On October 16, 2019, the body of German Supervisory Authorities known as the Datenschutzkonferenz (“DSK”) released a document proposing a model for calculating fines under the GDPR.  The DSK indicated that this model is subject to change and will be superseded by any method put forward in guidance issued by the European Data Protection Board.

The document contains:

  • a method to assign a value to the seriousness of an offense; and
  • a method to calculate the amount of the fine in light of the seriousness of the offense.

Seriousness of the infringement.  Based on the factors set out in Art. 83(2) of the GDPR, the DSK proposes to classify an offense as minor, medium, serious or very serious. The method assigns to each classification a range of values from which a Supervisory Authority can choose (for example, if an infringement is serious pursuant to Art. 83(5) or (6), the Supervisory Authority can assign a value of between 8 and 12). This number will then be used in step 4 of the calculation methodology described below.

Calculation of the fine.  According to the DSK’s proposal, fines should then be calculated on the basis of the following 5 steps:

  1. a Supervisory Authority should start by reviewing the undertaking’s annual turnover in the preceding financial year to classify it according to its size as a micro (A), small (B), medium (C) or large (D) undertaking and assign it to a specific sub-group (for example, A.II covers micro undertakings with a turnover between € 700,000 and € 1.4 million);
  2. the Supervisory Authority should then determine the average annual turnover of the respective sub-group (in the above example, for an undertaking classified as A.II, the allocated average turnover would be € 1,050,000);
  3. then, the Supervisory Authority should divide the average annual turnover of the respective subgroup by 360 to determine the “basic economic value of the undertaking” (in the above example, the basic economic value is € 2,917);
  4. the “basic economic value” is then multiplied by the value of the seriousness of the infringement as described above;
  5. finally, the amount obtained through this multiplication is adjusted in light of “other circumstances not yet taken into account” (the DSK’s proposal is not more specific on this point).

Unfortunately, the DSK proposal does not address in detail the meaning of “undertaking” in Art. 83(4) and (5) when a company belongs to a corporate group and how the relevant annual turnover of an “undertaking” should be calculated.  In this respect, the guidance refers to recital 150 and provides that “undertaking” has the meaning given to it under Articles 101 and 102 of the TFEU, i.e., “a functional meaning of undertaking”.

This is in line with what the DSK stated in another guidance on GDPR sanctions (available here in German):

(…) the DS-GVO provides a concept of undertaking that is broader than that of Art. 4(18) GDPR. The term “undertaking” in the context of enforcement proceedings is to be inferred from Recital 150 of the GDPR. According to this recital, the broad, functional concept of enterprise borrowed from antitrust law in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU) applies. The consequence of this is that parent companies and subsidiaries are regarded as an economic unit, so that the total turnover of the group of companies is taken as the basis for calculating the fine.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer and a native speaker of both Portuguese and German.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.