Listen
to
this
post
On
June
7,
2023,
the
European
Data
Protection
Board
(“EDPB”)
adopted
the
final
version
of
its
Guidelines
on
the
calculation
of
administrative
fines
under
the
GDPR
(the
“Guidelines”).
Through
the
Guidelines,
the
EDPB
intends
to
harmonize
the
methodology
used
by
supervisory
authorities
(“SA”)
to
calculate
fines.
The
EDPB
maintained
the
five-step
methodology
previously
included
in
the
public
consultation
version
of
the
Guidelines,
composed
of
the
following
steps:
1)
identify
the
processing
operations
in
the
case
and
evaluate
the
application
of
Article
83(3)
of
the
GDPR;
2)
identify
the
starting
point
for
further
calculation
of
the
fine
amount;
3)
evaluate
aggravating
and
mitigating
circumstances
related
to
past/present
behavior
of
the
controller/processor;
4)
identify
the
legal
maximum(s)
for
the
infringement(s)
and
corporate
liability
and;
5)
assess
the
effectiveness,
proportionality
and
dissuasiveness
of
the
fine
(and
increase
or
decrease
it
accordingly).
A
step-by-step
analysis
of
the
methodology
can
be
found
here.
The
EDPB
clarified
that
this
methodology
should
not
be
misunderstood
as
a
form
of
automatic
or
arithmetical
calculation;
a
human
assessment
of
all
relevant
facts
and
circumstances
at
hand
must
always
be
conducted.
While
the
final
version
of
the
Guidelines
remains
generally
aligned
with
the
public
consultation
version,
it
is
important
to
highlight
a
few
key
amendments.
In
particular,
the
EDPB
introduced
changes
in
how
the
size
of
an
organization
is
considered
in
defining
the
starting
amount
for
calculating
fines
(the
starting
amount
being
the
figure
calculated
based
on
factors
such
as
the
nature
of
the
violations
and
their
seriousness
in
accordance
with
the
five-step
methodology).
Full
details
of
how
the
size
of
the
organization
can
adjust
the
starting
amount
can
be
found
in
the
Annex
of
the
Guidelines
but
by
way
of
example:
-
For
organizations
with
an
annual
turnover
≤
€2
million,
the
SA
may
consider
to
proceed
calculations
on
the
basis
of
a
sum
between
0.2%
and
0.4%
of
the
identified
starting
amount;
and -
For
organizations
with
an
annual
turnover
of
between
€250
million
and
€500
million,
the
SA
may
consider
to
proceed
calculations
on
the
basis
of
a
sum
between
40%
and
100%
of
the
identified
starting
amount.
The
Guidelines
also
include
two
detailed
examples
of
applying
such
calculations
in
the
Annex,
along
with
several
other
examples
throughout
the
Guidelines.
Read
the
Guidelines.