Violations of existing data protection regulations can in future be more expensive than before. The European Data Protection Board (ESDA for short) has developed a new model for calculating fines. Large and high-revenue companies are particularly affected.
On May 12, 2022, the ESDA - the joint coordination body of the European data protection authorities - published a resolution on the calculation of fines for data protection violations. The 40-page concept is intended to standardize fines for GDPR violations in the European Union and the European Economic Area. But what exactly does this look like in practice and what does the concept mean for companies?
Data protection violations: how fines were handled until now
The idea of a concept for fines for data protection violations is not new. Back in 2019, the German data protection authorities presented a model for calculating GDPR fines. However, it only applied to companies based in Germany. Similar concepts also existed in other European countries.
This led to a - sometimes considerable - discrepancy in how data protection violations were punished. While some member states imposed rather low fines, companies in other countries had to pay fines in the double- or triple-digit million range for comparable violations.
Europe-wide standardization of fines
But this is now set to end. The document presented under the title "Guidelines on the calculation of administrative fines under the GDPR" replaces the national-level fine models.
In future, all data protection authorities in the European member states will have to apply the EU approach when imposing GDPR fines.
How exactly does the procedure work?
The EU concept provides for a five-step review of the data protection breach. The first step is to determine which conduct is to be sanctioned. The authority then assesses the severity of the breach and sets an initial amount for the fine. This initial amount is based on the applicable statutory maximum and is calculated as follows:
- Violation of minor severity: Initial amount between 0 and 10 percent of the statutory maximum amount
- Violation of medium severity: Initial amount between 10 and 20 percent of the statutory maximum amount
- Serious violations: Initial amount between 20 and 100 percent of the statutory maximum amount
The company's turnover is also important: the higher the turnover, the higher the final fine. In the next step, the data protection authority checks whether there are aggravating or mitigating circumstances and whether the statutory maximum amounts have been complied with. Finally, it checks whether the resulting amount is effective, proportionate and, above all, dissuasive.
The bigger, the more expensive: these companies are affected
There is no doubt that companies with high turnover are the most affected by the new EU concept. While companies with an annual turnover of less than EUR 2 million only have to pay 0.2 percent of the initial amount, companies with an annual turnover of more than EUR 250 million face a fine of at least 50 percent of the initial amount. This difference leads to significantly higher fines, especially in member states that have previously imposed rather low GDPR fines.
However, the ESDA allows the European data protection authorities room for maneuver. The calculation of fines should always be based on the specific circumstances of the individual case and should by no means be a "purely mathematical process", according to the committee.
How should data protection officers and companies react?
Data protection officers should inform their company comprehensively about the new decision and the changed risk it brings. In this way, appropriate defense and avoidance strategies can be developed in good time. To make matters worse, the new ESDA guidelines make companies directly liable for all acts or omissions of their representatives.
For this reason, it is essential - especially for companies with high turnover - to formulate specific recommendations for employees in order to minimize the risk of a high GDPR fine.