EDPB Adopts Guidelines on the Calculation of Administrative Fines

On June 7, 2023, the European Data Protection Board (“EDPB”) adopted the final version of its Guidelines on the calculation of administrative fines under the GDPR (the “Guidelines”). Through the Guidelines, the EDPB intends to harmonize the methodology used by supervisory authorities (“SA”) to calculate fines.

The EDPB maintained the five-step methodology previously included in the public consultation version of the Guidelines, composed of the following steps: 1) identify the processing operations in the case and evaluate the application of Article 83(3) of the GDPR; 2) identify the starting point for further calculation of the fine amount; 3) evaluate aggravating and mitigating circumstances related to past/present behavior of the controller/processor; 4) identify the legal maximum(s) for the infringement(s) and corporate liability; and 5) assess the effectiveness, proportionality and dissuasiveness of the fine (and increase or decrease it accordingly). A step-by-step analysis of the methodology can be found here. The EDPB clarified that this methodology should not be misunderstood as a form of automatic or arithmetical calculation; a human assessment of all relevant facts and circumstances at hand must always be conducted.

While the final version of the Guidelines remains generally aligned with the public consultation version, it is important to highlight a few key amendments. In particular, the EDPB introduced changes in how the size of an organization is considered in defining the starting amount for calculating fines (the starting amount being the figure calculated based on factors such as the nature of the violations and their seriousness in accordance with the five-step methodology). Full details of how the size of the organization can adjust the starting amount can be found in the Annex of the Guidelines but by way of example:

  • For organizations with an annual turnover €2 million, the SA may consider to proceed calculations on the basis of a sum between 0.2% and 0.4% of the identified starting amount; and
  • For organizations with an annual turnover of between €250 million and €500 million, the SA may consider to proceed calculations on the basis of a sum between 40% and 100% of the identified starting amount.

The Guidelines also include two detailed examples of applying such calculations in the Annex, along with several other examples throughout the Guidelines.

Read the Guidelines.
