The Conference of the German Independent Data Protection Supervisory Authorities (German Datenschutzkonferenz or DSK) recently published a new system for calculating administrative fines imposed under the GDPR.
The German model involves a certain degree of complexity and includes the following five steps for calculating data protection fines:
- Assigning the company to a group based on its size
- Determination of the average annual turnover of the company according to its group
- Calculation of the daily rate
- Multiplication of the daily rate according to the severity of the infringement
- Classification of the infringement
1. Assignment of the company to a group based on its size
The offending company is classified into one of four possible groups: (A) micro, (B) small, (C) medium, or (D) large enterprise. At the same time, the company will be assigned a subcategory in order to ensure that the classification is as accurate as possible.
This classification will be made based on the company’s worldwide turnover in the previous year. It is important to point out that, for groups of companies, the concept of company will comprise the entire economic entity. Ultimately, for the calculation, the concept of a group of companies as provided by the European Union’s antitrust legislation will be used.
2. Determination of the average annual turnover of the company according to its group
In addition, the Conference of Authorities will determine the company's average annual turnover. For this, a fixed amount is allocated based on the subgroup to which the company has been assigned, provided that the turnover in the previous year was less than €500,000.
If the turnover exceeded that amount, the percentages provided for data protection fines in Article 83 of the GDPR will be applied directly, which are 2% or 4% of the turnover.
3. Calculation of the daily rate
In order to calculate the daily rate or daily quota, the average annual turnover, which was obtained in the previous step, is divided by 360.
4. Multiplication of the daily rate according to the severity of the infringement
The circumstances of each case are used to classify the severity of the infraction as minor, medium, severe, or very severe.
The multiplier is obtained depending on whether the infraction was technical (Art. 83.4 GDPR) or material (Art. 83.5 and 6 GDPR).
Examples of technical infractions are the lack of formalisation of the contract of data controllers and processors, the violation of privacy by design and by default, the lack of designation of a DPO, etc.
Material infractions include breaches of the rights of data subjects (the interested parties) and infringements of the legal basis for the processing of personal data.
In short, the daily quota is multiplied by the multiplier factor obtained, which yields a range. The average of this range is then calculated and serves as the basis for the final data protection fine.
5. Classification of the infringement
In this last step, the nature of the infraction, the consequences on the interested parties, the number of affected parties, the extent of the damage suffered, and so on will be taken into account.
This new system is expected to result in much higher penalties for companies, since the turnover-based calculation tends to push the resulting amounts upward.
Additionally, experts question if this profit-based model to calculate data protection fines is proportional. This system may eventually be taken to court.