The European Data Protection Board (hereafter ‘EDPB’) has published Guidelines for the calculation of fines under the General Data Protection Regulation (GDPR). In a series of six articles, we will explain the key topics of the guidelines and what companies can learn from them.
European supervisory authorities’ varying practices of calculating GDPR administrative fines can be viewed, on the one hand, as inconsistent and in conflict with the principle of uniform interpretation and application of the GDPR in general, and of uniform sanctions for GDPR infringements in particular, as enshrined in GDPR recitals 10, 11 and 13.
On the other hand, European supervisory authorities’ practices of calculating administrative fines can be viewed as consistent and in harmony with the GDPR requirement to impose fines that in each individual case (1) are effective, proportionate and dissuasive, as required in GDPR article 83(1), (2) give due regard to the circumstances of each individual case, as required in GDPR article 83(2), and (3) do not exceed the maximum amounts provided for in GDPR articles 83(4), (5) and (6).
The quantification of the amount of the fine is based on a specific evaluation carried out in each case, and the calculation of the amount of the fine is at the discretion of the supervisory authority, subject to the rules provided for in the GDPR. Nevertheless, the EDPB has used its power under GDPR article 70(1)(e) to issue two Guidelines. In accordance with GDPR article 70(1)(k), they are meant to encourage consistent application of the GDPR by supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83.
The two Guidelines are (1) “Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253)”, and (2) “Guidelines 04/2022 on the calculation of administrative fines under the GDPR (version 1.0)”. The former guideline focuses on the circumstances in which supervisory authorities impose a fine, whilst the latter guideline focuses on the methodology to harmonise supervisory authorities’ calculation of the amount of the fine. The latter guidelines were adopted on 12 May 2022 and are open for public consultation from 16 May 2022 to 27 June 2022. The two sets of Guidelines are applicable simultaneously and should be seen as complementary.
The EDPB intends these Guidelines for use by the supervisory authorities to ensure a consistent application and enforcement of the GDPR. The aim of these Guidelines is to create a harmonised starting point as a common orientation, on the basis of which the calculation of administrative fines in individual cases can be carried out. The Guidelines emphasise that the final amount of the fine depends on all the circumstances of the case. The EDPB therefore envisages harmonisation on the starting points and methodology used to calculate a fine, rather than harmonisation on the outcome.
The EDPB has developed a methodology consisting of five steps for calculating administrative fines for breaches of the GDPR, as illustrated below. We will present each of the five steps in separate blog posts.