The administrative fines that have been imposed by the different European supervisory authorities since the GDPR took effect vary enormously. While the highest administrative fines imposed by the German authorities to date have been EUR 20,000 and EUR 80,000 and have therefore remained well below the possible maximum fine of EUR 20 million or 4 % of worldwide annual turnover, other countries’ supervisory authorities have already delivered higher fines. The Portuguese authority has issued a EUR 400,000 fine against a hospital and the French supervisory authority has just imposed a EUR 50 million fine against Google. A fine of EUR 219,500 has been issued in Poland.
In order to avoid a growing divergence in the level of fines imposed, Article 70 of the GDPR stipulates that the European Data Protection Board, the board of EU Member States’ supervisory authorities, will issue guidelines for a uniform application of the administrative fine provisions. The GDPR itself only provides in relation to administrative fines that these should, among other things, be dissuasive in nature. Otherwise, it is at the discretion of the relevant authority to decide the level of the administrative fine, depending on the nature, seriousness, extent and circumstances of the infringement and the financial means of the controller. However, the action plan of the European Data Protection Board for 2019-20 does not include any guidelines pertaining to the calculation of administrative fines.
In order to counteract different and potentially arbitrary fines, at least at a national level, the Dutch supervisory authority has now issued guideline values for administrative fines under the GDPR. To that end, it has classified infringements of GDPR provisions into four categories depending on how serious it determines the infringement to be. It has set levels for each fine category, including an average basic fine amount which should serve as the starting point for calculating the fine. Depending on the nature, seriousness and extent of the infringement, the authority is able to adjust the basic amount of the fine down to the minimum level or up to the maximum. In exceptional cases the authority may also depart from the category completely if no appropriate penalty can otherwise be guaranteed. In the case of a repeat infringement within five years in the same or similar circumstances, the administrative fine should generally be increased by 50 %.
It is striking that the maximum fine level is set at EUR 1 million. The fine level of up to EUR 20 million or 4 % of worldwide annual turnover provided for under the GDPR is therefore by no means exhausted. Consequently, in order to impose a fine higher than EUR 1 million on a controller, the supervisory authority must always give reasons for any exception, even where this concerns a serious infringement. In practice, this will certainly reduce instances of fines over EUR 1 million.
Infringements of the provisions concerning the processing of special categories of personal data and automated decision-making fall into the highest category, for which the basic fine level is EUR 725,000.
The second-highest category, with a basic fine level of EUR 525,000, which can be increased to EUR 750,000 or reduced to EUR 300,000, includes infringements of obligations under Articles 13 and 14 to provide information, the safeguarding of the rights of data subjects along with the unlawful transfer of data to third countries and an infringement of notification obligations in the event of a breach of data protection.
On the other hand, in a business-friendly move, structural infringements, such as the infringement of the processing record or of technical and organizational measures, only fall into the third-highest category, which stipulates a basic fine level of EUR 310,000, which can be increased to EUR 500,000 or reduced to EUR 120,000.
Although the multiplicity of data protection authorities in Germany increases the risk of disparate fines, the German Data Protection Conference so far appears unwilling to draw up guidelines for setting administrative fines, but instead refers to the European Data Protection Board to that end.
However, it is probable that German data protection authorities will adopt the guideline levels and fines already imposed by foreign data protection authorities as guidance when setting the level of their administrative fines. Given that foreign authorities are clearly imposing stricter standards – even the moderate amounts in the Netherlands are several times higher than the highest fines imposed in Germany to date – it is to be expected that the German authorities will follow suit in future decisions about fines and will likewise raise the level of these in order not to appear too lax compared with their European colleagues.
It is therefore recommended to use the ongoing grace period offered by the German authorities to ensure that internal procedures are compliant with the GDPR and thus avoid an increased fine in the event of a report or inspection.