28 October 2019
The Conference of the Data Protection Authorities of the Federal Government and the Länder (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, “DSK”) has introduced a five-step process for the calculation of administrative fines imposed on companies (“Model”) to sanction violations against the General Data Protection Regulation (“GDPR”).
The administration of fines in Germany has been little deterrent so far. In the past, German supervisory authorities have not been well known for imposing significantly high fines for data protection violations as opposed to its European colleagues. This may change now. The model gives the German supervisory authorities a unified basis for administering fines for data protection infringements. The model is designed to take into account (i) a company’s size (i.e. its annual turnover) and (ii) the severity of the violation. By specifically linking the assessment of fines to the actual annual turnover of the offending company, fines will increase in contrast to the past. Large companies may expect higher fines also for minor offences.
Under the GDPR, national data protection authorities may sanction GDPR violations by imposing fines of up to EUR 20 million, or up to 4 % of a company’s worldwide turnover. The Model’s goal is to ensure consistent standards for the setting of these fines by German authorities. In particular, the standards are designed to guarantee a fine’s effectiveness and proportionality (esp. with regard to the size of the company and the severity of the violation), and to create a sufficient deterrent effect.
The Model neither applies to natural persons acting in their private (non-commercial) capacity nor to non-profit associations or to cross-border issues. German courts are also not bound by it. Notably, the model ceases to apply, once a final European guideline on the calculation of administrative fines exists. In the meantime, the German supervisory authorities may also decide to alter, extend or revoke the Model.
The DSK provides a forum for the 18 independent German data protection supervisory authorities working on a uniform interpretation and application of national and European data protection law. The results of these consultations are not formally binding; however, they express the German authorities’ understanding of relevant provisions. The administrative enforcement of the GDPR in Germany is largely based on this understanding. It can be assumed that the German supervisory authorities will in future base their fine practice on this Model.
Step 1: Categorization of the offending company according to its annual turnover:
Step 2: Determination of the average annual turnover of the respective category in which the company concerned was classified:
Step 3: Determination of the basic economic value of the company: To determine the basic economic value, the average annual turnover of the category to which the company belongs (step 2) is divided by 360 (days).
Step 4: Multiplication of the basic value depending on the severity of the violation: For this purpose, in accordance with Table below and taking into account the circumstances of the individual case, the severity of the violation and the respective factor by which the basic value is multiplied are determined on the basis of the catalogue of criteria in Art. 83 (2) GDPR. This takes into account, for example, intent or negligence, measures taken to mitigate the effects of the violation, but also the way in which the violation became known to the supervisory authority.
Step 5: Adjustment of the basic value on the basis of all other circumstances - not yet considered in the previous step - in favour of and against the person concerned: These include, for example, a long duration of the proceedings or an imminent insolvency of the company. This will be the hardest criteria to pre-determine for companies as it depends on the circumstances of the individual case.