Violations of existing data protection regulations may become considerably more expensive for companies in the future. The European Data Protection Board (EDPB, abbreviated ESDA in German) has adopted a new model for calculating fines. Large, high-revenue companies in particular will be affected.

The ESDA, the joint body of the European data protection authorities, published a resolution on the calculation of fines for data protection violations on May 12, 2022. The 40-page concept is intended to standardize fines for GDPR violations across the European Union and the European Economic Area. But what exactly does this look like in practice, and what does the concept mean for companies?

Data protection violations: What applied until now

The idea of a fine concept for data protection violations is not new. Back in 2019, the German data protection authorities presented a model for calculating GDPR fines. However, it applied only to companies based in Germany. Similar concepts existed in other European countries.

This led to a discrepancy, sometimes a considerable one, in how data protection violations were punished. While some member states imposed rather low fines, companies in other countries had to pay fines in the double- or triple-digit millions for comparable violations.

Europe-wide standardization of fines

This is now to come to an end. The document, presented under the title “Guidelines on the calculation of administrative fines under the GDPR”, replaces the fine concepts at the national level.

In the future, all data protection authorities of European member states will have to apply the EU concept when imposing GDPR fines.

How exactly does the procedure work?

The EU approach provides for a 5-step review of the data protection breach. First, it must be determined which conduct is to be sanctioned. Then, the authority assesses the severity of the violation and determines a starting amount for the fine. This starting amount is derived from the applicable statutory maximum amount as follows:

Violation of minor severity: starting amount between 0 and 10 percent of the statutory maximum amount.
Violation of medium severity: starting amount between 10 and 20 percent of the statutory maximum amount.
Serious violation: starting amount between 20 and 100 percent of the statutory maximum amount.

The company's turnover is also relevant: the higher the turnover, the higher the final fine. In the next step, the data protection authority checks whether there are aggravating or mitigating circumstances and whether the statutory maximum amounts have been respected. Finally, it assesses whether the resulting amount is effective, proportionate and, above all, dissuasive.

The bigger, the more expensive: these companies are affected

There is no doubt that companies with high turnover are the most affected by the new EU approach. While companies with annual sales of less than EUR 2 million only have to pay 0.2 percent of the starting amount, companies with annual sales of more than EUR 250 million face a fine of at least 50 percent of the starting amount. This difference leads to significantly higher fines, especially in member states that have previously imposed rather low GDPR fines.

However, the ESDA grants the European data protection authorities room for maneuver. According to the board, the fine calculation should always be based on the specific circumstances of the individual case and should by no means be a “purely mathematical process.”

How should data protection officers and companies respond?

Data protection officers should inform their company comprehensively about the new decision and the associated change in risk, so that appropriate defense and avoidance strategies can be developed in good time. To make matters worse, under the new ESDA guidelines companies are directly liable for any acts or omissions of their representatives.

For this reason, it is essential, especially for high-turnover corporations, to formulate concrete recommendations for action for employees in order to minimize the risk of a high GDPR fine.
