On the 16 May 2022, the European Data Protection Board (EDPB) published for public consultation its Guidelines 04/2022 on the calculation of administrative fines under the GDPR, which were adopted on the last Plenary meeting of the Board. After the public consultation, which is to be open until 27 June 2022, a final version of the Guidelines will be adopted taking into account the feedback from the consultation. The Board welcomes any comments on Guidelines 04/2022 on the calculation of administrative fines under the GDPR.
The aim of the guidelines is to harmonize the methodology, used by data protection authorities. The document also includes harmonized „starting points” for calculating a fine. In doing so, three elements are evaluated: classification of the infringement, the seriousness of the infringement and the turnover of the undertaking.
The Chair of the EDPB, Andrea Jelinek, states: „From now on, the EEA data protection authorities will follow the same methodology for calculating fines. This will further enhance harmonization and transparency of the case law of the authorities. The individual circumstances of a case must always be a determining factor and the authorities have an important role to play in ensuring that any fine is effective, proportionate and dissuasive.”
The Guidelines determine the methodology on calculation in five steps.
Firstly, the data protection authorities must establish whether the case in question concerns one or more cases of sanctioned conduct and whether they have led to one or more infringements. The aim is to clarify whether all or only some of the violations can be fined.
Second, the authorities must find the starting point for further calculation, for which a harmonized method is provided by the Board.
Third, evaluating aggravating and mitigating circumstances, which can lead to increasing or decreasing the fine accordingly.
Fourth, identifying the relevant legal maximums in accordance with art. 83, para 4-6 of the GDPR for the different processing operations and make sure that this amount will not be exceeded.
In the fifth and last step, authorities should analyze whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, or correction of the amount is to be made.
The guidelines are an important addition to the framework, which the European Data Protection Board is building for more effective cooperation between data protection authorities in cross-border cases, which is a strategic priority of the Board.
The guidelines have been submitted for public consultation for a period of 6 weeks – until 27 June, 2022.
