How are GDPR fines calculated?

EDPB Guidance for DPAs on calculating GDPR fines

Receiving a GDPR fine continues to be the ultimate risk keeping most privacy professionals awake at night. In this article, we unpack how GDPR fines are calculated, provide a list of the factors used by DPAs, and detail a worked example to highlight how an organisation’s response to an infringement can significantly mitigate or aggravate the fine issued by a supervisory authority.

The European Data Protection Board (“EDPB”) has recently issued guidance on how European Data Protection Authorities should go about calculating fines for violations of the EU GDPR. The EDPB had previously issued guidance on the circumstances in which to impose a fine, but detailed guidance on how DPAs should calculate the actual monetary amount has not been available until now. The guidance aims to provide a transparent basis for the harmonised and consistent application of fines by DPAs across the EU.

The EDPB notes that it is not possible to provide a one-size-fits-all, precise mathematical calculation for fines (DPAs have considerable discretion in their application of the guidance), but hopes that the document will provide a common starting point and a harmonised methodology for DPAs to use when making such calculations.

Although the guidance is aimed at the EU DPAs that have the responsibility to determine the value of monetary fines, it gives industry further insight into which factors will likely play into a DPA's determination of a fine, and which factors can be considered mitigating or aggravating. This will be especially useful intelligence for data breach or policy violation response planning and analysis (should the need ever arise), as companies will be able to use the factors detailed here to guide their response and perhaps even mitigate the severest monetary penalties. More proactive companies will be able to use these factors in their risk calculations, guiding investment in mitigations.

Key Takeaways

  • The calculation of fines is the responsibility of the appropriate Supervisory Authority. The EDPB guidance is guidance only.
  • Article 83(1) of the EU GDPR provides the overarching guiding rationale on fines, mandating that fines shall be effective, proportionate and dissuasive for each individual case.
  • Fines can be determined by weighing a variety of factors, details of which are provided in the below tables. Based on an evaluation of these factors, DPAs can determine an infringement to be of a low, medium or high level of seriousness. This evaluation can give rise to a ‘starting point’ fine.
  • DPAs next consider mitigating or aggravating factors, which modulate the ‘starting point’ fine, but can never go beyond the legal maximums under GDPR.
  • Finally DPAs analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality as per Article 83 of the GDPR.

The guidelines are lengthy and extremely detailed. We have distilled the most important information into the figures and tables below:

  • Figure 1: Overview of the fine calculation methodology. Gives a high level overview of how fines are calculated by DPAs
  • Table 1: Factors that determine the level of GDPR fines. All of the factors that the EDPB believe should be weighed by DPAs.
  • Table 2: Illustrative example. An example created by Lucid to illustrate how fines might work in reality and how companies can possibly seek to mitigate the severity of fines if needed. Note: The EDPB strongly notes that it is not possible to provide a precise mathematical calculation for fines (DPAs have considerable discretion in their application of the guidance), and so this example should be taken as illustrative only. It is not possible for businesses to calculate precise fines for specific infringements.

Figure 1: Overview of the fine calculation methodology.

Table 1: Factors that determine the level of GDPR fines (the columns of the original table are Process, Domain and Determining Factors; each domain below lists its determining factors)

Process: Starting Point for calculations

The nature of the processing
  • Business activity, non-profit, political party, etc.
  • Whether the nature of the processing entails higher risks, e.g. where the purpose is to monitor, to evaluate personal aspects, or to take decisions or measures with negative effects for the data subjects.
  • A clear imbalance between the data subjects and the controller (e.g. when the data subjects are employees, pupils or patients), or processing that involves vulnerable data subjects, in particular children.

The scope of the processing
  • The local, national or cross-border scope of the processing carried out.
  • The greater difficulty for the data subject and the supervisory authority to curb unlawful conduct as the scope of the processing increases. The larger the scope of the processing, the more weight the supervisory authority may attribute to this factor.

The purpose of the processing
  • The more central the processing is to the controller's or processor's core activities, the more severe irregularities in this processing will be.

The number of data subjects concretely, but also potentially, affected
  • The higher the number of data subjects involved, the more weight the supervisory authority may attribute to this factor.
  • Whether the infringement takes on "systemic" connotations.
  • The ratio between the number of data subjects affected and the total number of data subjects in that context.

The level of damage suffered
  • Following Recital 75 GDPR, the level of damage suffered refers to physical, material or non-material damage.

The duration of the infringement
  • A supervisory authority may generally attribute more weight to an infringement of longer duration. The longer the duration of the infringement, the more weight the supervisory authority may attribute to this factor.

Intentional or negligent character of the infringement
  • Intent includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas "unintentional" means that there was no intention to cause the infringement, although the controller/processor breached the duty of care required by law.

Categories of personal data affected
  • Types of data covered by Articles 9 and 10 GDPR.
  • Data whose exposure causes immediate damage or distress to the data subject (e.g. location data, data on private communications, national identification numbers, or financial data such as transaction overviews or credit card numbers).

