GDPR-fines-what-processing-operation-and-infringements-to-base-the-fines-on

GDPR Fines: A Graphic Calculation Guide – Part 2


Your contacts

The European Data Protection Board (hereafter ‘EDPB’) has published Guidelines for the calculation of fines under the General Data Protection Regulation (GDPR). In this part 2 of a series of six articles, we will go through what processing operation(s) and infringement(s) to base the GDPR fines on.

To calculate a fine based on the methodology of the EDPB guidelines, we must first consider (1) what processing operation(s) the fine must be based upon, and (2) what infringements the fine must be based upon.

Questions that MLL can assist data controllers and data processors in answering are:

Does the case consist of a single sanctionable processing operation?

If yes, does that processing operation give rise to a single infringement?

If yes, one fine is imposed and calculated for a single infringement, the fine is calculated considering only that infringement, and the fine is subject to the legal maximum of that infringement.

Does that processing operation give rise to multiple infringements?

If yes, are these infringements attributed to one infringement that precludes or subsumes the applicability of another infringement (concurrence of offences)?

If yes, it is unlawful to sanction the offender for the same wrongdoing twice, the fine is calculated considering only the infringement selected, and the fine is subject to the legal maximum of that infringement.

Does that processing operation give rise to multiple infringements?

If yes, are these infringements attributed alongside each other where one infringement does not preclude or subsume the applicability of another infringement (unity of action)?

If yes, it is lawful to sanction the offender for all the infringements and the fine is calculated considering all applicable infringements. In cases where multiple infringements have arisen from “the same or linked processing operations”, the fine is limited to the legal maximum of the gravest infringement (GDPR Article 83(3)).

Does the case consist of multiple separate processing operations (plurality of actions)?

If yes, in one or more decisions, separate fines are imposed and calculated for each processing operation, each fine is subject to individual legal maximums for each infringement, and the total amount of the administrative fine may exceed the amount specified for the gravest infringement (since Article 83(3) does not apply).

Which obligations are considered when assessing infringements?

Any infringed obligation legally necessary for the processing operations to be lawfully carried, including like for instance transparency obligations (e.g. Article 13 GDPR).

What is considered as one sanctionable processing operation vs multiple separate sanctionable processing operations?

In cases of multiple infringements of the same or different GDPR obligations, what is considered as “the same or linked processing operations”?

In the case of multiple infringements, (1) when are these infringements attributed to one infringement that precludes or subsumes the applicability of another infringement (concurrence of offences)? and (2) when are these infringements attributed alongside each other where one infringement does not preclude or subsume the applicability of another infringement (unity of action)?

(click on the picture to enlarge)

GDPR-fines-what-processing-operation-and-infringements


Share post



most read


Highlights

MLL Legal

MLL Legal is one of the leading law firms in Switzerland with offices in Zurich, Geneva, Zug, Lausanne, London and Madrid. We advise our clients in all areas of business law and stand out in particular for our first-class industry expertise in technical-innovative specialist areas, but also in regulated industries.

MLL Meyerlustenberger Lachenal Froriep

Newsletter

Much is still unclear in relation to liability questions around AI tools.

Read our latest post about “Liability during the Lifecycle of an AI Tool” and download our white paper.

Show article.

Our Story

MLL Legal is a leading Swiss law firm with a history that dates back to 1885. The firm has grown both organically and by means of strategic mergers, the latest of which took place on 1st July 2021 between Meyerlustenberger Lachenal and FRORIEP.

The merger establishes MLL Legal, a combined new entity as one of the largest commercial law firms in Switzerland with 150 lawyers in four offices in Switzerland and two offices abroad, in London and Madrid serving clients seeking Swiss law advice.

Our firm has a strong international profile and brings together recognised leadership and expertise in all areas of law affecting commerce today, with a focus on high-tech, innovative and regulated sectors. 

About us

Publications

Click here for our latest publications

COVID-19

Read all our legal updates on the impact of COVID-19 for businesses.

COVID-19 Information

Job openings

Looking for a new challenge?

Our talented and ambitious teams are motivated by a common vision to succeed. We value open and straightforward communication accross all levels of the organisation in a supportive working environment.

Job openings

Firm News

Click here for our latest firm news.

Our Team

The regulatory and technological landscape continually require businesses to adapt and evolve.
Our 150+ lawyers are continuously innovating and striving for improvement in everything they do. We embrace new ideas and technologies, combining our wealth of expertise with creative thinking and diligence. With our hands-on approach, we implement viable solutions for the most complex legal challenges.

Our Team.

LexCast – the podcast series by MLL NexGen

Smart legal education on the go. The LexCast hosted by MLL NexGen provides legal insights in a short format that allows listeners to educate themselves on and about legal issues wherever they are and whenever they find the time.

Listen to our podcast series – stay tuned.

MLL Legal on Social Media

Follow us on LinkedIn.