German authorities publish a new system for calculating data protection fines

Share on linkedin
Share on email
Share on whatsapp
Share on facebook
Share on twitter

The Conference of the German Independent Data Protection Supervisory Authorities (German Datenschutzkonferenz or DSK) recently published a new system for calculating administrative fines imposed under the GDPR.

The German model involves a certain degree of complexity and includes the following five steps for calculating data protection fines:

  • Assigning the company to a group based on its size
  • Determination of the average annual turnover of the company according to its group
  • Calculation of the daily rate
  • Multiplication of the daily rate according to the severity of the infringement
  • Classification of the infringement

1.Assignment the company to a group based on its size

The offending company is classified into one of four possible groups: (A) micro, (B) small, (C) medium, or (D) large enterprise. At the same time, the company will be assigned a subcategory in order to ensure that the classification is as accurate as possible.

This classification will be made based on the company’s worldwide turnover in the previous year. It is important to point out that, for groups of companies, the concept of company will comprise the entire economic entity. Ultimately, for the calculation, the concept of a group of companies as provided by the European Union’s antitrust legislation will be used.

2.Determination of the average annual turnover of the company according to its group

In addition, the Conference of Authorities will determine the company’s average annual turnover. For this, a fixed amount is allocated based on the subgroup to which the company has been assigned, providing that the turnover in the previous year was less than €500,000.

If the turnover exceeded that amount, the percentages provided for data protection fines in Article 83 of the GDPR will be applied directly, which are 2% or 4% of the turnover.

3.Calculation of the daily rate

In order to calculate the daily rate or daily quota, the average annual turnover, which was obtained in the previous step, is divided by 360.

4. Multiplication of the daily rate according to the severity of the infringement

The circumstances of each case are used to classify the severity of the infraction as minor, medium, severe, or very severe.

The multiplier is obtained depending on whether the infraction was technical (Art. 83.4 GDPR) or material (Art. 83.5 and 6 GDPR).

Examples of technical infractions are the lack of formalisation of the contract of data controllers and processors, the violation of privacy by design and by default, the lack of designation of a DPO, etc.

Among the material infractions are found breaches of the rights of the interested parties or infringements of the basis of the legitimisation of the processing of personal data.

In short, the daily quota must be multiplied by the multiplier factor obtained, which will result in a range. Once this range is obtained, the average will be calculated, which will be the basis for the calculation of the final data protection fine.

5. Classification of the infringement

In this last step, the nature of the infraction, the consequences on the interested parties, the number of affected parties, the extent of the damage suffered, and so on will be taken into account.

The consequences of this new system are expected to impose much higher penalties on companies since the calculation of the annual turnover has an upward trend.

Additionally, experts question if this profit-based model to calculate data protection fines is proportional. This system may eventually be taken to court.

Share this article

Share

Share on linkedin
Share on email
Share on whatsapp
Share on facebook
Share on twitter

Article written by

Lisa Hoffman

Chief of Legal Operations at Pridatect and certified data protection officer

Related articles

Newsletter

Would you like to receive regular updates on data protection and GDPR? Subscribe to our newsletter and you will be the first to receive our new blog articles, webinars and ebooks.

Free Webinars