On October 16, 2019, the body of German Supervisory Authorities known as the Datenschutzkonferenz (“DSK”) released a document proposing a model for calculating fines under the GDPR.  The DSK indicated that this model is subject to change and will be superseded by any method put forward in guidance issued by the European Data Protection Board.

The document contains:

  • a method to assign a value to the seriousness of an offense; and
  • a method to calculate the amount of the fine in light of the seriousness of the offense.

Seriousness of the infringement.  Based on the factors set out in Art. 83(2) of the GDPR, the DSK proposes to classify an offense as minor, medium, serious or very serious. The method assigns to each classification a range of values from which a Supervisory Authority can choose (for example, if an infringement is serious pursuant to Art. 83(5) or (6), the Supervisory Authority can assign a value of between 8 and 12). This number will then be used in step 4 of the calculation methodology described below.

Calculation of the fine.  According to the DSK’s proposal, fines should then be calculated on the basis of the following 5 steps:

  1. a Supervisory Authority should start by reviewing the undertaking’s annual turnover in the preceding financial year to classify it according to its size as a micro (A), small (B), medium (C) or large (D) undertaking and assign it to a specific sub-group (for example, A.II covers micro undertakings with a turnover between € 700.000 and € 1.4 million);
  2. the Supervisory Authority should then determine the average annual turnover of the respective sub-group (in the above example, for an undertaking classified as A.II, the allocated average turnover would be € 1,050,000);
  3. then, the Supervisory Authority should divide the average annual turnover of the respective subgroup by 360 to determine the “basic economic value of the undertaking” (in the above example, the basic economic value is € 2,917);
  4. the “basic economic value” is then multiplied by the value of the seriousness of the infringement as described above;
  5. finally, the amount obtained through this multiplication is adjusted in light of “other circumstances not yet taken into account” (the DSK’s proposal is not more specific on this point).

Unfortunately, the DSK proposal does not address in detail the meaning of “undertaking” in Art. 83(4) and (5) when a company belongs to a corporate group and how the relevant annual turnover of an “undertaking” should be calculated.  In this respect, the guidance refers to recital 150 and provides that “undertaking” has the meaning given to it under Articles 101 and 102 of the TFEU, i.e., “a functional meaning of undertaking”.

This is in line with what the DSK stated in another guidance on GDPR sanctions (available here in German):

(…) the DS-GVO provides a concept of undertaking that is broader than that of Art. 4(18) GDPR. The term “undertaking” in the context of enforcement proceedings is to be inferred from Recital 150 of the GDPR. According to this recital, the broad, functional concept of enterprise borrowed from antitrust law in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU) applies. The consequence of this is that parent companies and subsidiaries are regarded as an economic unit, so that the total turnover of the group of companies is taken as the basis for calculating the fine.