European Data Protection Board Adopted Guidelines on the Calculation of Administrative Fines

June 14, 2023

The European Data Protection Board (“EDPB”) has recently adopted the final version of Guidelines on the calculation of administrative fines under the GDPR (“the Guidelines”), which aim to harmonise the methodology data protection authorities (“DPA”) use to calculate fines for infringement of GDPR provisions.

The Guidelines supplement the previously adopted Guidelines on application and calculation of administrative fines under GDPR, which focus on circumstances in which fines are imposed.

As such, the Guidelines represent an important step towards more efficient cooperation among local DPAs on cross-border cases, which is a strategic priority for the EDPB.

GDPR

Under the GDPR, the calculation of fines is at the discretion of the acting authorities, subject to the rules contained in the GDPR.

One of the GDPR requirements in this regard is that the amount of the fine in each individual case be proportionate and efficient, i.e., that it have a dissuasive character, with a series of circumstances taken into account when calculating the fine. Particular consideration is given to the features of the infringement, i.e., seriousness and duration; the character of the perpetrator, i.e., degree of accountability; the number of data subjects and type of personal data; and all other mitigating and aggravating factors.

In addition, the amount of the fine may in no case exceed the maximum established by the GDPR.

In other words, the quantification of the fine is based on an assessment of the specific circumstances of each particular case, within the parameters prescribed by the GDPR.

Guidelines

To this end, the Guidelines set out a five-step methodology:

  • Firstly, it is necessary to identify the processing actions taken in a particular case, and to examine whether the conditions for application of Article 83(3) of the GDPR are met ("If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement").
  • Secondly, it is necessary to identify a starting point for further calculation of the amount of the fine, which is done by classifying the infringement in terms of the GDPR (whether the infringement falls within the provision of Article 83(4) or 83(5) and (6) of the GDPR), and subsequently by assessing the infringement in terms of its nature, seriousness and duration.
  • The third step is the assessment of mitigating and aggravating circumstances in terms of previous or current conduct of the controller and/or processor, including the appropriate increase or reduction of the fine.
  • The fourth step is the identification of the relevant legal maximums of fines for different infringements, given that, as already noted, the established amount of the fine may not exceed the legally prescribed maximum.
  • Finally, it is necessary to analyse whether the established amount of the fine meets the requirements of proportionality and efficiency, i.e., whether it has the mentioned dissuasive character, and the amount of the fine can be adjusted accordingly (of course, without exceeding the legal maximum).

Taken together, the above steps indicate the manner of calculation and the circumstances of each particular case that need to be carefully observed in order for the established fine to have a dissuasive character and to achieve the desired goal. The results of the practical implementation of the Guidelines will certainly be actively and continuously monitored and analysed by the EDPB.

This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.