Process: Mitigating and Aggravating Factors

The adoption of appropriate measures to mitigate the damage suffered by the data subjects
  • The measures adopted must be assessed, in particular, with regard to timeliness (the time at which they are implemented by the controller or processor) and their effectiveness. Measures spontaneously implemented before the supervisory authority's investigation becomes known to the controller or processor are more likely to be considered a mitigating factor than measures implemented after that moment.

Degree of responsibility of the controller or processor
  • The extent to which the controller "did what it could be expected to do" given the nature, the purposes or the size of the processing, seen in light of the obligations imposed on it by the Regulation.
  • Whether the data in question was directly identifiable and/or available without technical protection. Only in exceptional circumstances, where the controller or processor has gone above and beyond the obligations imposed upon it, will this be considered a mitigating factor.

Previous infringements by the controller or processor
  • According to Article 83(2)(e) GDPR, any relevant previous infringements committed by the controller or processor must be considered when deciding whether to impose an administrative fine and when deciding on its amount.
  • The point in time at which the prior infringement took place: the longer the time between a previous infringement and the infringement currently being investigated, the lower its significance. Infringements of the GDPR, being more recent, must be considered more relevant than infringements of the national provisions adopted to implement Directive 95/46/EC (if national law allows such infringements to be taken into account by the supervisory authority).
  • Infringements of the same subject matter must be given more significance, as they are closer to the infringement currently under investigation, especially where the controller or processor previously committed the same infringement (repeated infringements).

Degree of cooperation with the supervisory authority
  • Lack of cooperation may lead to the application of the fine provided for in Article 83(4)(a) GDPR. The ordinary duty of cooperation is mandatory and should therefore be considered neutral (not a mitigating factor).
  • However, where cooperation with the supervisory authority has had the effect of limiting or avoiding negative consequences for the rights of individuals that might otherwise have occurred, the supervisory authority may consider this a mitigating factor in the sense of Article 83(2)(f) GDPR.

The manner in which the infringement became known to the supervisory authority
  • Whether, and if so to what extent, the controller or processor notified the infringement of its own motion, before the infringement was known to the supervisory authority.
  • This circumstance is not relevant when the controller is subject to specific notification obligations (such as in the case of personal data breaches under Articles 33 and 34).

Compliance with measures previously ordered with regard to the same subject matter
  • Article 83(2)(i) GDPR states that “where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures” must be considered when deciding whether to impose an administrative fine and when deciding on its amount.

Adherence to approved codes of conduct or approved certification mechanisms
  • Adherence to codes of conduct pursuant to Article 40 GDPR or to approved certification mechanisms pursuant to Article 42 GDPR may be a relevant factor in deciding whether to impose a fine, and in deciding the amount of the administrative fine.

Process: Effective, Proportionate, Dissuasive

Effectiveness
  • Generally speaking, a fine can be considered effective if it achieves the objectives for which it was imposed. This could be to re-establish compliance with the rules, to punish unlawful behaviour, or both.

Proportionate
  • The supervisory authority shall verify that the amount of the fine is proportionate both to the severity of the infringement and to the size of the undertaking to which the entity that committed the infringement belongs.
  • The fine imposed shall not exceed what is necessary to achieve the objectives pursued by the GDPR.
  • The supervisory authority may consider, in accordance with national law, further reducing the fine on the basis of the principle of inability to pay. There has to be objective evidence that the imposition of the fine would irretrievably jeopardise the economic viability of the undertaking concerned.

Dissuasive
  • A dissuasive fine is one that has a genuine deterrent effect. In that respect, a distinction can be made between general deterrence (discouraging others from committing the same infringement in the future) and specific deterrence (discouraging the addressee of the fine from committing the same infringement again). When imposing a fine, the supervisory authority takes into account both general and specific deterrence.

ILLUSTRATIVE EXAMPLE (HYPOTHETICAL FROM LUCID):

1. The Context of the Infringement

The company 

  • US based ad tech company with global revenue approx. €90 Million

The infringement(s)

  • Processing Special Category Data without satisfying the requirements in Article 9 of the GDPR. 

  • This is therefore a higher-level infringement under Article 83(5).

The context of the processing 

  • Processing involves monitoring of data subjects including location data and online behaviours that includes special categories of data.

  • Data may relate to vulnerable groups due to possible special categories of data being involved (health locations for example). 

  • The processing involves cross-border transfers of data from the EU to the US.

  • The infringement is central to the processing operations of the company and the infringement takes on "systemic" connotations  

  • Processing relates to 1 million+ data subjects monthly, which accounts for all data subjects involved in the processing.

  • Infringement has been ongoing for many years.

  • No intention to cause the infringement - the controller had resources in place to manage privacy operations but had misunderstood the nature of the processing obligations in Article 9 of the GDPR.

  • Evidence of serious distress caused to certain individuals (for example data subject’s family and colleagues were able to see ads served about highly sensitive and embarrassing health conditions).   

