It has been known for some weeks that, on June 25, 2019, the conference of the independent federal and state data protection supervisory authorities in Germany (DSK) agreed on a new procedure for determining fines against companies that infringe the GDPR. On October 16, 2019, the DSK published the new concept. Although the calculation model provides some certainty about how fines are determined, it also raises further questions.
In order to avoid a growing divergence in the level of fines, Article 70 GDPR provides that the European Data Protection Board (EDPB), the board of the EU Member States' supervisory authorities, is to issue guidelines for a uniform application of the provisions on administrative fines. The EDPB has not yet issued any such guidelines. To ensure that fines are at least consistent within Germany while waiting for the EDPB, the DSK has now developed its own procedure for calculating fines. The DSK procedure is to apply only until a European procedure for calculating fines has been issued.
The decisive legal basis for imposing fines continues to be Art. 83 GDPR, which lists the factors that must be considered when determining a fine. The DSK procedure is closely tied to these factors, and the upper limit of a fine therefore remains EUR 20 million or 4 % of the worldwide annual turnover of the preceding financial year, whichever is higher.
The DSK procedure determines a fine in five steps:
Categorization of the undertaking according to its size: The undertaking concerned is assigned to one of four size categories on the basis of its turnover. Here, the DSK applies the functional definition of an undertaking within the meaning of Articles 101 and 102 TFEU, to which recital 150 GDPR also refers. For affiliated companies, this means that the calculation is based on the worldwide turnover of the whole corporate group.
Ascertaining the average yearly turnover of the relevant size category: The DSK has defined an average yearly turnover for each size category, and that figure, rather than the undertaking's actual turnover, is used in the following steps.
Determination of the basic economic value: The basic value is obtained by dividing the average yearly turnover of the size category to which the undertaking has been assigned by 360 (days), which yields an average daily rate.
Multiplication of the basic value by a factor based on the severity of the infringement: The first part of this step determines the severity of the breach using a points system that takes into account the factors listed in Art. 83 GDPR (such as the nature, duration and scope of the infringement, the degree of responsibility of the controller and any mitigating measures taken). The number of points indicates whether the infringement is to be classified as having a low, average, high or very high degree of gravity. On the basis of that degree of gravity and of the category of infringement (Art. 83 (4) or Art. 83 (5) and (6) GDPR), a factor between 1 and 12 is selected and the daily rate calculated in the previous step is multiplied by it.
Adjustment of the calculated value for circumstances relating to the perpetrator and other circumstances not yet considered: Finally, the authority may adjust the resulting amount to the individual case on the basis of aggravating or mitigating factors that have not yet been taken into account, such as the undertaking's conduct since the infringement or its economic situation.
The new model is very closely linked to the turnover of the corporate group, which is likely to lead to much higher fines in future. For a group with a yearly turnover of EUR 400 - 500 million, for instance, even a slight infringement could lead to a fine of approximately EUR 1.25 million: with an average yearly turnover of EUR 450 million for that size category, the daily rate comes to EUR 1.25 million, and a factor of 1 for a slight infringement leaves it unchanged. In other words, the consequence could be fines that feel disproportionately high. However, antitrust law has determined fines on the basis of group turnover for many years, and the courts regularly consider very high fines not to be disproportionate but rather a legitimate deterrent.
It nevertheless remains to be seen whether the reliance on group turnover will survive judicial review. In contrast to antitrust law, the GDPR distinguishes in its definitions between an individual undertaking and a group of undertakings (see, for example, Art. 4 no. 19 GDPR for the definition of a group of undertakings). Art. 83 GDPR, however, refers only to the turnover of the undertaking, and not to that of the group, when describing how the fine is to be determined. There are therefore good arguments against using group turnover to determine the fine.
Finally, it will be for the courts to decide whether fines calculated using the DSK procedure are lawful, and the courts are not bound by the procedure itself. In antitrust law, the Higher Regional Court of Düsseldorf has already held that courts are not bound by the general calculation model of the Bundeskartellamt [German Federal Cartel Office]. In the worst case, an appeal can even result in a reformatio in peius, i.e. the court imposes a higher fine than the Bundeskartellamt did, and this happens regularly.
Even if a court reduces the fine in an individual case, companies will have to assume considerably higher fines until the case law has settled. Companies are therefore advised to check carefully that all of their data protection compliance measures have been implemented correctly. In addition, companies should identify and make provisions for the potentially higher fine risks; that calculation can now be made much more precisely on the basis of the DSK concept. Companies must also ensure that the increased fine risks are incorporated into their risk management and that corresponding provisions are made, which will affect the company's annual financial statements and net profit (for further information on the effects of the GDPR on annual audits, please see our Newsletter Update Data Protection No. 45).