On October 16, 2019, the body of German Supervisory Authorities known as the Datenschutzkonferenz (“DSK”) released a document proposing a model for calculating fines under the GDPR.  The DSK indicated that this model is subject to change and will be superseded by any method put forward in guidance issued by the European Data Protection Board.

The document contains:

  • a method to assign a value to the seriousness of an offense; and
  • a method to calculate the amount of the fine in light of the seriousness of the offense.

Seriousness of the infringement.  Based on the factors set out in Art. 83(2) of the GDPR, the DSK proposes to classify an offense as minor, medium, serious or very serious. The method assigns to each classification a range of values from which a Supervisory Authority can choose (for example, if an infringement is serious pursuant to Art. 83(5) or (6), the Supervisory Authority can assign a value of between 8 and 12). This number will then be used in step 4 of the calculation methodology described below.

Calculation of the fine.  According to the DSK’s proposal, fines should then be calculated on the basis of the following 5 steps:

  1. a Supervisory Authority should start by reviewing the undertaking’s annual turnover in the preceding financial year to classify it according to its size as a micro (A), small (B), medium (C) or large (D) undertaking and assign it to a specific sub-group (for example, A.II covers micro undertakings with a turnover between € 700.000 and € 1.4 million);
  2. the Supervisory Authority should then determine the average annual turnover of the respective sub-group (in the above example, for an undertaking classified as A.II, the allocated average turnover would be € 1,050,000);
  3. then, the Supervisory Authority should divide the average annual turnover of the respective subgroup by 360 to determine the “basic economic value of the undertaking” (in the above example, the basic economic value is € 2,917);
  4. the “basic economic value” is then multiplied by the value of the seriousness of the infringement as described above;
  5. finally, the amount obtained through this multiplication is adjusted in light of “other circumstances not yet taken into account” (the DSK’s proposal is not more specific on this point).

Unfortunately, the DSK proposal does not address in detail the meaning of “undertaking” in Art. 83(4) and (5) when a company belongs to a corporate group and how the relevant annual turnover of an “undertaking” should be calculated.  In this respect, the guidance refers to recital 150 and provides that “undertaking” has the meaning given to it under Articles 101 and 102 of the TFEU, i.e., “a functional meaning of undertaking”.

This is in line with what the DSK stated in another guidance on GDPR sanctions (available here in German):

(…) the DS-GVO provides a concept of undertaking that is broader than that of Art. 4(18) GDPR. The term “undertaking” in the context of enforcement proceedings is to be inferred from Recital 150 of the GDPR. According to this recital, the broad, functional concept of enterprise borrowed from antitrust law in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU) applies. The consequence of this is that parent companies and subsidiaries are regarded as an economic unit, so that the total turnover of the group of companies is taken as the basis for calculating the fine.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Anna Sophia Oberschelp de Meneses Anna Sophia Oberschelp de Meneses

I advise companies across the EU on technology laws, with a focus on data protection, cybersecurity, and current consumer protection laws. I help businesses navigate complex regulations like the GDPR, AI Act, Digital Services Act, Unfair Commercial Practices Directive, and the upcoming Digital…

I advise companies across the EU on technology laws, with a focus on data protection, cybersecurity, and current consumer protection laws. I help businesses navigate complex regulations like the GDPR, AI Act, Digital Services Act, Unfair Commercial Practices Directive, and the upcoming Digital Fairness Act, turning legal requirements into practical, business-friendly solutions.

In data protection, I support tailored GDPR compliance, international data transfers, and privacy-conscious marketing. On cybersecurity, I guide clients through risk assessments, incident response, and evolving laws such as NIS2 and the Cyber Resilience Act. Regarding consumer protection, I advise on existing laws to help businesses revise their terms and conditions for compliance and review online interfaces to ensure all mandatory consumer information is clearly provided, tackling issues like dark patterns and unfair contract clauses.

Fluent in multiple languages and experienced across borders, I’m passionate about helping clients embed compliance into their operations and thrive in the fast-changing digital landscape.