2. Calculate a starting point

  • Nature, gravity and duration of the infringement: Serious
  • Negligent or intentional character: Not intentional, but negligent
  • Categories of data and data subjects: Highly sensitive and special category
  • Seriousness of the infringement: High
  • Example starting point determination: 80% of the legal maximum (€20 million under the EU GDPR or 4% of annual global turnover)
  • Starting point fine: €16 million

3. Adjust based on turnover

  • Turnover: €90 million
  • Adjustment: 10% of the starting point (turnover is between €50 and €100 million)
  • Adjusted starting point: €1.6 million

4. Mitigating and aggravating factors. Here we provide two example responses to the infringement, to illustrate how the actions of a company can mitigate or aggravate the DPA response.

Key:
  • Mitigates the fine
  • Neutral - has no effect
  • Aggravates the fine

The adoption of appropriate measures to mitigate the damage suffered by the data subjects
  • Response 1: The company became aware of the infringement during the course of its own privacy management programme and put in place measures to mitigate damage prior to the commencement of the supervisory authority’s investigation.
  • Response 2: The company begins to put in place measures to mitigate damage only after the supervisory authority makes contact.

Degree of responsibility of the controller or processor
  • Response 1: The controller had in place a privacy management programme but was negligent in its understanding of Article 9 obligations. Data involved is pseudonymised but by design singles out individuals.
  • Response 2: The controller had in place a privacy management programme but was negligent in its understanding of Article 9 obligations. Data involved is pseudonymised but by design singles out individuals.

Previous infringements by the controller or processor
  • Response 1: No previous infringements.
  • Response 2: The company has been subject to previous investigation and enforcement action by the supervisory authority, within the last 5 years, for a different violation.

Degree of cooperation with the supervisory authority
  • Response 1: Cooperates fully, transparently and in a timely manner with the supervisory authority.
  • Response 2: Internal processes mean that the response is delayed and contains inaccuracies. Lack of care and transparency in the response.

The manner in which the infringement became known to the supervisory authority
  • Response 1: The company notified the supervisory authority when it became aware of the infringement.
  • Response 2: The company did not notify the supervisory authority.

Compliance with measures previously ordered with regard to the same subject matter
  • Response 1: NA
  • Response 2: Company complied with previous orders from the supervisory authority.

Adherence to approved codes of conduct or approved certification mechanisms
  • Response 1: NA (no relevant codes of conduct pursuant to Article 40 GDPR or approved certification mechanisms pursuant to Article 42 GDPR)
  • Response 2: NA (no relevant codes of conduct pursuant to Article 40 GDPR or approved certification mechanisms pursuant to Article 42 GDPR)

EFFECT ON FINE (example only - this will depend on the specific DPA’s assessment)
  • Response 1: Fine reduced to €160,000
  • Response 2: Fine increased to €3 million

5. Final Determination. We continue our example here with the final determination of the fine by checking that the fine is effective, proportionate and dissuasive. In reality, at this stage DPAs will have substantial leeway to tailor the fine based on their own judgement, and this will again depend on the specific posture of the particular DPA - some are more aggressive than others.

Effectiveness
  • Response 1: The fine of €160,000 is effective because it re-establishes compliance with the rules and punishes unlawful behaviour.
  • Response 2: The fine of €3 million is effective because it re-establishes compliance with the rules and punishes unlawful behaviour.

Proportionate
  • Response 1: The fine of €160,000 for an entity with turnover of €90 million may not be proportionate to the size of the entity and the severity of the infringement, as it is on the low side. The fine does not exceed the legal maximum under GDPR. The undertaking does not have a legitimate inability to pay the fine.
  • Response 2: The fine of €3 million for an entity with turnover of €90 million may not be proportionate to the size of the entity, as it is on the high side. The fine does not exceed the legal maximum under GDPR, but is very close to the legal maximum. The company presents legitimate evidence that the size of the fine will have a serious impact on the financial viability of the company, and that there may be issues with ability to pay.

Dissuasive
  • Response 1: The fine of €160,000 for an entity with turnover of €90 million may not be sufficiently dissuasive for other similar-sized entities.
  • Response 2: The fine of €3 million for an entity with turnover of €90 million is likely to be sufficiently dissuasive for other similar-sized entities.

EFFECT ON FINE
  • Response 1: Fine increased slightly to make it more proportionate to the entity and dissuasive.
  • Response 2: Fine decreased based on proportionality and the legitimate financial difficulties that such a fine would cause.

FINAL FINE
  • Response 1: €200,000
  • Response 2: €2 million

Conclusion

In practice it is not possible for companies to accurately calculate GDPR fines that they believe are fair and appropriate. This remains the sole responsibility of the applicable supervisory authority. However, this illustrative example gives an insight into the type of factors that companies can consider when planning responses to GDPR violations.

In our example case, the contrasting actions of the two company responses have changed our example fine by a factor of ten, highlighting the importance of proper privacy management and an effective and transparent organisational privacy culture. It is our experience that supervisory authorities are generally fair and act in good faith towards companies who are subject to investigation and possible enforcement action. Regulators will expect this approach to be reciprocated and will most likely err on the side of leniency for companies who are open, transparent, cooperative and proactive in their response to policy infringements.