Your contacts
Georg Krog
Lukas Bühlmann
The European Data Protection Board (hereafter ‘EDPB’) has published Guidelines for the calculation of fines under the General Data Protection Regulation (GDPR). In this part 2 of a series of six articles, we will go through what processing operation(s) and infringement(s) to base the GDPR fines on.
To calculate a fine based on the methodology of the EDPB guidelines, we must first consider (1) what processing operation(s) the fine must be based upon, and (2) what infringements the fine must be based upon.
Questions that MLL can assist data controllers and data processors in answering are:
Does the case consist of a single sanctionable processing operation?
If yes, does that processing operation give rise to a single infringement?
If yes, one fine is imposed and calculated for a single infringement, the fine is calculated considering only that infringement, and the fine is subject to the legal maximum of that infringement.
Does that processing operation give rise to multiple infringements?
If yes, are these infringements attributed to one infringement that precludes or subsumes the applicability of another infringement (concurrence of offences)?
If yes, it is unlawful to sanction the offender for the same wrongdoing twice, the fine is calculated considering only the infringement selected, and the fine is subject to the legal maximum of that infringement.
Does that processing operation give rise to multiple infringements?
If yes, are these infringements attributed alongside each other where one infringement does not preclude or subsume the applicability of another infringement (unity of action)?
If yes, it is lawful to sanction the offender for all the infringements and the fine is calculated considering all applicable infringements. In cases where multiple infringements have arisen from “the same or linked processing operations”, the fine is limited to the legal maximum of the gravest infringement (GDPR Article 83(3)).
Does the case consist of multiple separate processing operations (plurality of actions)?
If yes, in one or more decisions, separate fines are imposed and calculated for each processing operation, each fine is subject to individual legal maximums for each infringement, and the total amount of the administrative fine may exceed the amount specified for the gravest infringement (since Article 83(3) does not apply).
Which obligations are considered when assessing infringements?
Any infringed obligation legally necessary for the processing operations to be lawfully carried, including like for instance transparency obligations (e.g. Article 13 GDPR).
What is considered as one sanctionable processing operation vs multiple separate sanctionable processing operations?
In cases of multiple infringements of the same or different GDPR obligations, what is considered as “the same or linked processing operations”?
In the case of multiple infringements, (1) when are these infringements attributed to one infringement that precludes or subsumes the applicability of another infringement (concurrence of offences)? and (2) when are these infringements attributed alongside each other where one infringement does not preclude or subsume the applicability of another infringement (unity of action)?
(click on the picture to enlarge)
