. What this also means is that it is harder for the DPAs to determine the “right” administrative fine.
The Calculation Model
According to the press release of the DPA from 16 October 2019, the publication of the concept of how to determine administrative fines is supposed to create more transparency regarding the enforcement of data privacy. Controller and processor should we able to understand decisions of the DPAs better.
The published concept is only applicable to fines against undertakings and is carried out in five steps:
Step 1: The undertaking is categorized according to its annual turnover. In category A are undertakings with an annual turnover of 2 000 000 euros or less, in category B are undertakings with an annual turnover of more than 2 000 000 euros up to 10 000 000 euros. In category C are undertakings with an annual turnover of more than10 000 000 euros up to 50 000 000 euros and in category D are undertakings with an annual turnover of more than 50 000 000 euros. Afterwards the undertaking is categorized more specifically into sub-categories according to their annual turnover (Categories A.I to A.III, B.I to B.III, C.I to C.VII and D.I to D.VII)
The sub-categories sum up to a total of 20 categories according to the annual turnover.
Step 2: Determination of the average annual turnover within the sub-category. In the lowest sub-category A.I with an annual turnover up to 700 000 euros, this initial value is 350 000 euros. In the highest sub-category D.VII with an annual turnover of more than 500 000 000 euros the initial value is the actual annual turnover of the undertaking.
Step 3: Determination of the fundamental factor. In the lowest sub-category A.I, this factor is 972 euros. In the highest sub-category D.VII, this factor is the average daily turnover of the undertaking. To draw a picture, the factor for the second highest sub-category D.VI with an annual turnover over 400 000 000 euros up to 500 000 000 euros sums up to 1 250 000 euros.
Step 4: Multiplication of the fundamental factor with a factor that reflects the severity of the infringement. Because of the different conditions within the GDPR the German Data Protection Authorities distinguish between infringements against formal provisions (Art. 83 (4) GDPR) and against substantive provisions (Art. 83 (5), (6) GDPR). The factors for infringements against formal provisions are 1 to 6, for infringements against substantive provisions 1 to 12.
Step 5: Adjusting the calculation outcome in step 4 according to additional criteria stated in Art. 83 (2) that was not yet taken into account.
It has to be acknowledged that the German DPAs try to create transparency within the calculation of administrative fines. This is especially supposed to ensure equality. Concepts like this one are quite common to determine penalties.
A first assessment
The DPAs’ concept makes very clear what the new level of fines according to GDPR can mean in practice – but not necessarily must mean.
Despite all criticism about the correct order of carrying out the steps of the concept, it has to be said that the concept brings equality both in the lower categories and in the upper categories. In practice the steps 4 and 5 will be a significant role to determine the final administrative fine, because these steps reflect the individual measures and steps that the controller or processor can influence directly. Especially these steps cannot be displayed in a concept but have to be determined case by case.
Article provided by:
Dr. Jens Eckhardt, dmp Derra, Meyer & Partner PartGmbB
Fachanwalt für IT-Recht
Vorstand (Recht) Eurocloud Deutschland _eco e.V.
Nils Steffen, Meyer & Partner PartGmbB
www.datenschutzkonferenz-online.de/media/pm/20191016_pressemitteilung_bußgeldkonzept.pdf (Topical at 10. December 2019)
Concept: www.datenschutzkonferenz-online.de/media/dskb/20191126_dsk_fining_concept_en.pdf (Topical at 10. December 2019)
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
Director CPC project: Dr. Tobias Höllwarth, firstname.lastname@example.org